[22.x] guix: ignore additional failing certvalidator test #24215
======================================================================
ERROR: test_revocation_mode_soft (tests.test_validate.ValidateTests)
----------------------------------------------------------------------
Traceback (most recent call last):
File "/tmp/guix-build-python-certvalidator-0.1-1.e5bdb4b.drv-0/source/tests/test_validate.py", line 85, in test_revocation_mode_soft
validate_path(context, path)
File "/tmp/guix-build-python-certvalidator-0.1-1.e5bdb4b.drv-0/source/tests/../certvalidator/validate.py", line 50, in validate_path
return _validate_path(validation_context, path)
File "/tmp/guix-build-python-certvalidator-0.1-1.e5bdb4b.drv-0/source/tests/../certvalidator/validate.py", line 358, in _validate_path
raise PathValidationError(pretty_message(
certvalidator.errors.PathValidationError: The path could not be validated because the end-entity certificate expired 2022-01-14 12:00:00Z
Github-Pull: bitcoin#24057
Rebased-From: 8588591
|
I did a Guix clean followed by:
env HOSTS='x86_64-apple-darwin' ./contrib/guix/guix-build
This succeeds, but code-sign doesn't:
env HOSTS='x86_64-apple-darwin' ./contrib/guix/guix-codesign
Checking that we can connect to the guix-daemon...
Hint: If this hangs, you may want to try turning your guix-daemon off and on
again.
INFO: Codesigning b7ecef1ddf0c for platform triple x86_64-apple-darwin:
...using reference timestamp: 1642652187
...from worktree directory: '/home/guix/bitcoin'
...bind-mounted in container to: '/bitcoin'
...in build directory: '/home/guix/bitcoin/guix-build-b7ecef1ddf0c/distsrc-b7ecef1ddf0c-x86_64-apple-darwin-codesigned'
...bind-mounted in container to: '/distsrc-base/distsrc-b7ecef1ddf0c-x86_64-apple-darwin-codesigned'
...outputting in: '/home/guix/bitcoin/guix-build-b7ecef1ddf0c/output/x86_64-apple-darwin-codesigned'
...bind-mounted in container to: '/outdir-base/x86_64-apple-darwin-codesigned'
...using detached signatures in: '/home/guix/bitcoin-detached-sigs'
...bind-mounted in container to: '/detached-sigs'
Required environment variables as seen inside the container:
UNSIGNED_TARBALL: /outdir-base/x86_64-apple-darwin/bitcoin-b7ecef1ddf0c-osx-unsigned.tar.gz
DETACHED_SIGS_REPO: /detached-sigs
DIST_ARCHIVE_BASE: /outdir-base/dist-archive
DISTNAME: bitcoin-b7ecef1ddf0c
HOST: x86_64-apple-darwin
SOURCE_DATE_EPOCH: 1642652187
DISTSRC: /distsrc-base/distsrc-b7ecef1ddf0c-x86_64-apple-darwin-codesigned
OUTDIR: /outdir-base/x86_64-apple-darwin-codesigned
/gnu/store/q3y2bpd61bvb7d0g9ils1zi6pax5yvb1-python-elfesteem-0.1-1.87bbd79/lib/python3.8/site-packages/elfesteem/cstruct.py:412: SyntaxWarning: "is not" with a literal. Did you mean "!="?
if name is not '' and not name in table: table[name] = {}
/gnu/store/q3y2bpd61bvb7d0g9ils1zi6pax5yvb1-python-elfesteem-0.1-1.87bbd79/lib/python3.8/site-packages/elfesteem/cstruct.py:415: SyntaxWarning: "is not" with a literal. Did you mean "!="?
if name is not '':
Code signature applied
Traceback (most recent call last):
File "/gnu/store/vsi3743mm41cfdv0zmap6p2qfsqylcmx-python-signapple-0.1-1.b084cbb/bin/.signapple-real", line 11, in <module>
load_entry_point('signapple==0.1.0', 'console_scripts', 'signapple')()
File "/gnu/store/vsi3743mm41cfdv0zmap6p2qfsqylcmx-python-signapple-0.1-1.b084cbb/lib/python3.8/site-packages/signapple/__init__.py", line 112, in main
args.func(args)
File "/gnu/store/vsi3743mm41cfdv0zmap6p2qfsqylcmx-python-signapple-0.1-1.b084cbb/lib/python3.8/site-packages/signapple/__init__.py", line 36, in apply
verify(args)
File "/gnu/store/vsi3743mm41cfdv0zmap6p2qfsqylcmx-python-signapple-0.1-1.b084cbb/lib/python3.8/site-packages/signapple/__init__.py", line 10, in verify
verify_mach_o_signature(args.filename)
File "/gnu/store/vsi3743mm41cfdv0zmap6p2qfsqylcmx-python-signapple-0.1-1.b084cbb/lib/python3.8/site-packages/signapple/verify.py", line 227, in verify_mach_o_signature
_verify_single(filepath, header)
File "/gnu/store/vsi3743mm41cfdv0zmap6p2qfsqylcmx-python-signapple-0.1-1.b084cbb/lib/python3.8/site-packages/signapple/verify.py", line 161, in _verify_single
_validate_code_hashes(f, sig_superblob.code_dir_blob)
File "/gnu/store/vsi3743mm41cfdv0zmap6p2qfsqylcmx-python-signapple-0.1-1.b084cbb/lib/python3.8/site-packages/signapple/verify.py", line 54, in _validate_code_hashes
raise Exception(
Exception: Code slot hash mismatch. Expected 8cdb98ee7dbd9c1a5b021603c4b0ef933a31717f57884bc3a72536257e4d53dd, Calculated 95bcde7c12f864fcf3de59c87142b9fde1b728328a48cd923023381b730b4eab
Some hashes: |
|
cc @dongcarl |
|
I've also updated the certvalidator fork we use to have passing tests. |
Maybe #21851 (comment) and #22546 ? |
|
Wondering if we should just switch to achow's achow101/certvalidator@e5bdb4b instead? |
Isn't that the version we are already using? |
I think you mean achow101/certvalidator@a145bf2
The error you get there is because the detached sig it is using is for a different release. signapple does not know that the detached sig is not for the binary you have built.
The tool that this patch is fixing. |
|
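The mismatch explained above (a detached signature made for one release applied to a binary built from another), shown as an added example that is not part of the original thread and is not signapple's code. It is a simplified model of per-page code slot hashing; `PAGE_SIZE`, the dict-based signature, the sample byte strings and all function names are assumptions.

```python
import hashlib

PAGE_SIZE = 4096  # assumption: 4 KiB code pages, as commonly used for Mach-O code signatures


def code_slot_hashes(code, page_size=PAGE_SIZE):
    """Hash the code page by page: one SHA-256 'code slot' per page."""
    return [
        hashlib.sha256(code[off:off + page_size]).hexdigest()
        for off in range(0, len(code), page_size)
    ]


def make_detached_sig(code):
    """Constructed stand-in for a detached signature: only the slot hashes."""
    return {"code_limit": len(code), "slots": code_slot_hashes(code)}


def verify_code_slots(code, sig):
    """Return a list of problems; an empty list means every slot matched."""
    problems = []
    if len(code) != sig["code_limit"]:
        problems.append(
            "code limit mismatch: signature covers %d bytes, binary has %d"
            % (sig["code_limit"], len(code))
        )
    for i, (expected, calculated) in enumerate(zip(sig["slots"], code_slot_hashes(code))):
        if expected != calculated:
            problems.append(
                "code slot %d hash mismatch. Expected %s, Calculated %s"
                % (i, expected, calculated)
            )
    return problems


# Constructed sample data: two "releases" that differ only inside page 1.
release_a = bytes(PAGE_SIZE) + b"version 22.0" + bytes(PAGE_SIZE - 12) + bytes(100)
release_b = bytes(PAGE_SIZE) + b"version 22.1" + bytes(PAGE_SIZE - 12) + bytes(100)
sig_for_a = make_detached_sig(release_a)

if __name__ == "__main__":
    print(verify_code_slots(release_a, sig_for_a))        # signature and binary from the same build
    for line in verify_code_slots(release_b, sig_for_a):  # signature taken from another release
        print(line)
```

The verifier can only report that a slot hash differs; nothing in the hashes says which release the signature was made for, which is why the failure surfaces as a bare hash mismatch.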
I think we could switch to the newer certvalidator branch in master, and then re-enable tests. However for |
|
My hashes match those in the PR description, but those don't include the signed DMG. I guess I'm confused about what certificate related problem this PR is solving. |
If you Guix build the current 22.x branch, from scratch (so that
They don't need to. You don't need to run the code-sign step at all to verify this fixing what it's supposed to be fixing. |
|
What is |
https://github.com/wbond/certvalidator: "A Python library for validating X.509 certificates or paths." We use a fork maintained by achow. It's a dependency of sign-apple. |
I did a |
|
Concept ACK b7ecef1 Seems good to make it possible to compile the branch again |
You need to Guix build such that the python-certvalidator package is actually built, and the tests run. I am going to merge this now to un-break from-scratch builds. |
Backports 8588591 from #24057 so that from-scratch Guix builds for the Darwin host aren't broken due to a (very recently) expired certificate causing one of the python-certvalidator tests to fail. Kept separate from #23276 because that hasn't gotten review attention, and I don't think we should leave 22.x Darwin Guix builds broken for any longer than we have to.
Fixes #24110.
Guix Build: