OS X Gitian concerns

Post Reply
biolizard89
Posts: 2001
Joined: Tue Jun 05, 2012 6:25 am
os: linux

OS X Gitian concerns

Post by biolizard89 »

I've been looking at the procedure for building Bitcoin Core for OS X. I have some concerns about this. Each Gitian builder needs to have access to an OS X machine in order to extract an Apple SDK. I believe I can get OU to give me access to an OS X machine to do this, but I graduate this year and I will definitely not be buying any Apple products. So if the SDK version changes after I graduate, I may not be able to build OS X anymore. Other issue is that the SDK is under a nonfree license. I haven't yet read what Apple's SDK license restrictions are, but knowing Apple, I would not be surprised if they're completely unacceptable. I'm aware that some Apple licenses contain NDA's or clauses that forbid taking legal action against Apple. Either of these is a dealbreaker for me.

Of course then there's the additional issue of paying Apple for a signing key. We can distribute unsigned OS X binaries, but these have usability issues. I will not pay Apple for a signing key, as I don't want to encourage this kind of cartel-style business model.

Thoughts?
Jeremy Rand, Lead Namecoin Application Engineer
NameID: id/jeremy
DyName: Dynamic DNS update client for .bit domains.

Donations: BTC 1EcUWRa9H6ZuWPkF3BDj6k4k1vCgv41ab8 ; NMC NFqbaS7ReiQ9MBmsowwcDSmp4iDznjmEh5

cassini
Posts: 336
Joined: Sun May 26, 2013 6:36 pm

Re: OS X Gitian concerns

Post by cassini »

Who is this "Apple keyholder" for the Bitcoin build? I'm wondering if he can do us a favour:

Code: Select all

As of OS X Mavericks (10.9), using an Apple-blessed key to sign binaries is a
requirement in order to satisfy the new Gatekeeper requirements. Because this
private key cannot be shared, we'll have to be a bit creative in order for the
build process to remain somewhat deterministic. Here's how it works:

- Builders use Gitian to create an unsigned release. This outputs an unsigned
  dmg which users may choose to bless and run. It also outputs an unsigned app
  structure in the form of a tarball, which also contains all of the tools
  that have been previously (deterministically) built in order to create a
  final dmg.
- The Apple keyholder uses this unsigned app to create a detached signature,
  using the script that is also included there.
- Builders feed the unsigned app + detached signature back into Gitian. It
  uses the pre-built tools to recombine the pieces into a deterministic dmg.
(see https://github.com/bitcoin/bitcoin/blob ... ME_osx.txt , last paragraph)

josephbisch
Posts: 69
Joined: Sun Nov 23, 2014 3:34 pm
os: linux

Re: OS X Gitian concerns

Post by josephbisch »

cassini wrote:Who is this "Apple keyholder" for the Bitcoin build? I'm wondering if he can do us a favour:
The document used to say it was Gavin Andresen, but it was changed to just read "Apple keyholder". I can't find it now, but I remember a PR or issue on GitHub that asked about the change and the person asking didn't get a response that answered the question.

biolizard89
Posts: 2001
Joined: Tue Jun 05, 2012 6:25 am
os: linux

Re: OS X Gitian concerns

Post by biolizard89 »

josephbisch wrote:
cassini wrote:Who is this "Apple keyholder" for the Bitcoin build? I'm wondering if he can do us a favour:
The document used to say it was Gavin Andresen, but it was changed to just read "Apple keyholder". I can't find it now, but I remember a PR or issue on GitHub that asked about the change and the person asking didn't get a response that answered the question.
My understanding is that the Apple and Windows keys were issued to Bitcoin Foundation. I wouldn't be surprised if that's changed now that Gavin has been replaced by Wladimir. FWIW, https://github.com/bitcoin/bitcoin-deta ... its/master only shows commits by Cory Fields, though that doesn't mean that he holds the private key, only that he posted the signatures to GitHub.

Don't bother Cory about anything Namecoin related; I think he's slightly annoyed at us because we haven't yet had time to stop our Travis CI scripts from eating Bitcoin's bandwidth. (Honoring his request is on my to-do list, so once that's done, presumably Cory will be happier with us.)
Jeremy Rand, Lead Namecoin Application Engineer
NameID: id/jeremy
DyName: Dynamic DNS update client for .bit domains.

Donations: BTC 1EcUWRa9H6ZuWPkF3BDj6k4k1vCgv41ab8 ; NMC NFqbaS7ReiQ9MBmsowwcDSmp4iDznjmEh5

Post Reply