Restore secure downloads and git tags #6

Open
3 of 7 tasks
luke-jr opened this issue Jan 5, 2023 · 26 comments

Comments

@luke-jr
Member

luke-jr commented Jan 5, 2023

Git tags: Only signed by compromised key.

  • Find someone who fetched before compromise to verify: posted below
  • Re-sign them, maybe with new names (but this could break deterministic builds).

v21.2: Only signed by compromised key. Requires gitian to build.

  • Find multiple others who can sign.
  • Possibly add .patches.txz file to signatures

v23.0: @laanwj built already, but should have multiple signatures.

  • Figure out solution to source tarball non-determinism: achow101 has a workaround here
  • Get more signers (builders, please note above workaround, and verify the tags match what laanwj posted!)
  • Possibly add .patches.txz file to signatures
@luke-jr
Member Author

luke-jr commented Jan 5, 2023

@laanwj: You presumably fetched Knots to build v23.0. Have you fetched since then, or should your local tags be untouched? Can you verify the commit hashes of at least the current tags?

@bitcoinknots bitcoinknots deleted a comment from wumpus Jan 5, 2023
@luke-jr luke-jr changed the title Restore secure downloads and git tag Restore secure downloads and git tags Jan 5, 2023
@laanwj

laanwj commented Jan 8, 2023

@laanwj, would you be okay with being the sole signature to verify on these?

I'd really prefer not to be the single point of failure in any of these things.

You presumably fetched Knots to build v23.0. Have you fetched since then, or should your local tags be untouched?

I haven't fetched since then, so the tags I have should be untouched:

2e9b08035d8ce00eff78d9b85f79aaa7f37adec0 refs/tags/v0.12.0.knots20160226.rc1
30e8be17f4592af3ed4e16b1fc8ae8e42857c93d refs/tags/v0.12.1.knots20160629.rc2
ae5c5e318dabbbb27b20dd17ad3c7a4a783c7f54 refs/tags/v0.13.0.knots20160814
e69004bce17f38e5f8b2d177bf5bfb5a5bcea033 refs/tags/v0.13.1.knots20161027
1bad5823fb24271110a6b2266019f62ebba888a7 refs/tags/v0.13.2.knots20170102
871c7ce223003cc729006707df13733b6f434b98 refs/tags/v0.14.0.knots20170307
744e9d4e9c6dd5079c90c31c8b375bbe7e1949f1 refs/tags/v0.14.1.knots20170420
d86762dca3b0d0583caacbb988bb33921e0c8127 refs/tags/v0.14.2.knots20170618
98ded41717d672791e5f78d6d03e24284d65f437 refs/tags/v0.15.0.knots20170914
22dc6780b17e1acec0b6b8d97d1da671d8f8d756 refs/tags/v0.15.1.knots20171111
f04ed9c68b8fc77fffe259faf12b8b029ad00a66 refs/tags/v0.16.0.knots20180322
5e4d4fb1054db5bda8f6aa604c3e877f851ab6fc refs/tags/v0.16.1.knots20180721
94d0f0be57b765a04ddba515eca6b0fb018dbfec refs/tags/v0.16.2.knots20180730
b22a19c6a60cde21dd4b29893e233a8da1cf4b82 refs/tags/v0.16.3.knots20180918
e10d8459e9a291fdf861dda4bffffb1b84581f1a refs/tags/v0.17.1.knots20181229
1d69dbacddb8a0dcc4a62be9f0ffad34d57bd65a refs/tags/v0.18.0.knots20190502
3b7e045fbda983be63686434be343f031eba3acc refs/tags/v0.18.1.knots20190920
5b606e3cdf67f6b7b03a5df63e70d374ad780fb1 refs/tags/v0.19.0.1.knots20200104
73a1a5ac78590649b2c4d526ef866ef5a3960826 refs/tags/v0.19.1.knots20200304
9520fd7cbe4e3ef8a2900cd1d49fef5d0d850251 refs/tags/v0.20.0.knots20200614
52180467b28cd754abc67790c45835eb9b43646b refs/tags/v0.20.1.knots20200815
5a15f9b4d1f3a8becaada22ec1b0c5cc0a72c6bd refs/tags/v0.21.0.knots20210130
21c9cbee37a9a45c98788370905f9fd79c8a336c refs/tags/v0.21.1.knots20210629
7fdd8dc33929b12d78217a1bf72ec30bf76502c6 refs/tags/v21.2.knots20210629
f54a650d541b185e4c399458856777d202370ce5 refs/tags/v22.0.knots20211108
eafbc9a2665d1117e6668640cbd16ea9171b6b4c refs/tags/v23.0.knots20220529

@luke-jr
Member Author

luke-jr commented Jan 8, 2023

@Sjors @achow101 @glozow @sipa @hebasto Could any of you do some Guix builds/signatures of v23.0? (Be sure to verify the tags match what @laanwj posted above)

Thanks

@luke-jr
Member Author

luke-jr commented Jan 8, 2023

(Ideally v21.2 also, if you still have gitian set up)

@Sjors

Sjors commented Jan 9, 2023

Note: you can compare the list @laanwj provided to git show-ref --tags.

@hebasto

hebasto commented Jan 12, 2023

For the v23.0.knots20220529 tag I have a top commit:

$ git rev-parse HEAD
a5eb5c7e3018049e7ca0d95387e3c21e99c131cd

It differs from the one mentioned above:

eafbc9a2665d1117e6668640cbd16ea9171b6b4c refs/tags/v23.0.knots20220529

@laanwj

laanwj commented Jan 12, 2023

For the v23.0.knots20220529 tag I have a top commit:
a5eb5c7e3018049e7ca0d95387e3c21e99c131cd

Yeah… that's correct. What I posted are the ids of the signed tags themselves (the output of @Sjors' command), not the topmost commit on them.
Try git show eafbc9a2665d1117e6668640cbd16ea9171b6b4c and it will show the signed tag, then the same commit.

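Added example, not code from the issue or the Knots project: a POSIX shell check that compares a clone's `git show-ref --tags` output with a trusted list captured earlier (the format laanwj posted), and prints the commit each tag resolves to, which is the tag-object-vs-commit distinction explained above. The throwaway repository, identity and tag name are constructed for the demo.

```shell
#!/bin/sh
# Compare local tag object ids against a trusted snapshot and resolve each
# tag to its commit: an annotated tag's id is NOT the commit it points to.
set -eu

IDENT="-c user.name=demo -c user.email=demo@example.invalid"   # constructed

# Build a throwaway repo with one commit and one annotated tag (constructed data).
make_demo_repo() {
    dir=$(mktemp -d)
    git -C "$dir" init -q
    git -C "$dir" $IDENT -c commit.gpgsign=false commit -q --allow-empty -m "release commit"
    git -C "$dir" $IDENT -c tag.gpgsign=false tag -a v1.knots -m "release tag"
    printf '%s\n' "$dir"
}

# Simulate the tag being re-created after the trusted list was captured.
retag_demo_repo() {
    git -C "$1" $IDENT -c commit.gpgsign=false commit -q --allow-empty -m "later commit"
    git -C "$1" $IDENT -c tag.gpgsign=false tag -f -a v1.knots -m "re-tag" >/dev/null
}

# Print one line per local tag: STATUS TAG LOCAL_TAG_ID TRUSTED_TAG_ID COMMIT
#   OK        local tag object id equals the trusted one
#   MISMATCH  tag was re-created since the trusted list was captured
#   UNKNOWN   tag is absent from the trusted list
check_tags() {   # $1 = repo path, $2 = trusted list in `git show-ref --tags` format
    git -C "$1" show-ref --tags | while read -r local_id ref; do
        expected=$(awk -v r="$ref" '$2 == r { print $1 }' "$2")
        commit=$(git -C "$1" rev-parse "$ref^{commit}")
        if [ -z "$expected" ]; then status=UNKNOWN
        elif [ "$expected" = "$local_id" ]; then status=OK
        else status=MISMATCH; fi
        printf '%s %s %s %s %s\n' "$status" "${ref#refs/tags/}" "$local_id" "${expected:-none}" "$commit"
    done
}

# Demo run: snapshot taken "before the compromise", then the tag is moved.
repo=$(make_demo_repo)
trusted=$(mktemp)
git -C "$repo" show-ref --tags > "$trusted"
check_tags "$repo" "$trusted"     # OK v1.knots <tag id> <tag id> <commit>
retag_demo_repo "$repo"
check_tags "$repo" "$trusted"     # MISMATCH v1.knots <new tag id> <old tag id> <commit>
```

Against a real clone, replace the demo repo with the clone's path and the trusted file with the list posted above; a tag reported MISMATCH or UNKNOWN should not be built from.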
@hebasto

hebasto commented Jan 13, 2023

23.0: bitcoinknots/guix.sigs#6

@luke-jr
Member Author

luke-jr commented Jan 13, 2023

Thanks, I republished v23.0.

Guess I'll have to ping some more people for v21.2: @Emzy @jonatack @sipsorcery do any of you still have gitian set up?

@Sjors

Sjors commented Jan 13, 2023

I nuked my Gitian setup some time ago.

@Emzy

Emzy commented Jan 14, 2023

I get an error in my Gitian build of v21.2. I will investigate tomorrow.

@luke-jr
Member Author

luke-jr commented Jan 20, 2023

@Emzy figure it out?

@Emzy

Emzy commented Jan 20, 2023

Sadly I gave up. I always get a "no space left on device" error. I'm using LXC.
There is for sure enough space on that machine. So the error is somehow misleading.

@luke-jr
Member Author

luke-jr commented Jan 20, 2023

If LXC limits disk usage like KVM, maybe moving stuff out of the cache could help?

I guess the only ones I haven't tried pinging yet are @fanquake @guggero @kristapsk

@maflcko

maflcko commented Jan 20, 2023

I nuked mine too, but the easiest to set up, if doing it from scratch, would probably be docker?

@luke-jr
Member Author

luke-jr commented Jan 20, 2023

I'm not sure. I know KVM is definitely not easy to set up (I basically had to install Ubuntu manually and then kill its auto-upgrade-at-boot stuff).

@kristapsk

I could try a gitian build using Docker. I don't have it anymore, but it wasn't too hard to set up as far as I remember.

@guggero

guggero commented Jan 20, 2023

Sorry, I also nuked my gitian build environment. Can try to re-create it as well on the weekend if needed.

@luke-jr
Member Author

luke-jr commented Jan 21, 2023

Well, right now there's only one build for v21.2; I don't know how @achow101 feels about being a single signer, but it would be ideal to get at least a couple more if possible. Thanks

@kristapsk

Are there any official instructions on how to do gitian builds for Knots? Previously for Core I was following the gitian building guide by jonatack, but it doesn't work with Knots; there is a hardcoded https://github.com/bitcoin/bitcoin.git in gitian-builder, for example. I could hack it manually, of course, but probably there is some other proper way?

@luke-jr
Member Author

luke-jr commented Jan 22, 2023

There isn't any hardcoded URI in gitian-builder that I am aware of.

The command I use is something like:

bin/gbuild -m8000 -j2 --disksize 30 "bitcoin/contrib/gitian-descriptors/gitian-${platform}.yml" -u bitcoin="/path/to/local/gitrepo" -c bitcoin="v21.2.knots20210629"

@luke-jr
Member Author

luke-jr commented Feb 26, 2023

Seems we stalled here. With @achow101's permission, I posted v21.2 with just his signature. It would still be nice if anyone is able to produce a second or more, though. :)

One thing to note: gitian doesn't make the SHA256SUMS file format, so if you do a build, please download the one @achow101 made, verify it matches yours, and also sign that file.

Thanks

@kristapsk

Tried again, went through the guide from scratch, but gbuild gives this error: it tries to fetch from bitcoin/bitcoin, not bitcoinknots/bitcoin.

$ bin/gbuild --num-make 1 --memory 2400 --commit bitcoin=v${VERSION} ../bitcoin/contrib/gitian-descriptors/gitian-linux.yml
fatal: couldn't find remote ref v21.2.knots20210629
bin/gbuild:23:in `system!': failed to run cd inputs/bitcoin && git fetch -f --update-head-ok https://github.com/bitcoin/bitcoin.git v21.2.knots20210629 (RuntimeError)
	from bin/gbuild:335:in `block in <main>'
	from bin/gbuild:315:in `each'
	from bin/gbuild:315:in `<main>'
$ cd ../bitcoin; git remote -v; cd - > /dev/null
origin	https://github.com/bitcoinknots/bitcoin (fetch)
origin	https://github.com/bitcoinknots/bitcoin (push)
$ echo $VERSION
21.2.knots20210629

@luke-jr
Member Author

luke-jr commented Feb 28, 2023

@kristapsk Whenever using gitian, you should specify -u bitcoin="/path/to/local/gitrepo" so it doesn't try to fetch over the internet a second time.

9 participants