bitcoin: 30.0 -> 30.1

[starius]

Updated guix.sigs to the latest commit when a signature for 30.1 was added.

Signer glozow has not signed release 30.1. I updated builderKeys to comment out glozow and added willcl-ark. Signers were sorted alphabetically.

Things done

• Built on platform:
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• Tested, as applicable:
  • NixOS tests in nixos/tests.
  • Package tests at passthru.tests.
  • Tests in lib/tests or pkgs/test for functions and "core" functionality.
• Ran nixpkgs-review on this PR. See nixpkgs-review usage.
• Tested basic functionality of all binary files, usually in ./result/bin/.
• Nixpkgs Release Notes
  • Package update: when the change is major or breaking.
• NixOS Release Notes
  • Module addition: when adding a new NixOS module.
  • Module update: when the change is significant.
• Fits CONTRIBUTING.md, pkgs/README.md, maintainers/README.md and other READMEs.

---

Add a 👍 reaction to pull requests you find important.

[roconnor]

I don't know how I feel about adding a bunch of people to the signers list. If our policy is to just muck around with the signing keys for every release, then is checking signatures really providing us with value? Anyone can sign any software package with any key.

Anyhow, so long as achow101 is on the list, I won't oppose this. The process just seems kinda silly to me.

[starius]

@roconnor I collected the list of signers who signed all of 3 recent releases, so they are unlikely to change. If they change for a good reason, we can update the list.

There is a long list of signers in this PR for example: bitcoin-core/guix.sigs#2107 open "Details" in the description.
So I think it is also not a bad idea to have a long list in Nix as well?

They are not random folks, but developers of Bitcoin Core and their keys come from https://github.com/bitcoin-core/guix.sigs/tree/main/builder-keys so I think it still makes sense to check their signatures. At least if many of them do not sign a release, this would deserve attention of Nix maintainers.

[roconnor]

I don't think looking at just the last 3 is releases is good enough. But anyhow, I'll defer to the other reviewers.

[prusnak]

who signed all of 3 recent releases

How does the list look if you take 3 recent MAJOR releases? (28.x, 29.x, 30.x)?

[roconnor]

For reference this is the listing from before: #425555 (comment)

[prusnak]

For reference this is the listing from before: #425555 (comment)

Yeah, lets keep those 5 and lets comment glozow in this PR.

[roconnor]

Of all the keys being proposed we might consider adding willcl-ark.gpg.

[starius]

Bitcoin Core release signers (from bitcoin-core/guix.sigs commit 8427342623f66a98e4b2503e5e15eb41485200d2):

• 28.0: 0xb10c, CoinForensics, Emzy, Sjors, TheCharlatan, achow101, fanquake, glozow, guggero, hebasto, jackielove4u, kvaciral, laanwj, m3dwards, pinheadmz, sipa, sipsorcery, svanstaa,
  theStack, willcl-ark
• 28.1: 0xb10c, CoinForensics, Emzy, Sjors, TheCharlatan, achow101, fanquake, glozow, guggero, hebasto, kvaciral, laanwj, m3dwards, pinheadmz, sipsorcery, theStack, willcl-ark
• 28.2: 0xb10c, Emzy, Sjors, TheCharlatan, achow101, fanquake, glozow, guggero, hebasto, ismaelsadeeq, laanwj, m3dwards, pinheadmz, sipsorcery, theStack, willcl-ark
• 28.3: Emzy, Sjors, achow101, benthecarman, fanquake, glozow, guggero, hebasto, laanwj, m3dwards, pinheadmz, sipsorcery, theStack, willcl-ark
• 29.0: 0xb10c, CoinForensics, Emzy, Sjors, TheCharlatan, achow101, fanquake, glozow, guggero, hebasto, kvaciral, laanwj, m3dwards, pinheadmz, sipsorcery, svanstaa, tapcrafter, theStack,
  willcl-ark
• 29.1: 0xb10c, Emzy, Sjors, TheCharlatan, achow101, benthecarman, fanquake, glozow, guggero, hebasto, laanwj, m3dwards, pinheadmz, sipsorcery, svanstaa, theStack, willcl-ark
• 29.2: Emzy, Sjors, TheCharlatan, achow101, benthecarman, fanquake, glozow, guggero, hebasto, laanwj, m3dwards, pinheadmz, sipa, sipsorcery, theStack, willcl-ark, yuvicc
• 30.0: 0xb10c, Emzy, Sjors, TheCharlatan, achow101, benthecarman, davidgumberg, fanquake, glozow, guggero, hebasto, ismaelsadeeq, jackielove4u, laanwj, m3dwards, marcofleon, pinheadmz,
  satsie, sipa, sipsorcery, theStack, vertiond, willcl-ark, yuvicc
• 30.1: 0xb10c, Emzy, Sjors, TheCharlatan, achow101, fanquake, guggero, hebasto, laanwj, m3dwards, marcofleon, pinheadmz, svanstaa, theStack, willcl-ark

The following people signed all of them:

• achow101
• Emzy
• fanquake
• guggero
• hebasto
• laanwj
• m3dwards
• pinheadmz
• Sjors
• theStack
• willcl-ark

The following people signed 28.0, 29.0, 30.0:

• 0xb10c
• Emzy
• Sjors
• TheCharlatan
• achow101
• fanquake
• glozow
• guggero
• hebasto
• laanwj
• m3dwards
• pinheadmz
• sipsorcery
• theStack
• willcl-ark

[starius]

@prusnak @roconnor I commented out glozov and added the signers who signed all of 29.*, 30.*, and 30.*:

• fanquake
• guggero
• m3dwards
• pinheadmz
• Sjors
• theStack
• willcl-ark

Each of them signed all of the releases 29.*, 30.*, and 30.*, so I think we can rely on them to keep signing future releases. What do you think?

[roconnor]

I don't think your list is correct. e.g. fanquake isn't among the signatures available in the file https://bitcoincore.org/bin/bitcoin-core-28.1/SHA256SUMS.asc.

(Edit: nor https://bitcoincore.org/bin/bitcoin-core-29.0/SHA256SUMS.asc)

[starius]

@roconnor You are right! I was looking at signatures stored in guix.sigs, while our Nix script uses SHA256SUMS.asc files.

The only two people whose signatures are present in SHA256SUMS.asc file of all of 28.x, 29.x and 30.x releases are:

• achow101
• Emzy

The only signer added is now willcl-ark. Plus pre-existing 5 signers, glozov commented out.

[prusnak]

Thanks @starius

Is this OK now @roconnor ?

[roconnor]

I checked the hash of SHA256SUMS.asc

[roconnor]

Based on Ava's recent mailing list post, we should roll this back.

[roconnor]

Seems all 30.x sources have been removed from bitcoincore.org.

[roconnor]

Can we purge the hydra binaries, if any?