Bug 1834731 - Review Request: bitcoin - Peer to Peer Cryptographic Currency
Summary: Review Request: bitcoin - Peer to Peer Cryptographic Currency
Keywords:
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nobody's working on this, feel free to take it
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
: 1020292 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-05-12 10:09 UTC by Simone Caronni
Modified: 2020-08-05 09:46 UTC (History)
15 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: ---


Attachments (Terms of Use)

Description Simone Caronni 2020-05-12 10:09:48 UTC
Spec URL: https://slaanesh.fedorapeople.org/bitcoin.spec
SRPM URL: https://slaanesh.fedorapeople.org/bitcoin-0.19.1-1.fc31.src.rpm
Description:
Bitcoin is a digital cryptographic currency that uses peer-to-peer technology to
operate with no central authority or banks; managing transactions and the
issuing of bitcoins is carried out collectively by the network.
Fedora Account System Username: slaanesh

Comment 1 Simone Caronni 2020-05-12 10:10:22 UTC
*** Bug 1020292 has been marked as a duplicate of this bug. ***

Comment 2 Simone Caronni 2020-05-12 10:15:55 UTC
SPEC file contains the necessary information to build on CentOS / RHEL 7 as well.

Comment 3 Oleg Girko 2020-05-13 20:59:27 UTC
I was packaging a Dash client for Fedora for quite some time. Dash was originally a fork of Bitcoin, and now it still synchronises its codebase with newer versions of Bitcoin. Hence, Dash is not different than Bitcoin from packaging point of view, only some file names and TCP port numbers are different.
You can take a look at spec and other files I use to build Dash here: https://obs.infoserver.lv/package/show/cryptocurrency/dash-core
If you find any ideas from this useful, feel free to use them. :-)

My spec file was originally based on spec file that was in Bitcoin source's contrib subdirectory (it was removed from there since then), but significantly evolved.

It has provisions for building with depends system, making deterministic build closer to the one used for binary distribution by vendor (but not exactly the same: still using compiler and some system libraries from Fedora). In order to be suitable for building in isolated environment without network connectivity, all sources needed for building are added as "SourceN:" directives in autogenerated section of spec file, and "update-sources.sh" script has to be run to update these sources every time you change the version number. This feature is not suitable for official Fedora package because it essentially bundles various libraries, so it's disabled by default.

Also, functional tests in "%check" section are run in parallel, and temporary directory is placed in "/var/tmp" for them, because "/tmp" is sometimes tmpfs in isolated build environment. and some tests require 8 gigabytes of space in tmpdir.

Comment 4 Simone Caronni 2020-05-14 07:02:50 UTC
Thanks I will look at it.

Comment 5 Eugene A. Pivnev 2020-06-07 11:37:38 UTC
Selinux* things must be optional.
If user set "selinux=disabled" than he can remove most of *selinux* rpms from host.
But your packages require to reinstall them again.

Summary good job, I use this for last month ok (f30 x32, f32 x64).

Comment 6 Robert-André Mauchin 🐧 2020-06-26 18:04:20 UTC
 - 
Source0:    http://github.com/%{name}/%{name}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz

→

Source0:    http://github.com/%{name}/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz

 - Why does the core subpackage obsoletes the main package? Also for a rename the Obsolete part must be fixed, to the release above the last release of the obsoleted package.

%package core
Summary:    Peer to Peer Cryptographic Currency
Obsoletes:  %{name} < %{version}-%{release}
Provides:   %{name} = %{version}-%{release}

 - GZipping the man pages is handled by rpm, do not do it yourself:

gzip %{buildroot}%{_mandir}/man1/$i.1

 - This is only needed in EPEL7:

%post core
/bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || :

%postun core
if [ $1 -eq 0 ] ; then
    /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null
    /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
fi

%posttrans core
/usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :

 Please put it behind a condition.

 - Do not package libtool archive. Static library are generally not packaged, and, if really needed, must have their own static subpackage:

%{_libdir}/libbitcoinconsensus.a
%{_libdir}/libbitcoinconsensus.la

 
 - In order to avoid unintentional soname bump, we recommend not globbing the major SONAME version from shared library. Be more specific instead:

%{_libdir}/libbitcoinconsensus.so.*

 - /var/lib/, {_localstatedir}/lib → use %{_sharedstatedir}

 - /var/, %{_var} → use %{_localstatedir}

 - /run → %{_rundir}

 - I know nothing about SELinux, I need to find another reviewer for this

Comment 7 Robert-André Mauchin 🐧 2020-06-26 18:41:33 UTC
Also create a logrotate file for the log: https://docs.fedoraproject.org/en-US/packaging-guidelines/#_logrotate_config_file

Comment 8 Simone Caronni 2020-06-30 09:40:18 UTC
Thanks for the feedback, updating the package now.

Comment 9 Simone Caronni 2020-06-30 10:23:21 UTC
(In reply to Robert-André Mauchin from comment #6)
> Source0:   
> http://github.com/%{name}/%{name}/archive/v%{version}/%{name}-%{version}.tar.
> gz

Updated.

>  - Why does the core subpackage obsoletes the main package? Also for a
> rename the Obsolete part must be fixed, to the release above the last
> release of the obsoleted package.

Long old gone thing, removed the Obsoletes.

>  - GZipping the man pages is handled by rpm, do not do it yourself:
> 
> gzip %{buildroot}%{_mandir}/man1/$i.1

Missed it. Actually man pages are now installed automatically, so I removed the section entirely.

>  - This is only needed in EPEL7:
> 
> %post core
> /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || :
> 
> %postun core
> if [ $1 -eq 0 ] ; then
>     /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null
>     /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
> fi
> 
> %posttrans core
> /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
> 
>  Please put it behind a condition.

Missed it, fixed.

>  - Do not package libtool archive. Static library are generally not
> packaged, and, if really needed, must have their own static subpackage:
> 
> %{_libdir}/libbitcoinconsensus.a
> %{_libdir}/libbitcoinconsensus.la

Disabled static library building and removed the local archive.

>  - In order to avoid unintentional soname bump, we recommend not globbing
> the major SONAME version from shared library. Be more specific instead:
> 
> %{_libdir}/libbitcoinconsensus.so.*

Fixed.

>  - /var/lib/, {_localstatedir}/lib → use %{_sharedstatedir}
>  - /var/, %{_var} → use %{_localstatedir}
>  - /run → %{_rundir}

Missed, all fixed.

>  - I know nothing about SELinux, I need to find another reviewer for this

I will not separate the selinux policies from the main package. Many packages in the distribution require SELinux (ex. FreeIPA). It's not something that should be disabled, pretty much like the firewall.


Testing now the above changes with 0.20, will post the updated src.rpm after all functional tests have run.

Comment 10 Simone Caronni 2020-06-30 10:41:57 UTC
(In reply to Robert-André Mauchin from comment #7)
> Also create a logrotate file for the log:
> https://docs.fedoraproject.org/en-US/packaging-guidelines/
> #_logrotate_config_file

A couple of notes here:

- The log file after months of a running daemon is only 9.7 Mb, so I'm not sure there is really any benefit here.
- When enabling -debug on the daemon, the -shrinkdebugfile is automatically set to 1, so the log file is trimmed at startup.

So I see two options:

1. Add -shrinkdebugfile=1 to the systemd unit, so the log file is also trimmed when NOT starting in debug mode
2. Add -shrinkdebugfile=0 to the systemd unit so the log file is never trimmed even when debugging and then add the logrotate file.

I think solution 1 is better.

Comment 11 Simone Caronni 2020-06-30 10:58:23 UTC
In the meanwhile, before changing anything for the logging:

Spec URL: https://slaanesh.fedorapeople.org/bitcoin.spec
SRPM URL: https://slaanesh.fedorapeople.org/bitcoin-0.20.0-2.fc32.src.rpm

* Tue Jun 30 2020 Simone Caronni <negativo17@gmail.com> - 0.20.0-2
- Update Source0 URL.
- Do not obsolete "bitcoin", just leave the provider for it.
- Let the build install the man pages.
- Make sure old post scriptlets run only on RHEL/CentOS 7.
- Do not install static library and archive.
- Be explicit with share object versions.
- Use macros for more directories.
- Use GCC 9 and not 7 to build on RHEL/CentOS 7.

Comment 12 Robert-André Mauchin 🐧 2020-06-30 11:27:15 UTC
 - Could you follow the rules specified at https://fedoraproject.org/wiki/SELinux/IndependentPolicy and use the %pre/%post macros documented there?

 - See the post by DWalsh on the -devel ML: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/GK3KPEDHX5NLDW32X7RIAP2IVEYHIAX3/

Comment 13 Simone Caronni 2020-06-30 14:06:06 UTC
(In reply to Robert-André Mauchin from comment #12)
>  - Could you follow the rules specified at
> https://fedoraproject.org/wiki/SELinux/IndependentPolicy and use the
> %pre/%post macros documented there?
> 
>  - See the post by DWalsh on the -devel ML:
> https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/
> message/GK3KPEDHX5NLDW32X7RIAP2IVEYHIAX3/

Ah, I was not aware of it. I will check, thanks!

Comment 14 Vit Mojzis 2020-06-30 14:21:38 UTC
The Independent policy guide (https://fedoraproject.org/wiki/SELinux/IndependentPolicy) should cover all you need in terms of packaging the policy.
As for the policy itself, please try to follow https://github.com/SELinuxProject/refpolicy/wiki/StyleGuide. Also, using "permissive bitcoin_t;" disables the SELinux confinement on the domain (AVC denials are logged, but not enforced) and should therefore only be used for debugging/testing.

Comment 15 Simone Caronni 2020-06-30 14:44:10 UTC
(In reply to Vit  Mojzis from comment #14)
> The Independent policy guide
> (https://fedoraproject.org/wiki/SELinux/IndependentPolicy) should cover all
> you need in terms of packaging the policy.
> As for the policy itself, please try to follow
> https://github.com/SELinuxProject/refpolicy/wiki/StyleGuide. Also, using
> "permissive bitcoin_t;" disables the SELinux confinement on the domain (AVC
> denials are logged, but not enforced) and should therefore only be used for
> debugging/testing.

Ok, thanks for the info!

Comment 16 Eugene A. Pivnev 2020-06-30 16:18:17 UTC
(In reply to Simone Caronni from comment #10)
> (In reply to Robert-André Mauchin from comment #7)
> > Also create a logrotate file for the log:
> > https://docs.fedoraproject.org/en-US/packaging-guidelines/
> > #_logrotate_config_file
> 
> A couple of notes here:
> 
> - The log file after months of a running daemon is only 9.7 Mb, so I'm not
> sure there is really any benefit here.

I think it is not matter how big is log file.
Let user to decide switch it off on demand.

Comment 17 marco 2020-06-30 18:56:11 UTC
Some questions.

* In the spec file, what exactly is `Source4` used for?

* Why is the Bitcoin Core package called `bitcoin` and not `bitcoin-core` like in other package managers. E.g. https://snapcraft.io/bitcoin-core or https://flathub.org/apps/details/org.bitcoincore.bitcoin-qt

* Is the package going to be made available in CentOS? If yes, on what schedule is CentOS/RHEL going to update the package? Is there a chance that EOL version are offered in the package manager? See https://bitcoincore.org/en/lifecycle/

Comment 18 Eugene A. Pivnev 2020-06-30 19:51:12 UTC
(In reply to marco from comment #17)
> * Why is the Bitcoin Core package called `bitcoin` and not `bitcoin-core`
> like in other package managers. E.g. https://snapcraft.io/bitcoin-core or
> https://flathub.org/apps/details/org.bitcoincore.bitcoin-qt

I can try to answer this.
* "bitcoin-core" includes bitcoind (bitcoin-server, but it is "client" of bitcoin network), bitcoin-utils (pure "client" as client) and bitcoin-qt ("server" as client + partially "client" as client all-in-one :-)
* all of them are absolutely indepent from each another on runtime.
So, this "-core" is not "core" and not includes runtime core (and this is big problem - it's impossible to select "-lib" from these tonns of code).
And as for me I think current packaging (bitcoin => -server + -utils + -qt) is very logical.
PS. in addition some of docs say "..then run bitcoin-core (they mean bitcoin-qt binary) and..."

Comment 19 Simone Caronni 2020-07-01 07:17:33 UTC
(In reply to Eugene A. Pivnev from comment #16)
> (In reply to Simone Caronni from comment #10)
> > (In reply to Robert-André Mauchin from comment #7)
> > > Also create a logrotate file for the log:
> > > https://docs.fedoraproject.org/en-US/packaging-guidelines/
> > > #_logrotate_config_file
> > 
> > A couple of notes here:
> > 
> > - The log file after months of a running daemon is only 9.7 Mb, so I'm not
> > sure there is really any benefit here.
> 
> I think it is not matter how big is log file.
> Let user to decide switch it off on demand.

Exactly, but -shrinkdebugfile set to 1 automatically when in debug mode, the user will get truncated logs at restart. So in my opinion is better to disable the default shrinkdebugfile when turning on debug if we want to use logrotate.

Comment 20 Simone Caronni 2020-07-01 07:24:27 UTC
(In reply to marco from comment #17)
> * In the spec file, what exactly is `Source4` used for?

Contains some things related to packaging (icon, desktop menu, etc.). I might remove it entirely at some point.
It's unpacked in the %autosetup macro:

%autosetup -a 4 -p1

> * Is the package going to be made available in CentOS? If yes, on what
> schedule is CentOS/RHEL going to update the package? Is there a chance that
> EOL version are offered in the package manager? See
> https://bitcoincore.org/en/lifecycle/

I'm planning to build it also on CentOS/RHEL 7+ (stuff is already in the spec file).
I just plan to build the latest version. Maintaining minor releases of previous version in EPEL might be an option (ex. 0.20.1 in EPEL when 0.21 gets released in Fedora), but I don't really see the point honestly. Might be that at one point due to dependencies it's not possible to build the latest for EPEL, so in that case a maintained old release or bundling of some libraries could be an option.

Regarding EOL releases, no, no plan to keep EOL releases alive.

Comment 21 Daniel Walsh 2020-07-01 18:33:43 UTC
Don't think you have to build multiple different SELinux policies, one should work on all variants.

Comment 22 Björn Persson 2020-07-06 14:29:30 UTC
Cryptocurrency wallets are very juicy targets for criminals, so it's paramount that you do everything you can to prevent and detect attempts to inject malware into the package.

First, never use insecure HTTP if HTTPS is available.

Second, verify upstream's signature before unpacking the tarball. Unfortunately they sign it in an indirect way that our handy verifier script doesn't expect. That makes the verification code a bit tricky, so I have written it for you.

These are the changes you need to make:

--- bitcoin.spec.old	2020-06-30 12:57:18.000000000 +0200
+++ bitcoin.spec	2020-07-06 15:48:51.656323998 +0200
@@ -7,9 +7,9 @@
 Release:    2%{?dist}
 Summary:    Peer to Peer Cryptographic Currency
 License:    MIT
-URL:        http://bitcoin.org/
+URL:        https://bitcoin.org/
 
-Source0:    http://github.com/%{name}/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
+Source0:    https://github.com/%{name}/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
 Source1:    %{name}-tmpfiles.conf
 Source2:    %{name}.sysconfig
 Source3:    %{name}.service
@@ -20,12 +20,16 @@
 Source8:    README.server.redhat
 Source9:    README.utils.redhat
 Source10:   README.gui.redhat
+Source11:   https://bitcoin.org/bin/bitcoin-core-%{version}/SHA256SUMS.asc
+Source12:   https://bitcoin.org/laanwj-releases.asc
 
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  boost-devel
 BuildRequires:  checkpolicy
 BuildRequires:  desktop-file-utils
+BuildRequires:  gnupg2
+BuildRequires:  grep
 BuildRequires:  java
 BuildRequires:  libdb4-cxx-devel
 BuildRequires:  libevent-devel
@@ -76,7 +80,7 @@
 may be used by third party software to provide consensus verification
 functionality.
 
-Unless you know need this package, you probably do not.
+Unless you know you need this package, you probably do not.
 
 %package devel
 Summary:    Peer-to-peer digital currency
@@ -126,6 +130,15 @@
 need this package.
 
 %prep
+gpgworkdir="$(mktemp --directory)"
+# Decode the ASCII armor on the keyring.
+gpg2 --homedir="${gpgworkdir}" --yes --output="${gpgworkdir}/keyring.gpg" --dearmor '%{SOURCE12}'
+# Verify the signature on the checksums file using the decoded keyring.
+gpgv2 --homedir="${gpgworkdir}" --keyring="${gpgworkdir}/keyring.gpg" '%{SOURCE11}'
+# Verify the tarball using the checksums file minus the signature.
+( cd '%{_sourcedir}' && grep bitcoin '%{SOURCE11}' | sha256sum --check --ignore-missing - )
+rm --recursive --force ${gpgworkdir}
+
 %autosetup -a 4 -p1
 mv packaging-*/debian/* contrib/debian/

Comment 23 marco 2020-07-08 12:42:25 UTC
If you fetch the key from the same website the binaries are taken from, there is no security. Anyone replacing the binaries can trivially replace the key.

Also, bitcoincore.org is the official download site (bitcoin.org is a mirror site unrelated to the Bitcoin Core project). So I recommend to use the steps to verify from their download page: https://bitcoincore.org/en/download/

The instructions recommend to fetch the key based on its fingerprint (01EA5486DE18A882D4C2684590C8019E36C2E964).

Comment 24 Björn Persson 2020-07-08 17:59:33 UTC
(In reply to marco from comment #23)
> If you fetch the key from the same website the binaries are taken from,
> there is no security. Anyone replacing the binaries can trivially replace
> the key.

That would be true if the upstream project would generate a new key for every release, and also wouldn't sign their keys.

When a new release is signed with the same key that the developers have been using for years, then that increases our confidence that it is from the same source as all the previous releases. When a key needs replacing, then the project can maintain continuity by signing the new key with the old key. We packagers must be very careful when a release-signing key changes, and not blindly replace the key like we replace a tarball.

In this particular case you're also off the mark because my patched spec *doesn't* fetch the key from the same website as the binaries. To my slight surprise I found that the tarball from Github is identical to the one on bitcoin.org (and on bitcoincore.org). If that's reliable, then we can improve security by fetching the tarball from Github and the signed checksum file from bitcoin.org or bitcoincore.org, and verifying them with the key we already have. An attacker will then have to acquire the secret key and compromise *both* websites before they can sneak malicious changes past the verification step.

> Also, bitcoincore.org is the official download site (bitcoin.org is a mirror
> site unrelated to the Bitcoin Core project).

In that case the URL field in the package should also point to https://bitcoincore.org/en/about/.

> The instructions recommend to fetch the key based on its fingerprint
> (01EA5486DE18A882D4C2684590C8019E36C2E964).

Hmm, they refer to keyserver.ubuntu.com, which runs Hockeypuck. I don't see any statement that Hockeypuck has a solution to the spam attack (https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f) that led to keys.fedoraproject.org being turned off (https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/COEYWJBQDAWRSYNQW7Y7TD2EKEGBWOAY/) in February this year. If it doesn't then you expose yourself to a denial of service when you fetch from the keyserver.

In case somebody thinks that fetching a key from a keyserver is more secure than fetching it from the project's website: It's not, because anyone can write somebody else's name on a key and upload it to a keyserver. Only the fingerprint ensures that you get the right key, and someone who can replace files on the project's website can replace the fingerprint too.

Comment 25 marco 2020-07-08 18:49:38 UTC
> packagers must be very careful when a release-signing key changes

Source12 simply downloads the key from https://bitcoin.org/laanwj-releases.asc without checking the hash or fingerprint, so there is no way to detect changes. What am I missing?

> To my slight surprise I found that the tarball from Github is identical to the one on bitcoin.org (and on bitcoincore.org)

I think this is only a coincidence for the 0.20.0 release. All other releases should not match, which is why I assumed the download sources are identical.

> I don't see any statement that Hockeypuck has a solution to the spam attack

Good point, personally I can recommend https://keys.openpgp.org/vks/v1/by-fingerprint/01EA5486DE18A882D4C2684590C8019E36C2E964, which claim to be resistant to those attacks ( https://keys.openpgp.org/about/faq#sks-pool )

Not sure, but keyserver.ubuntu.com might have solved the attack by disabling key updates, which could lead to problems should the key ever be revoked.

Though generally, as long as the fingerprint matches, it should be possible to download the key from any source with reliable uptime.

Comment 26 Björn Persson 2020-07-08 20:29:23 UTC
(In reply to marco from comment #25)
> Source12 simply downloads the key from
> https://bitcoin.org/laanwj-releases.asc without checking the hash or
> fingerprint, so there is no way to detect changes. What am I missing?

You're missing the fact that RPMbuild doesn't download anything and the Koji builders are isolated from Internet access. All sources and patches are taken from the Fedora Project's Git repository and lookaside cache, and change only when a package maintainer uploads a new file. Our source file verification policy says that the keyring shall be committed to Git:
https://docs.fedoraproject.org/en-US/packaging-guidelines/#_source_file_verification

The URL is there to document where the keyring came from, so that anyone can download it and verify that it's identical to the one in Git.

Comment 27 Oleg Girko 2020-07-08 20:38:35 UTC
(In reply to Björn Persson from comment #26)
> (In reply to marco from comment #25)
> > Source12 simply downloads the key from
> > https://bitcoin.org/laanwj-releases.asc without checking the hash or
> > fingerprint, so there is no way to detect changes. What am I missing?
> 
> You're missing the fact that RPMbuild doesn't download anything and the Koji
> builders are isolated from Internet access. All sources and patches are
> taken from the Fedora Project's Git repository and lookaside cache, and
> change only when a package maintainer uploads a new file. Our source file
> verification policy says that the keyring shall be committed to Git:
> https://docs.fedoraproject.org/en-US/packaging-guidelines/
> #_source_file_verification
> 
> The URL is there to document where the keyring came from, so that anyone can
> download it and verify that it's identical to the one in Git.

This looks too dependent on Fedora infrastructure.
What about those who want to re-build the package from the spec file on their computer (and download all necessary sources using spectool)?
What about those who want to re-build the package using OBS and download_files source service?
I think, the main PGP public key's checksum should be embedded into spec file and checked against to make sure all re-downloaded sources are correct.

Comment 28 Björn Persson 2020-07-10 15:54:08 UTC
(In reply to Oleg Girko from comment #27)
> What about those who want to re-build the package from the spec file

I would recommend rebuilding from the source RPM package. Rebuilding from only a spec isn't possible in the general case. Many packages have patches, and sometimes there is no working URL to a source. Those will be missing if you try to rebuild from only the spec.

> I think, the main PGP public key's checksum should be embedded into spec
> file and checked against to make sure all re-downloaded sources are correct.

That wouldn't hurt. You would want a GnuPG command – or a series of commands – to verify that the given keyring contains a key with the given fingerprint, and also that it doesn't contain any other keys. Can you propose such a command? Don't forget to ensure that GnuPG will look only in the specified keyring even if the user has a default keyring.

Comment 29 Oleg Girko 2020-07-10 16:56:25 UTC
(In reply to Björn Persson from comment #28)
> (In reply to Oleg Girko from comment #27)
> > I think, the main PGP public key's checksum should be embedded into spec
> > file and checked against to make sure all re-downloaded sources are correct.
> 
> That wouldn't hurt. You would want a GnuPG command – or a series of commands
> – to verify that the given keyring contains a key with the given
> fingerprint, and also that it doesn't contain any other keys. Can you
> propose such a command? Don't forget to ensure that GnuPG will look only in
> the specified keyring even if the user has a default keyring.

Something like this in %prep section:

    echo 123456789abcdef... %{SOURCE12} | sha256sum -c

Comment 30 Simone Caronni 2020-07-18 07:56:26 UTC
Thanks, I've added signature verification which is a bit from all comments above.
The packaging guidelines are pretty clear about signatures, so:

- Key is downloaded from the keyserver (as also suggested by upstream) and instructions are in the SPEC file.
- Key is added to the Fedora SCM (aka it's in git).
- Detached signed checksum is in the lookaside cache (aka it's in the sources file).
- Since /usr/lib/rpm/redhat/gpgverify (aka %gpgverify) does not support signed sums files I've replaced it with gpgv2/sha256sum commands.

I will also add the SHA256UM.asc file in the .gitignore file once approved so there is no chance that the hashed checksum gets into SCM and can only go into the lookaside cache.

Spec URL: https://slaanesh.fedorapeople.org/bitcoin.spec
SRPM URL: https://slaanesh.fedorapeople.org/bitcoin-0.20.0-3.fc32.src.rpm

* Sat Jul 18 2020 Simone Caronni <negativo17@gmail.com> - 0.20.0-3
- Add signature verification.
- Trim changelog.
- Fix typo in the libs description.

I will start working on the SELinux part hopefully soon (terribly busy in real life).

Comment 31 Simone Caronni 2020-07-19 18:01:24 UTC
Spec URL: https://slaanesh.fedorapeople.org/bitcoin.spec
SRPM URL: https://slaanesh.fedorapeople.org/bitcoin-0.20.0-4.fc32.src.rpm

* Sun Jul 19 2020 Simone Caronni <negativo17@gmail.com> - 0.20.0-4
- Fix tests on RHEL/CentOS 7.

Comment 32 Björn Persson 2020-07-19 19:55:48 UTC
Thank you for adding the signature verification, but you're still using HTTP instead of HTTPS in URL and Source20 for no reason I can see.

Comment 33 Simone Caronni 2020-07-21 17:48:40 UTC
(In reply to Björn Persson from comment #32)
> Thank you for adding the signature verification, but you're still using HTTP
> instead of HTTPS in URL and Source20 for no reason I can see.

Just forgot it to change it in %url which get expanded in the Source20 line.

Spec URL: https://slaanesh.fedorapeople.org/bitcoin.spec
SRPM URL: https://slaanesh.fedorapeople.org/bitcoin-0.20.0-5.fc32.src.rpm

More cleanups:

* Tue Jul 21 2020 Simone Caronni <negativo17@gmail.com> - 0.20.0-5
- Use HTTPS for url tag.
- Reorganize sources. Add cleaned files from the packaging repository directly;
  bash completion snippets are now supported in the main sources.
- Move check section after install and include desktop file validating in
  there.

Room for improvements:
- Check hardening measures for the systemd unit (differences between the various distributions).
  Ex.: https://github.com/bitcoin/bitcoin/blob/master/contrib/init/bitcoind.service#L53-L74
- Rework SELinux policy
- Check about bundling libdb4 (deprecated everywhere in Fedora, not available in EPEL), upstream accepts any libdb versions for building but wallets are not compatible across different libdb versions and need to be converted. Debian builds with the latest libdb: https://salsa.debian.org/cryptocoin-team/bitcoin/-/blob/master/debian/rules#L31

Comment 34 Simone Caronni 2020-07-21 17:49:13 UTC
I'll be away from the 25th of July for holidays until the 17th of August.

Comment 35 Simone Caronni 2020-07-21 20:01:32 UTC
Spec URL: https://slaanesh.fedorapeople.org/bitcoin.spec
SRPM URL: https://slaanesh.fedorapeople.org/bitcoin-0.20.0-6.fc32.src.rpm

* Tue Jul 21 2020 Simone Caronni <negativo17@gmail.com> - 0.20.0-6
- Update systemd unit.
- Update configuration options.
- Declared bundled libraries/forks.

Room for improvements:
- Rework SELinux policy
- Check about bundling libdb4 (deprecated everywhere in Fedora, not available in EPEL), upstream accepts any libdb versions for building but wallets are not compatible across different libdb versions and need to be converted. Debian builds with the latest libdb: https://salsa.debian.org/cryptocoin-team/bitcoin/-/blob/master/debian/rules#L31

I've run out of procrastination items for the SELinux policy :D

Comment 36 Simone Caronni 2020-07-23 04:51:37 UTC
I've tested with a few wallets and everything is fine, no conversion needed.

Spec URL: https://slaanesh.fedorapeople.org/bitcoin.spec
SRPM URL: https://slaanesh.fedorapeople.org/bitcoin-0.20.0-7.fc32.src.rpm

* Wed Jul 22 2020 Simone Caronni <negativo17@gmail.com> - 0.20.0-7
- Use libdb 5.x instead of deprecated 4.x. Fixes build on RHEL/CentOS 8.

Room for improvements:
- Rework SELinux policy

Comment 37 marco 2020-08-05 09:46:48 UTC
> BuildRequires:  openssl-devel
> BuildRequires:  protobuf-devel

I believe neither of them are needed at all


Note You need to log in before you can comment on or make changes to this bug.