Merge dashpay#6382: backport: merge bitcoin#21089, bitcoin#27670, bit…

…coin#24031, bitcoin#26470, bitcoin#27296, bitcoin#27179, bitcoin#27813, bitcoin#27811, bitcoin#28069, bitcoin#28294, bitcoin#28324, bitcoin#28328, bitcoin#29987 (guix backports: part 4)

1edd121 merge bitcoin#29987: build with glibc 2.31 (Kittywhiskers Van Gogh)
0949825 revert: add exception for 32-bit ARM builds which need glibc 2.28 (Kittywhiskers Van Gogh)
0ac2531 merge bitcoin#28328: update time-machine (Kittywhiskers Van Gogh)
ef9c4bd merge bitcoin#28324: pre time-machine bump changes (Linux) (Kittywhiskers Van Gogh)
b45a127 merge bitcoin#28294: pre time-machine bump changes (Windows) (Kittywhiskers Van Gogh)
ed1f7fe merge bitcoin#28069: Remove librt usage from release binaries (Kittywhiskers Van Gogh)
5d51aa9 merge bitcoin#27811: Clean up manifest (Kittywhiskers Van Gogh)
d439e46 merge bitcoin#27813: Update `python-lief` package to 0.13.2 (Kittywhiskers Van Gogh)
70e6283 merge bitcoin#27179: use osslsigncode 2.5 (Kittywhiskers Van Gogh)
3799509 merge bitcoin#27296: import/sync python-lief (0.12.3) package definition from upstream (Kittywhiskers Van Gogh)
ac8bd5a refactor: move lief definitions to expected location (Kittywhiskers Van Gogh)
eb0ae08 merge bitcoin#26470: Clean up `libexec/build.sh` (Kittywhiskers Van Gogh)
d3d7a05 merge bitcoin#24031: don't compress macOS DMG (Kittywhiskers Van Gogh)
6a54603 merge bitcoin#27670: remove redundant glibc patches (Kittywhiskers Van Gogh)
0c988f0 merge bitcoin#21089: Add support for powerpc64{,le} (Kittywhiskers Van Gogh)
808d215 fix: set correct locale in guix ci container (UdjinM6)

Pull request description:

  ## Motivation

  In preparation for migrating to C++20 and bumping our minimum required compiler to ensure that we have access to greater portions of the C++20 spec, this pull request first of two pull requests aiming to upgrade our Guix setup to use GCC 12 (and GCC 11 for the macOS toolchain).

  Upgrades to the Clang toolchain for macOS and moving to GCC 12 for the macOS toolchain will be addressed in a separate pull request as the latter requires [bitcoin#21778](bitcoin#21778), which is well outside the scope of this PR.

  ## Additional Notes

  * Dependency for dashpay#6383

  * Newer versions of GCC will not behave as expected with `test-security-check.py` as the stack protector (listed as `Canary` in the test) now behaves as expected and no longer fails. This causes an error when running it as the test expects failure (see below). This isn't an issue upstream as they backported [bitcoin#29987](bitcoin#29987), which gets rid of those tests ([source](bitcoin@b5fc6d4#diff-52aa0cda44721f089e53b128cb1232a876006ef257b211655456b17dfb2ec712)).

    Therefore, we have backported that pull request as well.

    <details>

    <summary>Build failure:</summary>

    ```
    ======================================================================
    FAIL: test_ELF (__main__.TestSecurityChecks)
    ----------------------------------------------------------------------
    Traceback (most recent call last):
      File "/distsrc-base/distsrc-22.0.0-beta.1-70-g7907fab39c17-x86_64-linux-gnu/./contrib/devtools/test-security-check.py", line 61, in test_ELF
        self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-zexecstack','-fno-stack-protector','-Wl,-znorelro','-no-pie','-fno-PIE', '-Wl,-z,separate-code']),
    AssertionError: Tuples differ: (1, 'test1: failed PIE NX RELRO CONTROL_FLOW') != (1, 'test1: failed PIE NX RELRO Canary CONTROL_FLOW')

    First differing element 1:
    'test1: failed PIE NX RELRO CONTROL_FLOW'
    'test1: failed PIE NX RELRO Canary CONTROL_FLOW'

    - (1, 'test1: failed PIE NX RELRO CONTROL_FLOW')
    + (1, 'test1: failed PIE NX RELRO Canary CONTROL_FLOW')
    ?                                +++++++

    ----------------------------------------------------------------------
    Ran 1 test in 0.126s

    FAILED (failures=1)
    ```

    </details>

    * The backport has the effect of bumping the target glibc version to 2.31, which as the release notes say, cuts off support for RHEL 8 and Ubuntu 18.04 LTS (`bionic`) (i.e. our Guix binaries won't run on these distros anymore, users running those distros will have to compile it themselves).

    This shouldn't be a problem as full support for RHEL 8 ended May 31, 2024 ([source](https://access.redhat.com/support/policy/updates/errata#Life_Cycle_Dates)) and standard support for `bionic` ended April 2023 ([source](https://ubuntu.com/about/release-cycle)).

    **Dash Core will still work on Ubuntu 20.04 LTS (`focal`) as it ships with glibc 2.31 ([source](https://packages.ubuntu.com/focal/glibc-doc))**

  ## Breaking Changes

  None expected

  ## Checklist:

  - [x] I have performed a self-review of my own code
  - [x] I have commented my code, particularly in hard-to-understand areas **(note: N/A)**
  - [x] I have added or updated relevant unit/integration/functional/e2e tests
  - [x] I have made corresponding changes to the documentation
  - [x] I have assigned this pull request to a milestone _(for repository code-owners and collaborators only)_

ACKs for top commit:
  UdjinM6:
    utACK 1edd121

Tree-SHA512: 194a35a72ede5fb5488cdc41eb15320df7a5fa1fb8815c7342dd15b3983efff417fb1a525fdf497a98ede91958d0a5ed18f3e5f0f27c5cbc5dc25eb58116dbd5

.gitignore

@@ -76,7 +76,6 @@ libconftest.dylib*
 *.log
 *.trs
 *.dmg
-*.iso
 
 *.json.h
 *.raw.h

Makefile.am

@@ -13,7 +13,7 @@ if ENABLE_MAN
 SUBDIRS += doc/man
 endif
 .PHONY: deploy FORCE
-.INTERMEDIATE: $(OSX_TEMP_ISO) $(COVERAGE_INFO)
+.INTERMEDIATE: $(COVERAGE_INFO)
 
 export PYTHONPATH
 
@@ -37,7 +37,6 @@ space := $(empty) $(empty)
 OSX_APP=Dash-Qt.app
 OSX_VOLNAME = $(subst $(space),-,$(PACKAGE_NAME))
 OSX_DMG = $(OSX_VOLNAME).dmg
-OSX_TEMP_ISO = $(OSX_DMG:.dmg=).temp.iso
 OSX_DEPLOY_SCRIPT=$(top_srcdir)/contrib/macdeploy/macdeployqtplus
 OSX_INSTALLER_ICONS=$(top_srcdir)/src/qt/res/icons/dash.icns
 OSX_PLIST=$(top_builddir)/share/qt/Info.plist #not installed
@@ -127,19 +126,15 @@ deploydir: $(OSX_DMG)
 else !BUILD_DARWIN
 APP_DIST_DIR=$(top_builddir)/dist
 
-$(OSX_TEMP_ISO): $(APP_DIST_DIR)/$(OSX_APP)/Contents/MacOS/Dash-Qt
+$(OSX_DMG): deploydir
 	$(XORRISOFS) -D -l -V "$(OSX_VOLNAME)" -no-pad -r -dir-mode 0755 -o $@ $(APP_DIST_DIR) -- $(if $(SOURCE_DATE_EPOCH),-volume_date all_file_dates =$(SOURCE_DATE_EPOCH))
 
-$(OSX_DMG): $(OSX_TEMP_ISO)
-	$(DMG) dmg "$<" "$@"
-
 $(APP_DIST_DIR)/$(OSX_APP)/Contents/MacOS/Dash-Qt: $(OSX_APP_BUILT) $(OSX_PACKAGING)
 	INSTALLNAMETOOL=$(INSTALLNAMETOOL) OTOOL=$(OTOOL) STRIP=$(STRIP) $(PYTHON) $(OSX_DEPLOY_SCRIPT) $(OSX_APP) $(OSX_VOLNAME) -translations-dir=$(QT_TRANSLATION_DIR)
 
 deploydir: $(APP_DIST_DIR)/$(OSX_APP)/Contents/MacOS/Dash-Qt
 endif !BUILD_DARWIN
 
-appbundle: $(OSX_APP_BUILT)
 deploy: $(OSX_DMG)
 endif
 

configure.ac

@@ -846,7 +846,6 @@ case $host in
            AC_PATH_TOOL([INSTALLNAMETOOL], [install_name_tool], install_name_tool)
            AC_PATH_TOOL([OTOOL], [otool], otool)
            AC_PATH_PROGS([XORRISOFS], [xorrisofs], xorrisofs)
-           AC_PATH_PROGS([DMG], [dmg], dmg)
 
            dnl libtool will try to strip the static lib, which is a problem for
            dnl cross-builds because strip attempts to call a hard-coded ld,
@@ -960,8 +959,6 @@ if test x$ac_cv_sys_large_files != x &&
   CPPFLAGS="$CPPFLAGS -D_LARGE_FILES=$ac_cv_sys_large_files"
 fi
 
-AC_SEARCH_LIBS([clock_gettime],[rt])
-
 if test "x$enable_gprof" = xyes; then
     dnl -pg is incompatible with -pie. Since hardening and profiling together doesn't make sense,
     dnl we simply make them mutually exclusive here. Additionally, hardened toolchains may force

contrib/containers/ci/Dockerfile

@@ -76,7 +76,7 @@ RUN pip3 install \
     codespell==1.17.1 \
     flake8==3.8.3 \
     jinja2 \
-    lief==0.12.1 \
+    lief==0.13.2 \
     pyzmq \
     vulture==2.3 \
     mypy==0.781 \

contrib/containers/guix/Dockerfile

@@ -31,7 +31,7 @@ ENV PATH="/usr/local/bin:/usr/local/guix/current/bin:$PATH"
 # Application Setup
 # https://guix.gnu.org/manual/en/html_node/Application-Setup.html
 ENV GUIX_LOCPATH="/usr/local/guix/profile" \
-    LC_ALL="C"
+    LC_ALL="en_US.UTF-8"
 
 RUN guix_file_name=guix-binary-${guix_version}.$(uname -m)-linux.tar.xz          && \
     eval "guix_checksum=\${guix_checksum_$(uname -m)}"                           && \

contrib/devtools/security-check.py

@@ -113,7 +113,7 @@ def check_ELF_control_flow(binary) -> bool:
     main = binary.get_function_address('main')
     content = binary.get_content_from_virtual_address(main, 4, lief.Binary.VA_TYPES.AUTO)
 
-    if content == [243, 15, 30, 250]: # endbr64
+    if content.tolist() == [243, 15, 30, 250]: # endbr64
         return True
     return False
 
@@ -142,7 +142,7 @@ def check_PE_control_flow(binary) -> bool:
 
     content = binary.get_content_from_virtual_address(virtual_address, 4, lief.Binary.VA_TYPES.VA)
 
-    if content == [243, 15, 30, 250]: # endbr64
+    if content.tolist() == [243, 15, 30, 250]: # endbr64
         return True
     return False
 
@@ -190,7 +190,7 @@ def check_MACHO_control_flow(binary) -> bool:
     '''
     content = binary.get_content_from_virtual_address(binary.entrypoint, 4, lief.Binary.VA_TYPES.AUTO)
 
-    if content == [243, 15, 30, 250]: # endbr64
+    if content.tolist() == [243, 15, 30, 250]: # endbr64
         return True
     return False
 

contrib/devtools/symbol-check.py

@@ -15,20 +15,20 @@
 
 import lief
 
-# Debian 11 (Bullseye) EOL: est. 2026 https://wiki.debian.org/LTS
+# Debian 11 (Bullseye) EOL: 2026. https://wiki.debian.org/LTS
 #
-# - libgcc version 10.2.1 (https://packages.debian.org/search?suite=bullseye&arch=any&searchon=names&keywords=libgcc-s1)
-# - libc version 2.31 (https://packages.debian.org/search?suite=bullseye&arch=any&searchon=names&keywords=libc6)
+# - libgcc version 10.2.1 (https://packages.debian.org/bullseye/libgcc-s1)
+# - libc version 2.31 (https://packages.debian.org/source/bullseye/glibc)
 #
 # Ubuntu 20.04 (Focal) EOL: 2030. https://wiki.ubuntu.com/ReleaseTeam
 #
-# - libgcc version 10.3.0 (https://packages.ubuntu.com/focal/libgcc1)
+# - libgcc version 10.5.0 (https://packages.ubuntu.com/focal/libgcc1)
 # - libc version 2.31 (https://packages.ubuntu.com/focal/libc6)
 #
-# CentOS Stream 9 EOL: est. 2027 https://www.centos.org/cl-vs-cs
+# CentOS Stream 9 EOL: 2027. https://www.centos.org/cl-vs-cs/#end-of-life
 #
-# - libgcc version 12.2.1 (https://mirror.stream.centos.org/9-stream/AppStream/x86_64/os/Packages)
-# - libc version 2.34 (https://mirror.stream.centos.org/9-stream/AppStream/x86_64/os/Packages)
+# - libgcc version 12.2.1 (https://mirror.stream.centos.org/9-stream/AppStream/x86_64/os/Packages/)
+# - libc version 2.34 (https://mirror.stream.centos.org/9-stream/AppStream/x86_64/os/Packages/)
 #
 # See https://gcc.gnu.org/onlinedocs/libstdc++/manual/abi.html for more info.
 
@@ -101,7 +101,6 @@
 'libc.so.6', # C library
 'libpthread.so.0', # threading
 'libm.so.6', # math library
-'librt.so.1', # real-time (clock)
 'libatomic.so.1',
 'ld-linux-x86-64.so.2', # 64-bit dynamic linker
 'ld-linux.so.2', # 32-bit dynamic linker

contrib/devtools/test-security-check.py

@@ -58,32 +58,32 @@ def test_ELF(self):
         arch = get_arch(cc, source, executable)
 
         if arch == lief.ARCHITECTURES.X86:
-            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-zexecstack','-fno-stack-protector','-Wl,-znorelro','-no-pie','-fno-PIE', '-Wl,-z,separate-code']),
-                    (1, executable+': failed PIE NX RELRO Canary CONTROL_FLOW'))
-            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-fno-stack-protector','-Wl,-znorelro','-no-pie','-fno-PIE', '-Wl,-z,separate-code']),
-                    (1, executable+': failed PIE RELRO Canary CONTROL_FLOW'))
-            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-fstack-protector-all','-Wl,-znorelro','-no-pie','-fno-PIE', '-Wl,-z,separate-code']),
+            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-zexecstack','-Wl,-znorelro','-no-pie','-fno-PIE', '-Wl,-z,separate-code']),
+                    (1, executable+': failed PIE NX RELRO CONTROL_FLOW'))
+            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-Wl,-znorelro','-no-pie','-fno-PIE', '-Wl,-z,separate-code']),
                     (1, executable+': failed PIE RELRO CONTROL_FLOW'))
-            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-fstack-protector-all','-Wl,-znorelro','-pie','-fPIE', '-Wl,-z,separate-code']),
+            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-Wl,-znorelro','-no-pie','-fno-PIE', '-Wl,-z,separate-code']),
+                    (1, executable+': failed PIE RELRO CONTROL_FLOW'))
+            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-Wl,-znorelro','-pie','-fPIE', '-Wl,-z,separate-code']),
                     (1, executable+': failed RELRO CONTROL_FLOW'))
-            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-fstack-protector-all','-Wl,-zrelro','-Wl,-z,now','-pie','-fPIE', '-Wl,-z,noseparate-code']),
+            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-Wl,-zrelro','-Wl,-z,now','-pie','-fPIE', '-Wl,-z,noseparate-code']),
                     (1, executable+': failed separate_code CONTROL_FLOW'))
-            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-fstack-protector-all','-Wl,-zrelro','-Wl,-z,now','-pie','-fPIE', '-Wl,-z,separate-code']),
+            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-Wl,-zrelro','-Wl,-z,now','-pie','-fPIE', '-Wl,-z,separate-code']),
                     (1, executable+': failed CONTROL_FLOW'))
-            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-fstack-protector-all','-Wl,-zrelro','-Wl,-z,now','-pie','-fPIE', '-Wl,-z,separate-code', '-fcf-protection=full']),
+            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-Wl,-zrelro','-Wl,-z,now','-pie','-fPIE', '-Wl,-z,separate-code', '-fcf-protection=full']),
                     (0, ''))
         else:
-            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-zexecstack','-fno-stack-protector','-Wl,-znorelro','-no-pie','-fno-PIE', '-Wl,-z,separate-code']),
-                    (1, executable+': failed PIE NX RELRO Canary'))
-            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-fno-stack-protector','-Wl,-znorelro','-no-pie','-fno-PIE', '-Wl,-z,separate-code']),
-                    (1, executable+': failed PIE RELRO Canary'))
-            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-fstack-protector-all','-Wl,-znorelro','-no-pie','-fno-PIE', '-Wl,-z,separate-code']),
+            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-zexecstack','-Wl,-znorelro','-no-pie','-fno-PIE', '-Wl,-z,separate-code']),
+                    (1, executable+': failed PIE NX RELRO'))
+            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-Wl,-znorelro','-no-pie','-fno-PIE', '-Wl,-z,separate-code']),
+                    (1, executable+': failed PIE RELRO'))
+            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-Wl,-znorelro','-no-pie','-fno-PIE', '-Wl,-z,separate-code']),
                     (1, executable+': failed PIE RELRO'))
-            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-fstack-protector-all','-Wl,-znorelro','-pie','-fPIE', '-Wl,-z,separate-code']),
+            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-Wl,-znorelro','-pie','-fPIE', '-Wl,-z,separate-code']),
                     (1, executable+': failed RELRO'))
-            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-fstack-protector-all','-Wl,-zrelro','-Wl,-z,now','-pie','-fPIE', '-Wl,-z,noseparate-code']),
+            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-Wl,-zrelro','-Wl,-z,now','-pie','-fPIE', '-Wl,-z,noseparate-code']),
                     (1, executable+': failed separate_code'))
-            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-fstack-protector-all','-Wl,-zrelro','-Wl,-z,now','-pie','-fPIE', '-Wl,-z,separate-code']),
+            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-Wl,-zrelro','-Wl,-z,now','-pie','-fPIE', '-Wl,-z,separate-code']),
                     (0, ''))
 
         clean_files(source, executable)

contrib/devtools/test-symbol-check.py

@@ -38,11 +38,6 @@ def test_ELF(self):
         executable = 'test1'
         cc = determine_wellknown_cmd('CC', 'gcc')
 
-        # there's no way to do this test for ARM at the moment; we build for
-        # ARM in a glibc 2.31 envinonment and we allow all symbols from 2.28.
-        if 'arm' in get_machine(cc):
-            self.skipTest("test not available for 32-bit ARM")
-
         # -lutil is part of the libc6 package so a safe bet that it's installed
         # it's also out of context enough that it's unlikely to ever become a real dependency
         source = 'test2.c'

contrib/guix/guix-build

@@ -74,7 +74,7 @@ mkdir -p "$VERSION_BASE"
 ################
 
 # Default to building for all supported HOSTs (overridable by environment)
-export HOSTS="${HOSTS:-x86_64-linux-gnu arm-linux-gnueabihf aarch64-linux-gnu riscv64-linux-gnu
+export HOSTS="${HOSTS:-x86_64-linux-gnu arm-linux-gnueabihf aarch64-linux-gnu riscv64-linux-gnu powerpc64-linux-gnu powerpc64le-linux-gnu
                        x86_64-w64-mingw32
                        x86_64-apple-darwin arm64-apple-darwin}"
 

contrib/guix/libexec/build.sh

@@ -54,7 +54,8 @@ BASEPREFIX="${PWD}/depends"
 store_path() {
     grep --extended-regexp "/[^-]{32}-${1}-[^-]+${2:+-${2}}" "${GUIX_ENVIRONMENT}/manifest" \
         | head --lines=1 \
-        | sed --expression='s|^[[:space:]]*"||' \
+        | sed --expression='s|\x29*$||' \
+              --expression='s|^[[:space:]]*"||' \
               --expression='s|"[[:space:]]*$||'
 }
 
@@ -71,29 +72,12 @@ unset CPLUS_INCLUDE_PATH
 unset OBJC_INCLUDE_PATH
 unset OBJCPLUS_INCLUDE_PATH
 
-export LIBRARY_PATH="${NATIVE_GCC}/lib:${NATIVE_GCC}/lib64:${NATIVE_GCC_STATIC}/lib:${NATIVE_GCC_STATIC}/lib64"
+export LIBRARY_PATH="${NATIVE_GCC}/lib:${NATIVE_GCC_STATIC}/lib"
 export C_INCLUDE_PATH="${NATIVE_GCC}/include"
 export CPLUS_INCLUDE_PATH="${NATIVE_GCC}/include/c++:${NATIVE_GCC}/include"
 export OBJC_INCLUDE_PATH="${NATIVE_GCC}/include"
 export OBJCPLUS_INCLUDE_PATH="${NATIVE_GCC}/include/c++:${NATIVE_GCC}/include"
 
-prepend_to_search_env_var() {
-    export "${1}=${2}${!1:+:}${!1}"
-}
-
-case "$HOST" in
-    *darwin*)
-        # When targeting darwin, zlib is required by native_libdmg-hfsplus.
-        zlib_store_path=$(store_path "zlib")
-        zlib_static_store_path=$(store_path "zlib" static)
-
-        prepend_to_search_env_var LIBRARY_PATH "${zlib_static_store_path}/lib:${zlib_store_path}/lib"
-        prepend_to_search_env_var C_INCLUDE_PATH "${zlib_store_path}/include"
-        prepend_to_search_env_var CPLUS_INCLUDE_PATH "${zlib_store_path}/include"
-        prepend_to_search_env_var OBJC_INCLUDE_PATH "${zlib_store_path}/include"
-        prepend_to_search_env_var OBJCPLUS_INCLUDE_PATH "${zlib_store_path}/include"
-esac
-
 # Set environment variables to point the CROSS toolchain to the right
 # includes/libs for $HOST
 case "$HOST" in
@@ -326,8 +310,7 @@ mkdir -p "$DISTSRC"
             make deploydir ${V:+V=1}
             mkdir -p "unsigned-app-${HOST}"
             cp  --target-directory="unsigned-app-${HOST}" \
-                contrib/macdeploy/detached-sig-create.sh \
-                "${BASEPREFIX}/${HOST}"/native/bin/dmg
+                contrib/macdeploy/detached-sig-create.sh
             mv --target-directory="unsigned-app-${HOST}" dist
             (
                 cd "unsigned-app-${HOST}"

contrib/guix/libexec/codesign.sh

@@ -70,21 +70,19 @@ mkdir -p "$DISTSRC"
                 osslsigncode attach-signature \
                                  -in "$infile" \
                                  -out "${OUTDIR}/${infile_base/-unsigned}" \
+                                 -CAfile "$GUIX_ENVIRONMENT/etc/ssl/certs/ca-certificates.crt" \
                                  -sigin codesignatures/win/"$infile_base".pem
             done
             ;;
         *darwin*)
             # Apply detached codesignatures to dist/ (in-place)
             signapple apply dist/Dash-Qt.app codesignatures/osx/dist
 
-            # Make an uncompressed DMG from dist/
+            # Make a DMG from dist/
             xorrisofs -D -l -V "$(< osx_volname)" -no-pad -r -dir-mode 0755 \
-                      -o uncompressed.dmg \
+                      -o "${OUTDIR}/${DISTNAME}-${HOST}.dmg" \
                       dist \
                       -- -volume_date all_file_dates ="$SOURCE_DATE_EPOCH"
-
-            # Compress uncompressed.dmg and output to OUTDIR
-            ./dmg dmg uncompressed.dmg "${OUTDIR}/${DISTNAME}-${HOST}.dmg"
             ;;
         *)
             exit 1

contrib/guix/libexec/prelude.bash

@@ -51,7 +51,7 @@ fi
 time-machine() {
     # shellcheck disable=SC2086
     guix time-machine --url=https://git.savannah.gnu.org/git/guix.git \
-                      --commit=998eda3067c7d21e0d9bb3310d2f5a14b8f1c681 \
+                      --commit=160f78a4d92205df986ed9efcce7d3aac188cb24 \
                       --cores="$JOBS" \
                       --keep-failed \
                       --fallback \