backport: v20.0.4 backports and release #5810
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
## Issue being fixed or feature implemented We had this in Gitian https://github.com/dashpay/dash/blob/master/contrib/gitian-descriptors/gitian-win.yml#L38. We also had it for macos https://github.com/dashpay/dash/blob/master/contrib/gitian-descriptors/gitian-osx.yml#L42 but it looks like it's no longer an issue there (or at least I did not see anyone complaining about it). ## What was done? tweak `CONFIGFLAGS` for `mingw` host ## How Has This Been Tested? n/a ## Breaking Changes n/a ## Checklist: - [x] I have performed a self-review of my own code - [ ] I have commented my code, particularly in hard-to-understand areas - [ ] I have added or updated relevant unit/integration/functional/e2e tests - [ ] I have made corresponding changes to the documentation - [x] I have assigned this pull request to a milestone _(for repository code-owners and collaborators only)_
…dashpay#5800) ## Issue being fixed or feature implemented Asset Unlock tx uses platform's quorum on devnets, testnet, mainnet, but still quorum type "Test (100)" on Reg Tests That's part II PR, prior work is here: dashpay#5618 ## What was done? - Removed `consensus.llmqTypeAssetLocks` which has been kept only for RegTest - use `consensus.llmqTypePlatform` instead. - Functional test `feature_asset_locks.py` uses `llmq_type_test = 106` instead `llmq_type_test = 100` for asset unlock tx - there's 4 MNs + 3 evo nodes instead 3 MNs as before: evo nodes requires to have IS to be active ## How Has This Been Tested? Run unit/functional tests ## Breaking Changes Asset Unlock tx uses correct quorum "106 llmq_test_platform" on reg test instead "100 llmq_test" ## Checklist: - [x] I have performed a self-review of my own code - [x] I have commented my code, particularly in hard-to-understand areas - [x] I have added or updated relevant unit/integration/functional/e2e tests - [ ] I have made corresponding changes to the documentation - [x] I have assigned this pull request to a milestone
## Issue being fixed or feature implemented we should not vote on triggers from the past ## What was done? ## How Has This Been Tested? n/a ## Breaking Changes n/a ## Checklist: - [x] I have performed a self-review of my own code - [ ] I have commented my code, particularly in hard-to-understand areas - [ ] I have added or updated relevant unit/integration/functional/e2e tests - [ ] I have made corresponding changes to the documentation - [x] I have assigned this pull request to a milestone _(for repository code-owners and collaborators only)_
knst
requested review from
UdjinM6,
thephez and
PastaPastaPasta
and removed request for
UdjinM6
|
Guix Automation has began to build this PR tagged as v20.0.4-devpr5810.8bbace1d. A new comment will be made when the image is pushed. |
|
We merge this first into v20.x, not master |
thephez
reviewed
Jan 10, 2024
chore: update builder keys for pasta, udjin
|
Guix Automation has completed; a release should be present here: https://github.com/dashpay/dash-dev-branches/releases/tag/v20.0.4-devpr5810.8bbace1d. The image should be on dockerhub soon. |
|
Guix Automation has began to build this PR tagged as v20.0.4-devpr5810.2d54513e. A new comment will be made when the image is pushed. |
|
Guix Automation has completed; a release should be present here: https://github.com/dashpay/dash-dev-branches/releases/tag/v20.0.4-devpr5810.2d54513e. The image should be on dockerhub soon. |
…y#5811) ## What was done? drop version from README.md which is not really useful. And we will care about one less thing during each release ## Breaking Changes N/A ## Checklist: - [x] I have performed a self-review of my own code - [ ] I have commented my code, particularly in hard-to-understand areas - [ ] I have added or updated relevant unit/integration/functional/e2e tests - [ ] I have made corresponding changes to the documentation - [x] I have assigned this pull request to a milestone
dashpay#5814) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ## Issue being fixed or feature implemented Implement a new code-singing certificate for windows. Previously we used a certificate issued by DigiCert, however that certificate recently expired. A renewed certificate would cost roughly $200/year at the cheapest CAs and $370/year with DigiCert. EV certificates are relatively novel types of certificates that start out with positive reputation, reducing smart screen popups for users. EV certificates start at $270/year. As a result we had (/have) 4 options: 1. Get a new code signing certificate from a trusted CA - - Pro: Certificate gains reputation over time in smart screen and binaries are signed - - Pro: Shows "Verified Publisher" and "Dash Core Group Inc" on install - - Con: Costs, feels manipulative to pay at least $600 simply for someone to sign a certificate 2. Get a new EV code signing certificate - - Pro: Certificate starts with good reputation and gains reputation over time - - Con: Even greater costs for a signature that says that we are from Dash Core Group 3. Continue signing with the expired certificate - - Con: This is, it has been discovered, a terrible idea and these binaries are treated worse than unsigned binaries 4. Deliver unsigned windows binaries - - Pro: Binary will gain reputation over time as users download it - - Pro: Easy, is what it says on the tin - - Con: Binaries are completely unsigned, could be tampering or corruption issues that go undetected - - Con: Will visibly state "Unknown Publisher" 5. Deliver self-signed windows binaries - - Pro: Binary will gain reputation over time as users download it - - Pro: *Possibility* that certificate will gain reputation over time as users download binaries signed by it. It may also be that only certificates issued by a CA will gain reputation over time. - - Pro: Binaries are still signed - - Pro: Users have the option to import certificate into keychain to remove "Unknown Publisher" - - Pro: In limited testing, install is sometimes is treated better than unsigned, otherwise is treated the same - - Con: may appear sketchy, as Root CA is not a trusted Root CA - - Con: will display "Unknown Publisher" to most users - - Con: greater potential uncertainty around future changes to treatment of self signing systems Based on the above discussion and testing, the best route currently is option 5; that is what this PR implements. In the future it may make sense to move towards a codesigning certificate issued by a trusted CA. The root certificate authority has the following information  with a sha256 fingerprint of `46 84 FF 27 11 D7 C8 C5 BB FA D1 55 41 B3 F0 43 77 97 AC 67 4C 32 19 AE B4 E7 15 11 1F BB 42 A0` The code signing certificate is issued by the root CA, has a common name of "Dash Core Windows Signing" and a sha256 fingerprint of `1A 09 54 6E D3 81 E9 FC AD 62 44 32 35 40 39 FF 5F A7 30 0E 5E 03 C4 E0 96 5A 62 AA 19 2B 79 EE`. This certificate is only authorized for the purpose of code signing. ## What was done? ## How Has This Been Tested? Multiple users installing binaries of type 1,3,4 and 5. ## Breaking Changes This new windows signing certificate should be documented in the release notes. ## Checklist: _Go over all the following points, and put an `x` in all the boxes that apply._ - - [x] I have performed a self-review of my own code - - [ ] I have commented my code, particularly in hard-to-understand areas - - [ ] I have added or updated relevant unit/integration/functional/e2e tests - - [ ] I have made corresponding changes to the documentation - - [x] I have assigned this pull request to a milestone _(for repository code-owners and collaborators only)_ -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEKVkDYuyHioH9PCArUlJ77avoeYQFAmWfAbUACgkQUlJ77avo eYTSCBAAuDEoWABdonIMs/4RaYP+DGTULltRu9CHBAqYuksXrl/4iV0r17DPSWWW L/5vLNAUTI47Tsa7R45ZPb0hR8VPMBkvxTQipKBYK7vZpwefcR4VOprEBJJ0Bl3g ZHtAVjZbcANEIAW3SlaiOgWbxWGKfDyM7gN3aNfoidMFBefbcYKEttuAGCnktWRI Y3eLMGPCpxOVB0O1nLU+pzwixAWXOeVChiK31ecFfQrF3JmUc12yiFUI+OJTogg4 0G2GMIQYHiVwclj8hSWT/yZfjcyxXdLYqkmH4Nr5mye39hRI2aUQEkmkYOy8pjcB ykKLg8JpUg/zg6GSuS6mFJnd5NHq5iSBxSRHPfR8xij1xFpmdgAaNCw4/6j9PEXB l8cfuJ7hgX3yX09L4p2E4t7MYpM8igaenAIWAK37hmKs1WADBmaj/nf6ThKhjvzI 2GR0FOzm6Is36KYvdUQJDE0g70g31SvGy+qjlcK49MtX6BvecYt+dg8AaNZ5FIn7 d1kFI4NXM6JX2WdiHMenz5d+oFYRS/P1sXjQ1wtl9HSkiZQQkEBbgiWXfh+EXjpW fNc8cej2LLCNZlhVcpffF8UaINsMTZVQsEGWGInjSi5eCs/YNrqL8XDdC/8mmZCu cNvp0QBtQ+4lpbUSdhFUdgic0MRCsdeHuYIBfvPJN9tl8McbknA= =kL6E -----END PGP SIGNATURE-----
knst
force-pushed
the
v20.0.4_release
branch
2 times, most recently
from
78c0819 to
02f82fd
Compare
UdjinM6
reviewed
Jan 11, 2024
knst
force-pushed
the
v20.0.4_release
branch
2 times, most recently
from
836f366 to
281da59
Compare
PastaPastaPasta
previously approved these changes
Jan 11, 2024
thephez
approved these changes
Jan 11, 2024
PastaPastaPasta
approved these changes
Jan 12, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What was done?
Backports, release notes, version bump
Breaking Changes
N/A
Checklist: