@@ -56,30 +56,22 @@ The `sha256sum` should be `c0c2e7bb92c1fee0c4e9f3a485e4530786732d6c6dd9e9f418c28
5656
5757## Deterministic macOS App Notes
5858
59- macOS Applications are created in Linux using a recent LLVM.
59+ macOS Applications are created on Linux using a recent LLVM.
6060
61- Apple uses ` clang ` extensively for development and has upstreamed the necessary
62- functionality so that a vanilla clang can take advantage. It supports the use of ` -F ` ,
63- ` -target ` , ` -mmacosx-version-min ` , and ` -isysroot ` , which are all necessary when
64- building for macOS.
61+ All builds must target an Apple SDK. These SDKs are free to download, but not redistributable.
62+ See the SDK Extraction notes above for how to obtain it.
6563
66- To complicate things further, all builds must target an Apple SDK. These SDKs are free to
67- download, but not redistributable. See the SDK Extraction notes above for how to obtain it .
64+ The Guix build process has been designed to avoid including the SDK's files in Guix's outputs.
65+ All interim tarballs are fully deterministic and may be freely redistributed .
6866
69- The Guix process builds 2 sets of files: Linux tools, then Apple binaries which are
70- created using these tools. The build process has been designed to avoid including the
71- SDK's files in Guix's outputs. All interim tarballs are fully deterministic and may be freely
72- redistributed.
73-
74- As of OS X 10.9 Mavericks, using an Apple-blessed key to sign binaries is a requirement in
75- order to satisfy the new Gatekeeper requirements. Because this private key cannot be
76- shared, we'll have to be a bit creative in order for the build process to remain somewhat
77- deterministic. Here's how it works:
67+ Using an Apple-blessed key to sign binaries is a requirement to produce (distributable) macOS
68+ binaries. Because this private key cannot be shared, we'll have to be a bit creative in order
69+ for the build process to remain somewhat deterministic. Here's how it works:
7870
7971- Builders use Guix to create an unsigned release. This outputs an unsigned ZIP which
80- users may choose to bless and run. It also outputs an unsigned app structure in the form
81- of a tarball.
72+ users may choose to bless, self-codesign, and run. It also outputs an unsigned app structure
73+ in the form of a tarball.
8274- The Apple keyholder uses this unsigned app to create a detached signature, using the
83- script that is also included there . Detached signatures are available from this [ repository] ( https://github.com/bitcoin-core/bitcoin-detached-sigs ) .
84- - Builders feed the unsigned app + detached signature back into Guix. It uses the
85- pre-built tools to recombine the pieces into a deterministic ZIP.
75+ included script . Detached signatures are available from this [ repository] ( https://github.com/bitcoin-core/bitcoin-detached-sigs ) .
76+ - Builders feed the unsigned app + detached signature back into Guix, which combines the
77+ pieces into a deterministic ZIP.
0 commit comments