How to build Groestlcoin Core with Guix

[jackielove4u]

The following were tested in Debian 10.2, some dependencies can be different in other distros.
If you have issues make sure:
     - HyperVM is enabled in bios (to enable 64bit in virtualbox)
     - Hyper V is uninstalled on Windows
     - Disable mcafee anti-virus, Malwarebytes and roquekiller
     - Disable sleep/hibernate mode on windows

Create a Debian VM as a building environment (it will be accessed via SSH) Follow the instructions at: https://github.com/Groestlcoin/docs/blob/master/gitian-building/gitian-building-create-vm-debian.md however use Debian 10.2 instead of Debian 8.
Also change memory to 10240MB and the File location and size: at least 80GB

(below as root) Note: When sudo asks for a password, enter the password for the user gitianuser not for root
ssh root@localhost -p 22222
sudo -s
sudo apt-get install git ruby apt-cacher-ng qemu-utils lxc python-cheetah parted kpartx bridge-utils make ubuntu-archive-keyring curl firewalld -y
echo '#!/bin/sh -e' > /etc/rc.local
echo 'brctl addbr br0' >> /etc/rc.local
echo 'ip addr add 10.0.3.1/24 broadcast 10.0.3.255 dev br0' >> /etc/rc.local
echo 'ip link set br0 up' >> /etc/rc.local
echo 'firewall-cmd --zone=trusted --add-interface=br0' >> /etc/rc.local
echo 'exit 0' >> /etc/rc.local
chmod +x /etc/rc.local

cd /tmp
wget https://git.savannah.gnu.org/cgit/guix.git/plain/etc/guix-install.sh
chmod +x guix-install.sh
./guix-install.sh
reboot

(below as gitianuser) Note: When sudo asks for a password, enter the password for the user gitianuser not for root
ssh gitianuser@localhost -p 22222
#Export your key (or export private key on Kleopatra):
gpg --export-secret-keys $ID > my-private-key.asc
# Copy the key to the VM. To copy the exported secret-keys you can use SFTP client on portnumber 22222
#To import the key, run:
gpg --import my-private-key.asc.
#Setup a passphrase for the secret key when asked
gpg --edit-key $ID
passwd #Enter existing passphrase then press enter twice and consider the warnings from the tool and its implications before proceeding.
quit

#Install osslsigncode to sign windows binaries
sudo apt-get -y install osslsigncode

#Export code signing certificate from PFX to PEM format without bag attributes
#And update https://github.com/Groestlcoin/groestlcoin/blob/master/contrib/windeploy/win-codesign.cert if needed
openssl pkcs12 -in groestlcoin_developers_llc.p12 -nokeys -chain | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > win-codesign.cert

#Export code signing private key from PFX to PEM format without bag attributes
openssl pkcs12 -in groestlcoin_developers_llc.p12 -nocerts -nodes | sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' > groestlcoin_developers_llc.pem

#Install signapple
sudo apt-get install python3-setuptools python3-pip
git clone https://github.com/achow101/signapple/
cd signapple
sudo pip3 install -e .
sudo python3 setup.py install

#Replace SIGNER with your signing name
export SIGNER="jackielove4u"
# enter the branch name below.
export VERSION=27.0.0
# enter the version name below.
export FORCE_VERSION=27.0

git clone https://github.com/groestlcoin/guix.sigs.git
git clone https://github.com/groestlcoin/groestlcoin-detached-sigs.git
git clone https://github.com/groestlcoin/groestlcoin.git && cd groestlcoin
git checkout $VERSION

export GUIX_SIGS_REPO="/home/gitianuser/guix.sigs"
export DETACHED_SIGS_REPO="/home/gitianuser/groestlcoin-detached-sigs"

# Create input folder
mkdir -p depends/SDKs && cd depends/SDKs
#Fetch Xcode-15.0-15A240d-extracted-SDK-with-libcxx-headers.tar.gz
wget --no-check-certificate https://bitcoincore.org/depends-sources/sdks/Xcode-15.0-15A240d-extracted-SDK-with-libcxx-headers.tar.gz
#Extract tarball
tar -xaf Xcode-15.0-15A240d-extracted-SDK-with-libcxx-headers.tar.gz
#Return to build directory
cd ../..

sudo sysctl -w kernel.unprivileged_userns_clone=1

#This command will build Groestlcoin Core for all platforms. First time it will take 1 or 2 full days, after first run it will take couple of hours. Make sure to close Malwarebytes otherwise it will fail (Malwarebytes blocks bitcoin-core.org URL)
./contrib/guix/guix-build

#This command will attest Groestlcoin Core non-codesigned for all platforms.
./contrib/guix/guix-attest

#Update signapple with every guix build
cd signapple
git pull
sudo pip3 install -e .
sudo python3 setup.py install

#Sign osx binaries
#If new macOS codesigner has been appointed then: To use the code signing certificate with signapple, the Developer ID Application Certificate must be exported. The Developer ID Application Certificate should be accessible through the Keychain Access app.
#Find Developer ID Application Certificate, Control click (or right click) it, and choose the option to export the certificate. Export the certificate as core-installer.p12 (Personal Information Exchange file aka .p12 extension) and move it to the guix host.
cd ~/groestlcoin/guix-build-$FORCE_VERSION/output/x86_64-apple-darwin
tar xf groestlcoin-$FORCE_VERSION-x86_64-apple-darwin-unsigned.tar.gz
./detached-sig-create.sh "/home/gitianuser/core-installer.p12"
cd ~/groestlcoin/guix-build-$FORCE_VERSION/output/arm64-apple-darwin
tar xf groestlcoin-$FORCE_VERSION-arm64-apple-darwin-unsigned.tar.gz
./detached-sig-create.sh "/home/gitianuser/core-installer.p12"

#Sign windows binaries
# Make sure the p12 certificate has been converted to a pem file
cd ~/groestlcoin/guix-build-$FORCE_VERSION/output/x86_64-w64-mingw32
tar xf groestlcoin-$FORCE_VERSION-win64-unsigned.tar.gz
./detached-sig-create.sh -key "/home/gitianuser/groestlcoin_developers_llc.pem"

#Push signatures to groestlcoin-detached-sigs
cd ~/groestlcoin/guix-build-$FORCE_VERSION/output/x86_64-apple-darwin && tar xf signature-osx-x86_64.tar.gz
cd ~/groestlcoin/guix-build-$FORCE_VERSION/output/arm64-apple-darwin && tar xf signature-osx-arm64.tar.gz
cd ~/groestlcoin/guix-build-$FORCE_VERSION/output/x86_64-w64-mingw32 && tar xf signature-win.tar.gz
#create new branch on https://github.com/Groestlcoin/groestlcoin-detached-sigs/ with v$FORCE_VERSION naming
#push the extracted folder to https://github.com/Groestlcoin/groestlcoin-detached-sigs/ v$FORCE_VERSION branch
#tag it with v$FORCE_VERSION

#Sign binaries
cd $DETACHED_SIGS_REPO
git pull
git checkout $FORCE_VERSION
cd ~
cd groestlcoin
#For 23.0 and higher use:
export HOSTS="arm64-apple-darwin x86_64-apple-darwin x86_64-w64-mingw32"
./contrib/guix/guix-codesign

#This command will attest Groestlcoin Core codesigned for all platforms.
./contrib/guix/guix-attest

#Create SHA256SUMS and SHA256SUMS.asc and put them in the $FORCE_VERSION folder
cd ~/guix.sigs
mkdir /home/gitianuser/$FORCE_VERSION
#Combine the all.SHA256SUMS.asc file from all signers into SHA256SUMS.asc (only needed if there are more than 1 signers):
cat "$FORCE_VERSION"/*/all.SHA256SUMS.asc > SHA256SUMS.asc
cp "$FORCE_VERSION"/*/all.* /home/gitianuser/$FORCE_VERSION
cd /home/gitianuser/$FORCE_VERSION
mv all.SHA256SUMS SHA256SUMS
mv all.SHA256SUMS.asc SHA256SUMS.asc

#Create SHA256SUMS.ots
Drop the SHA256SUMS file on https://opentimestamps.org/

#Copy the release files to the $FORCE_VERSION folder
find ~/groestlcoin/guix-build-${FORCE_VERSION}/output/ -maxdepth 2 -type f -not -name "SHA256SUMS.part" -and -not -name "*debug*" -and -not -name "*sig*" -and -not -name "*volname*" -exec cp {} /home/gitianuser/$FORCE_VERSION \;

#Copy the release files, SHA256SUMS andSHA256SUMS.asc
#Alternatively you can use SFTP client like WINSCP and connect to localhost with portnumber 22222 and copy the created tarballs from  /home/gitianuser/$FORCE_VERSION
scp -P 22222 -r /home/gitianuser/$FORCE_VERSION [email protected]:~/Desktop/

#Cleaning intermediate work directories
./contrib/guix/guix-clean

# remove unused software from /gnu/store.
guix gc

commit new created folders on /home/gitianuser/guix.sigs/$FORCE_VERSION to https://github.com/Groestlcoin/guix.sigs