Merge #6895: ci: merge bitcoin#24585, bitcoin#25549, bitcoin#26834, bitcoin#26773, bitcoin#30989, bitcoin#32498, bitcoin#32439, bitcoin#32678, bitcoin#33073, update channels, substitution servers, fix guix-check

18d9966 ci: make `guix-check` print out the set of hashes compared against (Kittywhiskers Van Gogh)
90f2581 ci: add mirrors to Bordeaux substitution server (Kittywhiskers Van Gogh)
0ae477b ci: add `berlin.guix.gnu.org` to substitute URLs list (Kittywhiskers Van Gogh)
4891135 ci: ensure that Codeberg is used as the `guix` channel (Kittywhiskers Van Gogh)
24b390d merge bitcoin#33073: warn SOURCE_DATE_EPOCH set in guix-codesign (Kittywhiskers Van Gogh)
f976956 merge bitcoin#32678: warn and abort when SOURCE_DATE_EPOCH is set (Kittywhiskers Van Gogh)
2e0b209 merge bitcoin#32439: accomodate migration to codeberg (Kittywhiskers Van Gogh)
a2d0e4a merge bitcoin#32498: remove Carls substitute server from Guix docs (Kittywhiskers Van Gogh)
2e0e44a merge bitcoin#30989: Drop no longer needed PATH modification (Kittywhiskers Van Gogh)
2d2f220 merge bitcoin#26773: FreeBSD build doc updates to reflect removal of install_db4.sh (Kittywhiskers Van Gogh)
12e04f5 merge bitcoin#26834: remove install_db4.sh (Kittywhiskers Van Gogh)
f3f2fd3 doc: update disclaimer in `build-netbsd.md` (Kittywhiskers Van Gogh)
2ca9984 merge bitcoin#24585: mention that BDB is for the legacy wallet in build-osx.md (Kittywhiskers Van Gogh)
080d4b2 docs: remove extra Berkeley DB fragment in `build-osx.md` (Kittywhiskers Van Gogh)

Pull request description:

  ## Motivation

  Annoyances from trying to build rc1 and rc2 using our Guix container ([source](https://github.com/dashpay/dash/blob/f170aed19ec399ea68ddf003a39e22be7c5d6e8e/contrib/containers/guix/Dockerfile)).

  ## Additional Information

  * Guix has migrated their service provider to Codeberg and have published a timeline for sunsetting the existing `git.savannah.gnu.org` channel ([blog](https://guix.gnu.org/en/blog/2025/migrating-to-codeberg/)). This requires updating our scripts and on the upstream side this was achieved with [bitcoin#32439](bitcoin#32439) but requires additional changes on our end as well.

    * As we rely on Ubuntu's distribution of Guix and staleness is a known problem (Debian no longer ships Guix with `trixie` and have flagged the `guix` package as subject to removal, [source](https://lwn.net/Articles/1035491/)), we need to set Codeberg as the channel source ourselves.

  * `install_db4.sh` was dropped via [bitcoin#26834](bitcoin#26834) as [bitcoin#26833](bitcoin#26833) was backported (see [dash#6735](#6735)) and the script points to the old  `git.savannah.gnu.org` for sources.

  * Due to our run-in with nondeterminism in rc1, this pull request also includes backports to deal with some other potential sources of nondeterminism. As we're updating sources, a documentation update removing a no longer available substitution source has also been backported.

  * Both official Guix substitution servers are located in Europe (i.e. France and Germany), which makes the time and bandwidth intensive fetch that is inherent with a container with no persistence painfully slow for those located quite away from Europe, so, alongside addition of the German substitution server (`berlin.guix.gnu.org`), mirrors have been added to cover North America (US East) and Asia-Pacific (Singapore).

    * The mirrors have been sourced from LibrePlanet ([source](https://libreplanet.org/wiki/Group:Guix/Mirrors)) and per their documentation, substitutes from mirrors are signed by the builder they are mirroring, not the mirror itself and as this PR only authorises Guix's official mirrors (see below), tampering risk should be mitigated.

       https://github.com/dashpay/dash/blob/1ca2db9402bcf7e7352f4ee722882893d94ed856/contrib/containers/guix/Dockerfile#L55-L57

  * Another annoyance, `guix-check` so far used an ad-hoc method of generating checksums that cannot be (trivially) diffed against the attested checksums provided at [`dashpay/guix.sigs`](https://github.com/dashpay/guix.sigs), by leveraging `guix-attest`'s ability to generate checksums even without a signer, we can produce the exact output an attestor would without needing to be one ([source](https://github.com/dashpay/dash/blob/f170aed19ec399ea68ddf003a39e22be7c5d6e8e/contrib/guix/guix-attest#L101-L104)).

  ## Breaking Changes

  None.

  ## Checklist

  - [x] I have performed a self-review of my own code
  - [x] I have commented my code, particularly in hard-to-understand areas
  - [x] I have added or updated relevant unit/integration/functional/e2e tests **(note: N/A)**
  - [x] I have made corresponding changes to the documentation
  - [x] I have assigned this pull request to a milestone _(for repository code-owners and collaborators only)_

ACKs for top commit:
  UdjinM6:
    ACK 18d9966

Tree-SHA512: 9964b957aacd85b7e193c3019656ea70b8987031bb6ed6189c5933b24f47346fff01a4e37ac23314f802a2084e96a91443e309d5b7b83c79940a5d3202134be2

Author: PastaPastaPasta

Makefile.am

@@ -41,7 +41,6 @@ OSX_PLIST=$(top_builddir)/share/qt/Info.plist #not installed
 
 DIST_CONTRIB = \
            $(top_srcdir)/contrib/debian/copyright \
-           $(top_srcdir)/contrib/install_db4.sh \
            $(top_srcdir)/test/sanitizer_suppressions/lsan \
            $(top_srcdir)/test/sanitizer_suppressions/tsan \
            $(top_srcdir)/test/sanitizer_suppressions/ubsan \

contrib/containers/guix/Dockerfile

@@ -52,8 +52,9 @@ RUN guix_file_name=guix-binary-${guix_version}.$(uname -m)-linux.tar.xz
 
 RUN touch /etc/nsswitch.conf
 
-RUN guix archive --authorize < /usr/local/guix/current/share/guix/ci.guix.gnu.org.pub && \
-    guix archive --authorize < /usr/local/guix/current/share/guix/bordeaux.guix.gnu.org.pub
+RUN guix archive --authorize < /usr/local/guix/current/share/guix/berlin.guix.gnu.org.pub && \
+    guix archive --authorize < /usr/local/guix/current/share/guix/bordeaux.guix.gnu.org.pub && \
+    guix archive --authorize < /usr/local/guix/current/share/guix/ci.guix.gnu.org.pub
 
 # Build Environment Setup
 # https://guix.gnu.org/manual/en/html_node/Build-Environment-Setup.html
@@ -73,6 +74,9 @@ RUN groupmod -g ${GROUP_ID} ubuntu; \
     echo '%sudo ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
 
 # Copy required files to container
+COPY --chown=${USER_ID}:${GROUP_ID} \
+     --chmod=u=rwX,go=rX \
+     --from=docker_root ./channels.scm         /home/ubuntu/.config/guix/channels.scm
 COPY --from=docker_root ./motd.txt             /etc/motd
 COPY --from=docker_root ./scripts/entrypoint   /usr/local/bin/entrypoint
 COPY --from=docker_root ./scripts/guix-check   /usr/local/bin/guix-check

contrib/containers/guix/channels.scm

@@ -0,0 +1,11 @@
+(list (channel
+        (name 'guix)
+        (url "https://codeberg.org/guix/guix")
+        (branch "master")
+        (commit
+          "56344729cd07c76d5133047f2866237bbb08dced")
+        (introduction
+          (make-channel-introduction
+            "9edb3f66fd807b096b48283debdcddccfea34bad"
+            (openpgp-fingerprint
+              "2A39 3FFF 68F4 EF7A 3D29  12AF 6F51 20A0 22FB B2D5")))))

contrib/containers/guix/scripts/entrypoint

@@ -5,10 +5,21 @@ set -eo pipefail
 # Read instructions
 cat /etc/motd
 
+SERVERS=(
+  # Official substitution servers
+  https://berlin.guix.gnu.org
+  https://bordeaux.guix.gnu.org
+  https://ci.guix.gnu.org
+
+  # Mirrors of Bordeaux substitution server
+  https://bordeaux-singapore-mirror.cbaines.net
+  https://bordeaux-us-east-mirror.cbaines.net
+  https://hydra-guix-129.guix.gnu.org
+)
+
 # Start the Guix daemon
-sudo env PATH=${PATH} guix-daemon \
-  --build-users-group='guixbuild' \
-  --substitute-urls='https://bordeaux.guix.gnu.org https://ci.guix.gnu.org' < /dev/null 2>&1 |
+sudo env PATH=${PATH} \
+  guix-daemon --build-users-group='guixbuild' --substitute-urls="$(IFS=' '; echo "${SERVERS[*]}")" < /dev/null 2>&1 |
   sudo tee /var/log/guix.log > /dev/null &
 
 # Hand over control

contrib/containers/guix/scripts/guix-check

@@ -13,13 +13,9 @@ cd "$WORKSPACE_PATH"
 
 source "contrib/guix/libexec/prelude.bash"
 
-printf "\nBinaries:\n\n"
-( \
-SRC_PATH_PREFIX="${VERSION_BASE}/distsrc-" && \
-sha256sum ${SRC_PATH_PREFIX}*/src/dash{d,-cli,-tx,-wallet}{,.exe} && \
-sha256sum ${SRC_PATH_PREFIX}*/src/qt/dash-qt{,.exe} && \
-sha256sum ${SRC_PATH_PREFIX}*/src/test/test_dash{,.exe} \
-) | sort -k 2
-
-printf "\nArchives:\n\n"
-find "${OUTDIR_BASE}" -type f | grep -v SHA256 | xargs sha256sum | sort -k 2
+GUIX_SIGS_REPO="$(mktemp -d)"
+trap 'rm -rf -- "$GUIX_SIGS_REPO"' EXIT
+SIGNER=dummy
+env GUIX_SIGS_REPO="${GUIX_SIGS_REPO}" NO_SIGN=1 SIGNER=${SIGNER} ./contrib/guix/guix-attest
+SHASUM_LOC="${GUIX_SIGS_REPO}/${VERSION}/${SIGNER}"
+cat "${SHASUM_LOC}/all.sha256sums" 2>/dev/null || cat "${SHASUM_LOC}/noncodesigned.SHA256SUMS"

contrib/guix/INSTALL.md

@@ -319,7 +319,7 @@ Source: https://logs.guix.gnu.org/guix/2020-11-12.log#232527
 Start by cloning Guix:
 
 ```
-git clone https://git.savannah.gnu.org/git/guix.git
+git clone https://codeberg.org/guix/guix.git
 cd guix
 ```
 
@@ -607,7 +607,7 @@ checklist.
    ```
    Generation 38   Feb 22 2021 16:39:31    (current)
      guix f350df4
-       repository URL: https://git.savannah.gnu.org/git/guix.git
+       repository URL: https://codeberg.org/guix/guix.git
        branch: version-1.2.0
        commit: f350df405fbcd5b9e27e6b6aa500da7f101f41e7
    ```
@@ -760,8 +760,8 @@ Please see the following links for more details:
 
 - An upstream coreutils bug has been filed: [debbugs#47940](https://debbugs.gnu.org/cgi/bugreport.cgi?bug=47940)
 - A Guix bug detailing the underlying problem has been filed: [guix-issues#47935](https://issues.guix.gnu.org/47935), [guix-issues#49985](https://issues.guix.gnu.org/49985#5)
-- A commit to skip this test in Guix has been merged into the core-updates branch:
-[savannah/guix@6ba1058](https://git.savannah.gnu.org/cgit/guix.git/commit/?id=6ba1058df0c4ce5611c2367531ae5c3cdc729ab4)
+- A commit to skip this test is included since Guix 1.4.0:
+[codeberg/guix@6ba1058](https://codeberg.org/guix/guix/commit/6ba1058df0c4ce5611c2367531ae5c3cdc729ab4)
 
 
 [install-script]: #options-1-and-2-using-the-official-shell-installer-script-or-binary-tarball

contrib/guix/README.md

@@ -364,12 +364,6 @@ Where `<PREFIX>` is likely:
 - `/usr/local` if you installed Guix from source and didn't supply any
   prefix-modifying flags to Guix's `./configure`
 
-For dongcarl's substitute server at https://guix.carldong.io, run as root:
-
-```sh
-wget -qO- 'https://guix.carldong.io/signing-key.pub' | guix archive --authorize
-```
-
 #### Removing authorized keys
 
 To remove previously authorized keys, simply edit `/etc/guix/acl` and remove the
@@ -381,28 +375,28 @@ Once its key is authorized, the official Guix build farm at
 https://ci.guix.gnu.org is automatically used unless the `--no-substitutes` flag
 is supplied. This default list of substitute servers is overridable both on a
 `guix-daemon` level and when you invoke `guix` commands. See examples below for
-the various ways of adding dongcarl's substitute server after having [authorized
-his signing key](#step-1-authorize-the-signing-keys).
+the various ways of adding a substitute server after having [authorized
+its signing key](#step-1-authorize-the-signing-keys).
 
 Change the **default list** of substitute servers by starting `guix-daemon` with
 the `--substitute-urls` option (you will likely need to edit your init script):
 
 ```sh
-guix-daemon <cmd> --substitute-urls='https://guix.carldong.io https://ci.guix.gnu.org'
+guix-daemon <cmd> --substitute-urls='https://bordeaux.guix.gnu.org https://ci.guix.gnu.org'
 ```
 
 Override the default list of substitute servers by passing the
 `--substitute-urls` option for invocations of `guix` commands:
 
 ```sh
-guix <cmd> --substitute-urls='https://guix.carldong.io https://ci.guix.gnu.org'
+guix <cmd> --substitute-urls='https://bordeaux.guix.gnu.org https://ci.guix.gnu.org'
 ```
 
 For scripts under `./contrib/guix`, set the `SUBSTITUTE_URLS` environment
 variable:
 
 ```sh
-export SUBSTITUTE_URLS='https://guix.carldong.io https://ci.guix.gnu.org'
+export SUBSTITUTE_URLS='https://bordeaux.guix.gnu.org https://ci.guix.gnu.org'
 ```
 
 ## Option 2: Disabling substitutes on an ad-hoc basis

contrib/guix/guix-build

@@ -69,6 +69,12 @@ fi
 
 mkdir -p "$VERSION_BASE"
 
+################
+# SOURCE_DATE_EPOCH should not unintentionally be set
+################
+
+check_source_date_epoch
+
 ################
 # Build directories should not exist
 ################

contrib/guix/guix-codesign

@@ -67,6 +67,12 @@ EOF
 exit 1
 fi
 
+################
+# SOURCE_DATE_EPOCH should not unintentionally be set
+################
+
+check_source_date_epoch
+
 ################
 # The codesignature git worktree should not be dirty
 ################

contrib/guix/libexec/build.sh

@@ -238,8 +238,6 @@ case "$HOST" in
     *mingw*)  HOST_LDFLAGS="-Wl,--no-insert-timestamp" ;;
 esac
 
-# Make $HOST-specific native binaries from depends available in $PATH
-export PATH="${BASEPREFIX}/${HOST}/native/bin:${PATH}"
 mkdir -p "$DISTSRC"
 (
     cd "$DISTSRC"