Bitcoin 31.0

Due to laanwj's general delay in posting signatures these days, and in the
spirit of the signatures being posted with users allowed to choose who to trust
and to what thresholds, Serai now relies on a 2-of-3 scheme where:
- If the signatures are present, they must be valid
- At least two out of three acknowledged signers must be present
- The acknowledged signers are laanwj, fanquake, and achow101

For the new fingerprints, I derived them myself from the keys present in the
repository. I did find reference to fanquake's fingerprint in the example text
for verifying a download of Bitcoin, so that should be correct. For achow101, I
was able to find a Keybase proof stating the same fingerprint, and accordingly
should also be correct.

Also updated is the Foundry CI action and MacPorts (trivial).

Author: kayabaNerve

.github/actions/bitcoin/action.yml

@@ -5,7 +5,7 @@ inputs:
   version:
     description: "Version to download and run"
     required: false
-    default: "30.2"
+    default: "31.0"
 
 runs:
   using: "composite"

.github/actions/test-dependencies/action.yml

@@ -10,7 +10,7 @@ inputs:
   bitcoin-version:
     description: "Bitcoin version to download and run as a regtest node"
     required: false
-    default: "30.2"
+    default: "31.0"
 
 runs:
   using: "composite"
@@ -19,7 +19,7 @@ runs:
       uses: ./.github/actions/build-dependencies
 
     - name: Install Foundry
-      uses: foundry-rs/foundry-toolchain@8789b3e21e6c11b2697f5eb56eddae542f746c10 # 1.7.0
+      uses: foundry-rs/foundry-toolchain@c7450ba673e133f5ee30098b3b54f444d3a2ca2d # 1.8.0
       with:
         version: v1.5.1
         cache: false

.github/workflows/stack-size.yml

@@ -74,9 +74,9 @@ jobs:
             # macOS also has the benefit of packaging (via MacPorts) `mrsh`,
             # which explicitly attempts to be be exactly POSIX, without any extensions.
             # We first have to install MacPorts, the easiest method being from source.
-            curl -O https://distfiles.macports.org/MacPorts/MacPorts-2.12.4.tar.bz2
-            tar xf MacPorts-2.12.4.tar.bz2
-            cd MacPorts-2.12.4
+            curl -O https://distfiles.macports.org/MacPorts/MacPorts-2.12.5.tar.bz2
+            tar xf MacPorts-2.12.5.tar.bz2
+            cd MacPorts-2.12.5
             ./configure
             make
             sudo make install

orchestration/src/networks/bitcoin.rs

@@ -1,17 +1,15 @@
+use core::fmt::Write as _;
 use std::path::Path;
 
 use crate::{Network, Os, mimalloc, os, write_dockerfile};
 
 pub fn bitcoin(orchestration_path: &Path, network: Network) {
-  const VERSION: &str = "30.2";
+  const VERSION: &str = "31.0";
   let file = format!("bitcoin-{VERSION}-$(uname -m)-linux-gnu.tar.gz");
   let url = format!("https://bitcoincore.org/bin/bitcoin-core-{VERSION}");
 
-  // laanwj
-  const FINGERPRINT: &str = "71A3B16735405025D447E8F274810B012346C9A6";
-
   #[rustfmt::skip]
-  let download_bitcoin = format!(r#"
+  let mut download_bitcoin = format!(r#"
 FROM alpine:latest AS download
 
 RUN apk --no-cache add git
@@ -23,49 +21,126 @@ RUN wget {url}/{file}
 RUN tar -xf "{file}"
 RUN mv $(find . -name bitcoind) .
 
-# Download the hashes, signature from laanwj
+# Download the hashes, signatures
 RUN git clone --depth 1 https://github.com/bitcoin-core/guix.sigs
-RUN cp guix.sigs/{VERSION}/laanwj/all.SHA256SUMS SHA256SUMS
-RUN cp guix.sigs/{VERSION}/laanwj/all.SHA256SUMS.asc SHA256SUMS.asc
+"#);
 
+  let mut run_bitcoin_first = String::new();
+  let mut run_bitcoin_second = r#"
+RUN <<'EOF'
+  set -eux
+  COUNT=0
+"#
+  .to_owned();
+
+  let signers = [
+    ("laanwj", "71A3B16735405025D447E8F274810B012346C9A6"),
+    ("fanquake", "E777299FC265DD04793070EB944D35F9AC3DB76A"),
+    ("achow101", "152812300785C96444D3334D17565732E08E5E41"),
+  ];
+  for (username, fingerprint) in signers {
+    write!(
+      &mut download_bitcoin,
+      r#"
 # Verify `SHA256SUMS` with GnuPG
-FROM alpine:latest AS gnupg
+FROM alpine:latest AS gnupg-{username}
 RUN apk --no-cache add gnupg
 RUN mkdir ~/.gnupg # Prevent the default config of `use-keyboxd`
-COPY --from=download SHA256SUMS SHA256SUMS.asc /
-RUN gpg --keyserver hkps://keyserver.ubuntu.com --keyserver-options no-self-sigs-only --receive-keys {FINGERPRINT}
-RUN gpg --verify SHA256SUMS.asc SHA256SUMS
-RUN touch /tmp/done
+COPY --from=download guix.sigs /guix.sigs
+RUN <<'EOF'
+  set -eux
+  mkdir -p /tmp
+  if [ ! -d "/guix.sigs/{VERSION}/{username}" ]; then exit 0; fi
+
+  cp guix.sigs/{VERSION}/{username}/all.SHA256SUMS SHA256SUMS
+  cp guix.sigs/{VERSION}/{username}/all.SHA256SUMS.asc SHA256SUMS.asc
+  gpg --keyserver hkps://keyserver.ubuntu.com --keyserver-options no-self-sigs-only \
+    --receive-keys {fingerprint}
+  gpg --verify SHA256SUMS.asc SHA256SUMS
+  touch /tmp/gnupg-{username}
+EOF
 
 # Verify `SHA256SUMS` with Sequoia PGP
-FROM alpine:latest AS sequoia
+FROM alpine:latest AS sequoia-{username}
 RUN apk --no-cache add sequoia-sq
-COPY --from=download SHA256SUMS SHA256SUMS.asc /
-RUN sq network keyserver search --server hkps://keyserver.ubuntu.com {FINGERPRINT}
-RUN sq pki link add --cert {FINGERPRINT} --all
-RUN sq verify --signature-file SHA256SUMS.asc SHA256SUMS
-RUN touch /tmp/done
+COPY --from=download guix.sigs /guix.sigs
+RUN <<'EOF'
+  set -eux
+  mkdir -p /tmp
+  if [ ! -d "/guix.sigs/{VERSION}/{username}" ]; then exit 0; fi
+
+  cp guix.sigs/{VERSION}/{username}/all.SHA256SUMS SHA256SUMS
+  cp guix.sigs/{VERSION}/{username}/all.SHA256SUMS.asc SHA256SUMS.asc
+  sq network keyserver search --server hkps://keyserver.ubuntu.com {fingerprint}
+  sq pki link add --cert {fingerprint} --all
+  sq verify --signature-file SHA256SUMS.asc SHA256SUMS
+  touch /tmp/sequoia-{username}
+EOF
 
 # Verify the integrity of `bitcoin-*.tar.gz` with regards to the `SHA256SUMS` file
-FROM alpine:latest AS sha256sum
-COPY --from=download *.tar.gz SHA256SUMS /
-# Parse to just the hash for the one file we downloaded
-RUN echo $(grep "{file}" SHA256SUMS) > SHA256SUMS
-# Ensure we successfully grabbed the line in question
-RUN if [ $(wc -l SHA256SUMS) -ne 1 ]; then exit 1; fi
-RUN cat SHA256SUMS | sha256sum -c
-RUN touch /tmp/done
-"#);
+FROM alpine:latest AS sha256sum-{username}
+COPY --from=download *.tar.gz /
+COPY --from=download guix.sigs /guix.sigs
+RUN <<'EOF'
+  set -eux
+  mkdir -p /tmp
+  if [ ! -d "/guix.sigs/{VERSION}/{username}" ]; then exit 0; fi
+
+  cp guix.sigs/{VERSION}/{username}/all.SHA256SUMS SHA256SUMS
+  # Parse to just the hash for the one file we downloaded
+  echo $(grep "{file}" SHA256SUMS) > SHA256SUMS
+  # Ensure we successfully grabbed the line in question
+  if [ $(wc -l SHA256SUMS) -ne 1 ]; then exit 1; fi
+  cat SHA256SUMS | sha256sum -c
+  touch /tmp/sha256sum-{username}
+EOF
+"#
+    )
+    .unwrap();
+
+    write!(
+      &mut run_bitcoin_first,
+      r#"
+# Require successful executions of the verification steps
+RUN mkdir -p /tmp
+# Use a wildcard to allow for if the file doesn't exist
+COPY --chown=bitcoin --from=gnupg-{username} /tmp/*gnupg-{username} /tmp/
+COPY --chown=bitcoin --from=sequoia-{username} /tmp/*sequoia-{username} /tmp/
+COPY --chown=bitcoin --from=sha256sum-{username} /tmp/*sha256sum-{username} /tmp/
+"#
+    )
+    .unwrap();
+
+    write!(
+      &mut run_bitcoin_second,
+      r#"
+  if [ -f /tmp/gnupg-{username} ]; then
+    if [ ! -f /tmp/sequoia-{username} ]; then exit 1; fi
+    if [ ! -f /tmp/sha256sum-{username} ]; then exit 1; fi
+    COUNT=$(( $COUNT + 1 ))
+  fi
+"#
+    )
+    .unwrap();
+  }
+
+  write!(
+    &mut run_bitcoin_second,
+    r#"
+  if [ $COUNT -lt {} ]; then exit 1; fi
+  rm -rf /tmp/*
+EOF
+"#,
+    signers.len() - 1
+  )
+  .unwrap();
 
   let setup = mimalloc(Os::Alpine, true) + &download_bitcoin;
 
   let run_bitcoin = format!(
     r#"
-# Require successful executions of the verification steps
-COPY --from=sha256sum /tmp/done /tmp/done
-COPY --from=gnupg /tmp/done /tmp/done
-COPY --from=sequoia --chown=bitcoin /tmp/done /tmp/done
-RUN rm /tmp/done
+{run_bitcoin_first}
+{run_bitcoin_second}
 
 COPY --from=download --chown=bitcoin bitcoind /usr/bin