Merge bitcoin/bitcoin#32766: [28.x] Finalize 28.2

7135d7536c docs: Release notes for 28.2 (Ava Chow)
90f78c74a0 docs: Regenerate manpages for 28.2 (Ava Chow)
3cd4fdb008 build: Bump to 28.2 (Ava Chow)

Pull request description:

  Version bump for 28.2 final

ACKs for top commit:
  theStack:
    ACK 7135d7536c
  fanquake:
    ACK 7135d7536c

Tree-SHA512: 30ae17b4db16d13fcc99fa47f3927e38b337af19cb10fd64823100794d9d1333292449eedd2011aa59c8adad83c049752f04d143766f170dca24353717405055

configure.ac

@@ -2,7 +2,7 @@ AC_PREREQ([2.69])
 define(_CLIENT_VERSION_MAJOR, 28)
 define(_CLIENT_VERSION_MINOR, 2)
 define(_CLIENT_VERSION_BUILD, 0)
-define(_CLIENT_VERSION_RC, 1)
+define(_CLIENT_VERSION_RC, 0)
 define(_CLIENT_VERSION_IS_RELEASE, true)
 define(_COPYRIGHT_YEAR, 2025)
 define(_COPYRIGHT_HOLDERS,[The %s developers])

contrib/guix/INSTALL.md

@@ -319,7 +319,7 @@ Source: https://logs.guix.gnu.org/guix/2020-11-12.log#232527
 Start by cloning Guix:
 
 ```
-git clone https://git.savannah.gnu.org/git/guix.git
+git clone https://codeberg.org/guix/guix.git
 cd guix
 ```
 
@@ -607,7 +607,7 @@ checklist.
    ```
    Generation 38   Feb 22 2021 16:39:31    (current)
      guix f350df4
-       repository URL: https://git.savannah.gnu.org/git/guix.git
+       repository URL: https://codeberg.org/guix/guix.git
        branch: version-1.2.0
        commit: f350df405fbcd5b9e27e6b6aa500da7f101f41e7
    ```
@@ -760,8 +760,8 @@ Please see the following links for more details:
 
 - An upstream coreutils bug has been filed: [debbugs#47940](https://debbugs.gnu.org/cgi/bugreport.cgi?bug=47940)
 - A Guix bug detailing the underlying problem has been filed: [guix-issues#47935](https://issues.guix.gnu.org/47935), [guix-issues#49985](https://issues.guix.gnu.org/49985#5)
-- A commit to skip this test in Guix has been merged into the core-updates branch:
-[savannah/guix@6ba1058](https://git.savannah.gnu.org/cgit/guix.git/commit/?id=6ba1058df0c4ce5611c2367531ae5c3cdc729ab4)
+- A commit to skip this test is included since Guix 1.4.0:
+[codeberg/guix@6ba1058](https://codeberg.org/guix/guix/commit/6ba1058df0c4ce5611c2367531ae5c3cdc729ab4)
 
 
 [install-script]: #options-1-and-2-using-the-official-shell-installer-script-or-binary-tarball

contrib/guix/guix-codesign

@@ -137,7 +137,7 @@ fi
 
 
 ################
-# Unsigned tarballs SHOULD exist
+# Codesigning tarballs SHOULD exist
 ################
 
 # Usage: outdir_for_host HOST SUFFIX
@@ -149,13 +149,13 @@ outdir_for_host() {
 }
 
 
-unsigned_tarball_for_host() {
+codesigning_tarball_for_host() {
     case "$1" in
         *mingw*)
-            echo "$(outdir_for_host "$1")/${DISTNAME}-win64-unsigned.tar.gz"
+            echo "$(outdir_for_host "$1")/${DISTNAME}-win64-codesigning.tar.gz"
             ;;
         *darwin*)
-            echo "$(outdir_for_host "$1")/${DISTNAME}-${1}-unsigned.tar.gz"
+            echo "$(outdir_for_host "$1")/${DISTNAME}-${1}-codesigning.tar.gz"
             ;;
         *)
             exit 1
@@ -164,22 +164,22 @@ unsigned_tarball_for_host() {
 }
 
 # Accumulate a list of build directories that already exist...
-hosts_unsigned_tarball_missing=""
+hosts_codesigning_tarball_missing=""
 for host in $HOSTS; do
-    if [ ! -e "$(unsigned_tarball_for_host "$host")" ]; then
-        hosts_unsigned_tarball_missing+=" ${host}"
+    if [ ! -e "$(codesigning_tarball_for_host "$host")" ]; then
+        hosts_codesigning_tarball_missing+=" ${host}"
     fi
 done
 
-if [ -n "$hosts_unsigned_tarball_missing" ]; then
+if [ -n "$hosts_codesigning_tarball_missing" ]; then
     # ...so that we can print them out nicely in an error message
     cat << EOF
-ERR: Unsigned tarballs do not exist
+ERR: Codesigning tarballs do not exist
 ...
 
 EOF
-for host in $hosts_unsigned_tarball_missing; do
-    echo "     ${host} '$(unsigned_tarball_for_host "$host")'"
+for host in $hosts_codesigning_tarball_missing; do
+    echo "     ${host} '$(codesigning_tarball_for_host "$host")'"
 done
 exit 1
 fi
@@ -371,7 +371,7 @@ EOF
                                         OUTDIR="$(OUTDIR_BASE=/outdir-base && outdir_for_host "$HOST" codesigned)" \
                                         DIST_ARCHIVE_BASE=/outdir-base/dist-archive \
                                         DETACHED_SIGS_REPO=/detached-sigs \
-                                        UNSIGNED_TARBALL="$(OUTDIR_BASE=/outdir-base && unsigned_tarball_for_host "$HOST")" \
+                                        CODESIGNING_TARBALL="$(OUTDIR_BASE=/outdir-base && codesigning_tarball_for_host "$HOST")" \
                                       bash -c "cd /bitcoin && bash contrib/guix/libexec/codesign.sh"
     )
 

contrib/guix/libexec/build.sh

@@ -289,24 +289,6 @@ mkdir -p "$DISTSRC"
             ;;
     esac
 
-    case "$HOST" in
-        *darwin*)
-            make deploydir ${V:+V=1}
-            mkdir -p "unsigned-app-${HOST}"
-            cp  --target-directory="unsigned-app-${HOST}" \
-                contrib/macdeploy/detached-sig-create.sh
-            mv --target-directory="unsigned-app-${HOST}" dist
-            (
-                cd "unsigned-app-${HOST}"
-                find . -print0 \
-                    | sort --zero-terminated \
-                    | tar --create --no-recursion --mode='u+rw,go+r-w,a+X' --null --files-from=- \
-                    | gzip -9n > "${OUTDIR}/${DISTNAME}-${HOST}-unsigned.tar.gz" \
-                    || ( rm -f "${OUTDIR}/${DISTNAME}-${HOST}-unsigned.tar.gz" && exit 1 )
-            )
-            make deploy ${V:+V=1} OSX_ZIP="${OUTDIR}/${DISTNAME}-${HOST}-unsigned.zip"
-            ;;
-    esac
     (
         cd installed
 
@@ -339,7 +321,7 @@ mkdir -p "$DISTSRC"
 
         cp -r "${DISTSRC}/share/rpcauth" "${DISTNAME}/share/"
 
-        # Finally, deterministically produce {non-,}debug binary tarballs ready
+        # Deterministically produce {non-,}debug binary tarballs ready
         # for release
         case "$HOST" in
             *mingw*)
@@ -347,8 +329,8 @@ mkdir -p "$DISTSRC"
                     | xargs -0r touch --no-dereference --date="@${SOURCE_DATE_EPOCH}"
                 find "${DISTNAME}" -not -name "*.dbg" \
                     | sort \
-                    | zip -X@ "${OUTDIR}/${DISTNAME}-${HOST//x86_64-w64-mingw32/win64}.zip" \
-                    || ( rm -f "${OUTDIR}/${DISTNAME}-${HOST//x86_64-w64-mingw32/win64}.zip" && exit 1 )
+                    | zip -X@ "${OUTDIR}/${DISTNAME}-${HOST//x86_64-w64-mingw32/win64}-unsigned.zip" \
+                    || ( rm -f "${OUTDIR}/${DISTNAME}-${HOST//x86_64-w64-mingw32/win64}-unsigned.zip" && exit 1 )
                 find "${DISTNAME}" -name "*.dbg" -print0 \
                     | xargs -0r touch --no-dereference --date="@${SOURCE_DATE_EPOCH}"
                 find "${DISTNAME}" -name "*.dbg" \
@@ -372,12 +354,13 @@ mkdir -p "$DISTSRC"
                 find "${DISTNAME}" -print0 \
                     | sort --zero-terminated \
                     | tar --create --no-recursion --mode='u+rw,go+r-w,a+X' --null --files-from=- \
-                    | gzip -9n > "${OUTDIR}/${DISTNAME}-${HOST}.tar.gz" \
-                    || ( rm -f "${OUTDIR}/${DISTNAME}-${HOST}.tar.gz" && exit 1 )
+                    | gzip -9n > "${OUTDIR}/${DISTNAME}-${HOST}-unsigned.tar.gz" \
+                    || ( rm -f "${OUTDIR}/${DISTNAME}-${HOST}-unsigned.tar.gz" && exit 1 )
                 ;;
         esac
     )  # $DISTSRC/installed
 
+    # Finally make tarballs for codesigning
     case "$HOST" in
         *mingw*)
             cp -rf --target-directory=. contrib/windeploy
@@ -385,13 +368,33 @@ mkdir -p "$DISTSRC"
                 cd ./windeploy
                 mkdir -p unsigned
                 cp --target-directory=unsigned/ "${OUTDIR}/${DISTNAME}-win64-setup-unsigned.exe"
+                cp -r --target-directory=unsigned/ "${INSTALLPATH}"
+                find unsigned/ -name "*.dbg" -print0 \
+                    | xargs -0r rm
                 find . -print0 \
                     | sort --zero-terminated \
                     | tar --create --no-recursion --mode='u+rw,go+r-w,a+X' --null --files-from=- \
-                    | gzip -9n > "${OUTDIR}/${DISTNAME}-win64-unsigned.tar.gz" \
-                    || ( rm -f "${OUTDIR}/${DISTNAME}-win64-unsigned.tar.gz" && exit 1 )
+                    | gzip -9n > "${OUTDIR}/${DISTNAME}-win64-codesigning.tar.gz" \
+                    || ( rm -f "${OUTDIR}/${DISTNAME}-win64-codesigning.tar.gz" && exit 1 )
             )
             ;;
+        *darwin*)
+            make deploydir ${V:+V=1}
+            mkdir -p "unsigned-app-${HOST}"
+            cp  --target-directory="unsigned-app-${HOST}" \
+                contrib/macdeploy/detached-sig-create.sh
+            mv --target-directory="unsigned-app-${HOST}" dist
+            cp -r --target-directory="unsigned-app-${HOST}" "${INSTALLPATH}"
+            (
+                cd "unsigned-app-${HOST}"
+                find . -print0 \
+                    | sort --zero-terminated \
+                    | tar --create --no-recursion --mode='u+rw,go+r-w,a+X' --null --files-from=- \
+                    | gzip -9n > "${OUTDIR}/${DISTNAME}-${HOST}-codesigning.tar.gz" \
+                    || ( rm -f "${OUTDIR}/${DISTNAME}-${HOST}-codesigning.tar.gz" && exit 1 )
+            )
+            make deploy ${V:+V=1} OSX_ZIP="${OUTDIR}/${DISTNAME}-${HOST}-unsigned.zip"
+            ;;
     esac
 )  # $DISTSRC
 

contrib/guix/libexec/codesign.sh

@@ -4,6 +4,9 @@
 # file COPYING or http://www.opensource.org/licenses/mit-license.php.
 export LC_ALL=C
 set -e -o pipefail
+
+# Environment variables for determinism
+export TAR_OPTIONS="--owner=0 --group=0 --numeric-owner --mtime='@${SOURCE_DATE_EPOCH}' --sort=name"
 export TZ=UTC
 
 # Although Guix _does_ set umask when building its own packages (in our case,
@@ -27,7 +30,7 @@ fi
 # Check that required environment variables are set
 cat << EOF
 Required environment variables as seen inside the container:
-    UNSIGNED_TARBALL: ${UNSIGNED_TARBALL:?not set}
+    CODESIGNING_TARBALL: ${CODESIGNING_TARBALL:?not set}
     DETACHED_SIGS_REPO: ${DETACHED_SIGS_REPO:?not set}
     DIST_ARCHIVE_BASE: ${DIST_ARCHIVE_BASE:?not set}
     DISTNAME: ${DISTNAME:?not set}
@@ -63,27 +66,54 @@ mkdir -p "$DISTSRC"
 (
     cd "$DISTSRC"
 
-    tar -xf "$UNSIGNED_TARBALL"
+    tar -xf "$CODESIGNING_TARBALL"
 
     mkdir -p codesignatures
     tar -C codesignatures -xf "$CODESIGNATURE_GIT_ARCHIVE"
 
     case "$HOST" in
         *mingw*)
-            find "$PWD" -name "*-unsigned.exe" | while read -r infile; do
-                infile_base="$(basename "$infile")"
-
-                # Codesigned *-unsigned.exe and output to OUTDIR
+            # Apply detached codesignatures
+            WORKDIR=".tmp"
+            mkdir -p ${WORKDIR}
+            cp -r --target-directory="${WORKDIR}" "unsigned/${DISTNAME}"
+            find "${WORKDIR}/${DISTNAME}" -name "*.exe" -type f -exec rm {} \;
+            find unsigned/ -name "*.exe" -type f | while read -r bin
+            do
+                bin_base="$(realpath --relative-to=unsigned/ "${bin}")"
+                mkdir -p "${WORKDIR}/$(dirname "${bin_base}")"
                 osslsigncode attach-signature \
-                                 -in "$infile" \
-                                 -out "${OUTDIR}/${infile_base/-unsigned}" \
+                                 -in "${bin}" \
+                                 -out "${WORKDIR}/${bin_base/-unsigned}" \
                                  -CAfile "$GUIX_ENVIRONMENT/etc/ssl/certs/ca-certificates.crt" \
-                                 -sigin codesignatures/win/"$infile_base".pem
+                                 -sigin codesignatures/win/"${bin_base}".pem
             done
+
+            # Move installer to outdir
+            cd "${WORKDIR}"
+            find . -name "*setup.exe" -print0 \
+                | xargs -0r mv --target-directory="${OUTDIR}"
+
+            # Make .zip from binaries
+            find "${DISTNAME}" -print0 \
+                | xargs -0r touch --no-dereference --date="@${SOURCE_DATE_EPOCH}"
+            find "${DISTNAME}" \
+                | sort \
+                | zip -X@ "${OUTDIR}/${DISTNAME}-${HOST//x86_64-w64-mingw32/win64}.zip" \
+                || ( rm -f "${OUTDIR}/${DISTNAME}-${HOST//x86_64-w64-mingw32/win64}.zip" && exit 1 )
             ;;
         *darwin*)
-            # Apply detached codesignatures to dist/ (in-place)
-            signapple apply dist/Bitcoin-Qt.app codesignatures/osx/dist
+            case "$HOST" in
+                arm64*) ARCH="arm64" ;;
+                x86_64*) ARCH="x86_64" ;;
+            esac
+
+            # Apply detached codesignatures (in-place)
+            signapple apply dist/Bitcoin-Qt.app codesignatures/osx/"${HOST}"/dist/Bitcoin-Qt.app
+            find "${DISTNAME}" -wholename "*/bin/*" -type f | while read -r bin
+            do
+                signapple apply "${bin}" "codesignatures/osx/${HOST}/${bin}.${ARCH}sign"
+            done
 
             # Make a .zip from dist/
             cd dist/
@@ -91,6 +121,14 @@ mkdir -p "$DISTSRC"
                 | xargs -0r touch --no-dereference --date="@${SOURCE_DATE_EPOCH}"
             find . | sort \
                 | zip -X@ "${OUTDIR}/${DISTNAME}-${HOST}.zip"
+            cd ..
+
+            # Make a .tar.gz from bins
+            find "${DISTNAME}" -print0 \
+                | sort --zero-terminated \
+                | tar --create --no-recursion --mode='u+rw,go+r-w,a+X' --null --files-from=- \
+                | gzip -9n > "${OUTDIR}/${DISTNAME}-${HOST}.tar.gz" \
+                || ( rm -f "${OUTDIR}/${DISTNAME}-${HOST}.tar.gz" && exit 1 )
             ;;
         *)
             exit 1
@@ -105,7 +143,7 @@ mv --no-target-directory "$OUTDIR" "$ACTUAL_OUTDIR" \
 (
     cd /outdir-base
     {
-        echo "$UNSIGNED_TARBALL"
+        echo "$CODESIGNING_TARBALL"
         echo "$CODESIGNATURE_GIT_ARCHIVE"
         find "$ACTUAL_OUTDIR" -type f
     } | xargs realpath --relative-base="$PWD" \

contrib/guix/libexec/prelude.bash

@@ -50,7 +50,7 @@ fi
 # across time.
 time-machine() {
     # shellcheck disable=SC2086
-    guix time-machine --url=https://git.savannah.gnu.org/git/guix.git \
+    guix time-machine --url=https://codeberg.org/guix/guix.git \
                       --commit=7bf1d7aeaffba15c4f680f93ae88fbef25427252 \
                       --cores="$JOBS" \
                       --keep-failed \

contrib/guix/manifest.scm

@@ -17,13 +17,14 @@
              (gnu packages moreutils)
              (gnu packages pkg-config)
              ((gnu packages python) #:select (python-minimal))
-             ((gnu packages python-build) #:select (python-tomli))
+             ((gnu packages python-build) #:select (python-tomli python-poetry-core))
              ((gnu packages python-crypto) #:select (python-asn1crypto))
              ((gnu packages tls) #:select (openssl))
              ((gnu packages version-control) #:select (git-minimal))
              (guix build-system cmake)
              (guix build-system gnu)
              (guix build-system python)
+             (guix build-system pyproject)
              (guix build-system trivial)
              (guix download)
              (guix gexp)
@@ -393,10 +394,10 @@ specific moment in time, whitelisting and revocation checks.")
       (license license:expat))))
 
 (define-public python-signapple
-  (let ((commit "62155712e7417aba07565c9780a80e452823ae6a"))
+  (let ((commit "85bfcecc33d2773bc09bc318cec0614af2c8e287"))
     (package
       (name "python-signapple")
-      (version (git-version "0.1" "1" commit))
+      (version (git-version "0.2.0" "1" commit))
       (source
        (origin
          (method git-fetch)
@@ -406,13 +407,14 @@ specific moment in time, whitelisting and revocation checks.")
          (file-name (git-file-name name commit))
          (sha256
           (base32
-           "1nm6rm4h4m7kbq729si4cm8rzild62mk4ni8xr5zja7l33fhv3gb"))))
-      (build-system python-build-system)
+           "17yqjll8nw83q6dhgqhkl7w502z5vy9sln8m6mlx0f1c10isg8yg"))))
+      (build-system pyproject-build-system)
       (propagated-inputs
         (list python-asn1crypto
               python-oscrypto
               python-certvalidator
               python-elfesteem))
+      (native-inputs (list python-poetry-core))
       ;; There are no tests, but attempting to run python setup.py test leads to
       ;; problems, just disable the test
       (arguments '(#:tests? #f))

contrib/macdeploy/detached-sig-create.sh

@@ -6,26 +6,57 @@
 export LC_ALL=C
 set -e
 
-ROOTDIR=dist
-BUNDLE="${ROOTDIR}/Bitcoin-Qt.app"
-BINARY="${BUNDLE}/Contents/MacOS/Bitcoin-Qt"
 SIGNAPPLE=signapple
 TEMPDIR=sign.temp
-ARCH=$(${SIGNAPPLE} info ${BINARY} | head -n 1 | cut -d " " -f 1)
-OUT="signature-osx-${ARCH}.tar.gz"
-OUTROOT=osx/dist
 
-if [ -z "$1" ]; then
-  echo "usage: $0 <signapple args>"
-  echo "example: $0 <path to key>"
+BUNDLE_ROOT=dist
+BUNDLE_NAME="Bitcoin-Qt.app"
+UNSIGNED_BUNDLE="${BUNDLE_ROOT}/${BUNDLE_NAME}"
+UNSIGNED_BINARY="${UNSIGNED_BUNDLE}/Contents/MacOS/Bitcoin-Qt"
+
+ARCH=$(${SIGNAPPLE} info ${UNSIGNED_BINARY} | head -n 1 | cut -d " " -f 1)
+
+OUTDIR="osx/${ARCH}-apple-darwin"
+OUTROOT="${TEMPDIR}/${OUTDIR}"
+
+OUT="signature-osx-${ARCH}.tar.gz"
+
+if [ "$#" -ne 3 ]; then
+  echo "usage: $0 <path to key> <path to app store connect key> <apple developer team uuid>"
   exit 1
 fi
 
 rm -rf ${TEMPDIR}
 mkdir -p ${TEMPDIR}
 
-${SIGNAPPLE} sign -f --detach "${TEMPDIR}/${OUTROOT}"  "$@" "${BUNDLE}" --hardened-runtime
+stty -echo
+printf "Enter the passphrase for %s: " "$1"
+read cs_key_pass
+printf "\n"
+printf "Enter the passphrase for %s: " "$2"
+read api_key_pass
+printf "\n"
+stty echo
 
-tar -C "${TEMPDIR}" -czf "${OUT}" .
+# Sign and notarize app bundle
+${SIGNAPPLE} sign -f --hardened-runtime --detach "${OUTROOT}/${BUNDLE_ROOT}" --passphrase "${cs_key_pass}" "$1" "${UNSIGNED_BUNDLE}"
+${SIGNAPPLE} apply "${UNSIGNED_BUNDLE}" "${OUTROOT}/${BUNDLE_ROOT}/${BUNDLE_NAME}"
+${SIGNAPPLE} notarize --detach "${OUTROOT}/${BUNDLE_ROOT}" --passphrase "${api_key_pass}" "$2" "$3" "${UNSIGNED_BUNDLE}"
+
+# Sign each binary
+find . -maxdepth 3 -wholename "*/bin/*" -type f -exec realpath --relative-to=. {} \; | while read -r bin
+do
+    bin_dir=$(dirname "${bin}")
+    bin_name=$(basename "${bin}")
+    ${SIGNAPPLE} sign -f --hardened-runtime --detach "${OUTROOT}/${bin_dir}" --passphrase "${cs_key_pass}" "$1" "${bin}"
+    ${SIGNAPPLE} apply "${bin}" "${OUTROOT}/${bin_dir}/${bin_name}.${ARCH}sign"
+done
+
+# Notarize the binaries
+# Binaries cannot have stapled notarizations so this does not actually generate any output
+binaries_dir=$(dirname "$(find . -maxdepth 2 -wholename '*/bin' -type d -exec realpath --relative-to=. {} \;)")
+${SIGNAPPLE} notarize --passphrase "${api_key_pass}" "$2" "$3" "${binaries_dir}"
+
+tar -C "${TEMPDIR}" -czf "${OUT}" "${OUTDIR}"
 rm -rf "${TEMPDIR}"
 echo "Created ${OUT}"

contrib/windeploy/detached-sig-create.sh

@@ -8,9 +8,9 @@ if [ -z "$OSSLSIGNCODE" ]; then
   OSSLSIGNCODE=osslsigncode
 fi
 
-if [ -z "$1" ]; then
-  echo "usage: $0 <osslcodesign args>"
-  echo "example: $0 -key codesign.key"
+if [ "$#" -ne 1 ]; then
+  echo "usage: $0 <path to key>"
+  echo "example: $0 codesign.key"
   exit 1
 fi
 
@@ -22,12 +22,22 @@ OUTSUBDIR="${OUTDIR}/win"
 TIMESERVER=http://timestamp.comodoca.com
 CERTFILE="win-codesign.cert"
 
+stty -echo
+printf "Enter the passphrase for %s: " "$1"
+read cs_key_pass
+printf "\n"
+stty echo
+
+
 mkdir -p "${OUTSUBDIR}"
-# shellcheck disable=SC2046
-basename -a $(ls -1 "${SRCDIR}"/*-unsigned.exe) | while read UNSIGNED; do
-  echo Signing "${UNSIGNED}"
-  "${OSSLSIGNCODE}" sign -certs "${CERTFILE}" -t "${TIMESERVER}" -h sha256 -in "${SRCDIR}/${UNSIGNED}" -out "${WORKDIR}/${UNSIGNED}" "$@"
-  "${OSSLSIGNCODE}" extract-signature -pem -in "${WORKDIR}/${UNSIGNED}" -out "${OUTSUBDIR}/${UNSIGNED}.pem" && rm "${WORKDIR}/${UNSIGNED}"
+find ${SRCDIR} -wholename "*.exe" -type f -exec realpath --relative-to=. {} \; | while read -r bin
+do
+    echo Signing "${bin}"
+    bin_base="$(realpath --relative-to=${SRCDIR} "${bin}")"
+    mkdir -p "$(dirname ${WORKDIR}/"${bin_base}")"
+    "${OSSLSIGNCODE}" sign -certs "${CERTFILE}" -t "${TIMESERVER}" -h sha256 -in "${bin}" -out "${WORKDIR}/${bin_base}" -key "$1" -pass "${cs_key_pass}"
+    mkdir -p "$(dirname ${OUTSUBDIR}/"${bin_base}")"
+    "${OSSLSIGNCODE}" extract-signature -pem -in "${WORKDIR}/${bin_base}" -out "${OUTSUBDIR}/${bin_base}.pem" && rm "${WORKDIR}/${bin_base}"
 done
 
 rm -f "${OUT}"

depends/packages/freetype.mk

@@ -4,6 +4,7 @@ $(package)_download_path=https://download.savannah.gnu.org/releases/$(package)
 $(package)_file_name=$(package)-$($(package)_version).tar.xz
 $(package)_sha256_hash=8bee39bd3968c4804b70614a0a3ad597299ad0e824bc8aad5ce8aaf48067bde7
 $(package)_build_subdir=build
+$(package)_patches += cmake_minimum.patch
 
 define $(package)_set_vars
   $(package)_config_opts := -DCMAKE_BUILD_TYPE=None -DBUILD_SHARED_LIBS=TRUE
@@ -12,6 +13,10 @@ define $(package)_set_vars
   $(package)_config_opts += -DCMAKE_DISABLE_FIND_PACKAGE_BrotliDec=TRUE
 endef
 
+define $(package)_preprocess_cmds
+  patch -p1 < $($(package)_patch_dir)/cmake_minimum.patch
+endef
+
 define $(package)_config_cmds
   $($(package)_cmake) -S .. -B .
 endef

depends/packages/xproto.mk

@@ -21,6 +21,8 @@ define $(package)_build_cmds
   $(MAKE)
 endef
 
+# mkdir detection is broken on Alpine. Set MKDIRPROG to ensure we always
+# use "mkdir -p", and avoid parallelism issues during install.
 define $(package)_stage_cmds
-  $(MAKE) DESTDIR=$($(package)_staging_dir) install
+  $(MAKE) MKDIRPROG="mkdir -p" DESTDIR=$($(package)_staging_dir) install
 endef

depends/patches/freetype/cmake_minimum.patch

@@ -0,0 +1,13 @@
+build: set minimum required CMake to 3.12
+
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -97,7 +97,7 @@
+ # FreeType explicitly marks the API to be exported and relies on the compiler
+ # to hide all other symbols. CMake supports a C_VISBILITY_PRESET property
+ # starting with 2.8.12.
+-cmake_minimum_required(VERSION 2.8.12)
++cmake_minimum_required(VERSION 3.12)
+
+ if (NOT CMAKE_VERSION VERSION_LESS 3.3)
+   # Allow symbol visibility settings also on static libraries. CMake < 3.3

doc/man/bitcoin-cli.1

@@ -1,7 +1,7 @@
 .\" DO NOT MODIFY THIS FILE!  It was generated by help2man 1.49.3.
-.TH BITCOIN-CLI "1" "May 2025" "bitcoin-cli v28.2.0rc1" "User Commands"
+.TH BITCOIN-CLI "1" "June 2025" "bitcoin-cli v28.2.0" "User Commands"
 .SH NAME
-bitcoin-cli \- manual page for bitcoin-cli v28.2.0rc1
+bitcoin-cli \- manual page for bitcoin-cli v28.2.0
 .SH SYNOPSIS
 .B bitcoin-cli
 [\fI\,options\/\fR] \fI\,<command> \/\fR[\fI\,params\/\fR]  \fI\,Send command to Bitcoin Core\/\fR
@@ -15,7 +15,7 @@ bitcoin-cli \- manual page for bitcoin-cli v28.2.0rc1
 .B bitcoin-cli
 [\fI\,options\/\fR] \fI\,help <command>      Get help for a command\/\fR
 .SH DESCRIPTION
-Bitcoin Core RPC client version v28.2.0rc1
+Bitcoin Core RPC client version v28.2.0
 .SH OPTIONS
 .HP
 \-?

doc/man/bitcoin-qt.1

@@ -1,12 +1,12 @@
 .\" DO NOT MODIFY THIS FILE!  It was generated by help2man 1.49.3.
-.TH BITCOIN-QT "1" "May 2025" "bitcoin-qt v28.2.0rc1" "User Commands"
+.TH BITCOIN-QT "1" "June 2025" "bitcoin-qt v28.2.0" "User Commands"
 .SH NAME
-bitcoin-qt \- manual page for bitcoin-qt v28.2.0rc1
+bitcoin-qt \- manual page for bitcoin-qt v28.2.0
 .SH SYNOPSIS
 .B bitcoin-qt
 [\fI\,command-line options\/\fR] [\fI\,URI\/\fR]
 .SH DESCRIPTION
-Bitcoin Core version v28.2.0rc1
+Bitcoin Core version v28.2.0
 .PP
 Optional URI is a Bitcoin address in BIP21 URI format.
 .SH OPTIONS

doc/man/bitcoin-tx.1

@@ -1,7 +1,7 @@
 .\" DO NOT MODIFY THIS FILE!  It was generated by help2man 1.49.3.
-.TH BITCOIN-TX "1" "May 2025" "bitcoin-tx v28.2.0rc1" "User Commands"
+.TH BITCOIN-TX "1" "June 2025" "bitcoin-tx v28.2.0" "User Commands"
 .SH NAME
-bitcoin-tx \- manual page for bitcoin-tx v28.2.0rc1
+bitcoin-tx \- manual page for bitcoin-tx v28.2.0
 .SH SYNOPSIS
 .B bitcoin-tx
 [\fI\,options\/\fR] \fI\,<hex-tx> \/\fR[\fI\,commands\/\fR]  \fI\,Update hex-encoded bitcoin transaction\/\fR
@@ -9,7 +9,7 @@ bitcoin-tx \- manual page for bitcoin-tx v28.2.0rc1
 .B bitcoin-tx
 [\fI\,options\/\fR] \fI\,-create \/\fR[\fI\,commands\/\fR]   \fI\,Create hex-encoded bitcoin transaction\/\fR
 .SH DESCRIPTION
-Bitcoin Core bitcoin\-tx utility version v28.2.0rc1
+Bitcoin Core bitcoin\-tx utility version v28.2.0
 .SH OPTIONS
 .HP
 \-?

doc/man/bitcoin-util.1

@@ -1,12 +1,12 @@
 .\" DO NOT MODIFY THIS FILE!  It was generated by help2man 1.49.3.
-.TH BITCOIN-UTIL "1" "May 2025" "bitcoin-util v28.2.0rc1" "User Commands"
+.TH BITCOIN-UTIL "1" "June 2025" "bitcoin-util v28.2.0" "User Commands"
 .SH NAME
-bitcoin-util \- manual page for bitcoin-util v28.2.0rc1
+bitcoin-util \- manual page for bitcoin-util v28.2.0
 .SH SYNOPSIS
 .B bitcoin-util
 [\fI\,options\/\fR] [\fI\,commands\/\fR]  \fI\,Do stuff\/\fR
 .SH DESCRIPTION
-Bitcoin Core bitcoin\-util utility version v28.2.0rc1
+Bitcoin Core bitcoin\-util utility version v28.2.0
 .SH OPTIONS
 .HP
 \-?

doc/man/bitcoin-wallet.1

@@ -1,9 +1,9 @@
 .\" DO NOT MODIFY THIS FILE!  It was generated by help2man 1.49.3.
-.TH BITCOIN-WALLET "1" "May 2025" "bitcoin-wallet v28.2.0rc1" "User Commands"
+.TH BITCOIN-WALLET "1" "June 2025" "bitcoin-wallet v28.2.0" "User Commands"
 .SH NAME
-bitcoin-wallet \- manual page for bitcoin-wallet v28.2.0rc1
+bitcoin-wallet \- manual page for bitcoin-wallet v28.2.0
 .SH DESCRIPTION
-Bitcoin Core bitcoin\-wallet version v28.2.0rc1
+Bitcoin Core bitcoin\-wallet version v28.2.0
 .PP
 bitcoin\-wallet is an offline tool for creating and interacting with Bitcoin Core wallet files.
 By default bitcoin\-wallet will act on wallets in the default mainnet wallet directory in the datadir.

doc/man/bitcoind.1

@@ -1,12 +1,12 @@
 .\" DO NOT MODIFY THIS FILE!  It was generated by help2man 1.49.3.
-.TH BITCOIND "1" "May 2025" "bitcoind v28.2.0rc1" "User Commands"
+.TH BITCOIND "1" "June 2025" "bitcoind v28.2.0" "User Commands"
 .SH NAME
-bitcoind \- manual page for bitcoind v28.2.0rc1
+bitcoind \- manual page for bitcoind v28.2.0
 .SH SYNOPSIS
 .B bitcoind
 [\fI\,options\/\fR]                     \fI\,Start Bitcoin Core\/\fR
 .SH DESCRIPTION
-Bitcoin Core version v28.2.0rc1
+Bitcoin Core version v28.2.0
 .SH OPTIONS
 .HP
 \-?

doc/release-notes.md

@@ -1,6 +1,6 @@
-Bitcoin Core version 28.2rc1 is now available from:
+Bitcoin Core version 28.2 is now available from:
 
-  <https://bitcoincore.org/bin/bitcoin-core-28.2/test.rc1/>
+  <https://bitcoincore.org/bin/bitcoin-core-28.2/>
 
 This release includes new features, various bug fixes and performance
 improvements, as well as updated translations.
@@ -25,13 +25,6 @@ Upgrading directly from a version of Bitcoin Core that has reached its EOL is
 possible, but it might take some time if the data directory needs to be migrated. Old
 wallet versions of Bitcoin Core are generally supported.
 
-Running Bitcoin Core binaries on macOS requires self signing.
-```
-cd /path/to/bitcoin-28.x/bin
-xattr -d com.apple.quarantine bitcoin-cli bitcoin-qt bitcoin-tx bitcoin-util bitcoin-wallet bitcoind test_bitcoin
-codesign -s - bitcoin-cli bitcoin-qt bitcoin-tx bitcoin-util bitcoin-wallet bitcoind test_bitcoin
-```
-
 Compatibility
 ==============
 
@@ -46,9 +39,13 @@ Notable changes
 
 ### Build
 
-- #31627 depends: Fix spacing issue
+- #31407 guix: Notarize MacOS app bundle and codesign all MacOS and Windows binaries
 - #31500 depends: Fix compiling libevent package on NetBSD
+- #31627 depends: Fix spacing issue
 - #32070 build: use make < 3.82 syntax for define directive
+- #32439 guix: accomodate migration to codeberg
+- #32568 depends: use "mkdir -p" when installing xproto
+- #32693 depends: fix cmake compatibility error for freetype
 
 ### Test
 
@@ -59,6 +56,10 @@ Notable changes
 
 - #31623 tracing: Rename the MIN macro to TRACEPOINT_TEST_MIN in log_raw_p2p_msgs
 
+### Doc
+
+- #32003 doc: remove note about macOS self-signing
+
 ### Misc
 
 - #31611 doc: upgrade license to 2025
@@ -67,14 +68,16 @@ Notable changes
 Credits
 =======
 
+Thanks to everyone who directly contributed to this release:
 - 0xB10C
+- achow101
 - Brandon Odiwuor
+- fanquake
 - Hennadii Stepanov
+- josibake
 - kehiy
 - MarcoFalke
 - Sjors Provoost
 
-Thanks to everyone who directly contributed to this release:
-
 As well as to everyone that helped with translations on
 [Transifex](https://www.transifex.com/bitcoin/bitcoin/).

doc/release-process.md

@@ -164,8 +164,8 @@ Then open a Pull Request to the [guix.sigs repository](https://github.com/bitcoi
 
 In the `guix-build-${VERSION}/output/x86_64-apple-darwin` and `guix-build-${VERSION}/output/arm64-apple-darwin` directories:
 
-    tar xf bitcoin-osx-unsigned.tar.gz
-    ./detached-sig-create.sh /path/to/codesign.p12
+    tar xf bitcoin-${VERSION}-${ARCH}-apple-darwin-codesigning.tar.gz
+    ./detached-sig-create.sh /path/to/codesign.p12 /path/to/AuthKey_foo.p8 uuid
     Enter the keychain password and authorize the signature
     signature-osx.tar.gz will be created
 
@@ -173,8 +173,8 @@ In the `guix-build-${VERSION}/output/x86_64-apple-darwin` and `guix-build-${VERS
 
 In the `guix-build-${VERSION}/output/x86_64-w64-mingw32` directory:
 
-    tar xf bitcoin-win-unsigned.tar.gz
-    ./detached-sig-create.sh -key /path/to/codesign.key
+    tar xf bitcoin-${VERSION}-win64-codesigning.tar.gz
+    ./detached-sig-create.sh /path/to/codesign.key
     Enter the passphrase for the key when prompted
     signature-win.tar.gz will be created