From: Cory Fields
Date: Fri, 12 Jan 2018 00:04:44 -0500
To: Bitcoin Dev
Subject: [bitcoin-dev] New Bitcoin Core macOS signing key

Hi all

As discussed in a few of the last weekly meetings, Bitcoin Core's macOS code signing certificate expired today. We are (Greg is ;) in the process of establishing a new threshold signing scheme that will allow us to handle code signing without any single point of failure. But until then, releases will be signed as before, just with a new certificate.

As a matter of record, I used the old code-signing key/certificate to sign a message containing the pubkey that matches the new key/certificate. It's attached at the end of this message. The pkcs7 format is rather clunky, but I wanted to include the current signing certificate to make verification easier. I'll leave it to the reader to extract the certificate from a previous release in order to make sure that they match. It was also in the Core git repo until it was removed recently.

To verify, you can use something like:

    openssl smime -verify -in sig.pkcs7 -inform pem -ignore_critical -purpose any

- "ignore_critical" setting tells openssl to ignore the Apple-specific critical extensions that it doesn't understand.
- "-purpose any" allows the "purpose == smimesign" check to be skipped. This would otherwise fail because this certificate is only authorized to sign code, not arbitrary messages.

By now, the signature will probably fail to validate because the certificate has expired.

The signed message below is timestamped on the Bitcoin blockchain using OpenTimestamps. See the attached ots file containing the timestamp proof. If the attachment gets scrubbed and doesn't make it to the list, don't be afraid to nag Peter Todd about a mail-friendly format for these proofs :)

Regards,
Cory

expire.txt.sig:

Attachment: expire.txt.sig.ots
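Added example, not part of the original message or of Bitcoin Core: a sketch of the three checks the message leaves to the reader, namely that the PKCS#7 signature is valid, that the signer certificate is the one already trusted from an earlier release, and that the public key in the signed statement belongs to the new certificate. The function names and the self-signed test certificates are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example. All keys, certificates and statements are constructed test data.

fp() { openssl x509 -in "$1" -noout -fingerprint -sha256; }   # certificate fingerprint

spki() {  # SHA-256 of the first PEM public key found in file $1
    sed -n '/^-----BEGIN PUBLIC KEY-----/,/^-----END PUBLIC KEY-----/p' "$1" |
        openssl pkey -pubin -pubout -outform DER 2>/dev/null |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# check_rollover SIG PINNED_OLD_CERT NEW_CERT -> 0 only if every check passes
check_rollover() (
    w=$(mktemp -d) || exit 1
    trap 'rm -rf "$w"' EXIT
    # 1. Signature over the embedded statement. -noverify skips chain building
    #    because the constructed certificates are self-signed; trust comes from
    #    step 2. The message's own command uses -ignore_critical and
    #    -purpose any for the real Apple-issued certificate.
    openssl smime -verify -in "$1" -inform PEM -noverify \
        -signer "$w/signer.crt" -out "$w/stmt.txt" 2>/dev/null || exit 1
    # 2. The signer must be the certificate taken from an earlier release.
    [ "$(fp "$w/signer.crt")" = "$(fp "$2")" ] || exit 1
    # 3. The key announced in the statement must be the new certificate's key.
    openssl x509 -in "$3" -noout -pubkey > "$w/new.pub" 2>/dev/null || exit 1
    [ "$(spki "$w/stmt.txt")" = "$(spki "$w/new.pub")" ]
)

# make_fixture DIR: old, new and unrelated ("rogue") signers plus two statements
make_fixture() {
    for n in old new rogue; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
            -subj "/CN=constructed $n signer" \
            -keyout "$1/$n.key" -out "$1/$n.crt" 2>/dev/null || return 1
    done
    { echo "The public key to be used with the new certificate is:"
      openssl x509 -in "$1/new.crt" -noout -pubkey; } > "$1/stmt.txt"
    for n in old rogue; do
        openssl smime -sign -binary -nodetach -in "$1/stmt.txt" \
            -signer "$1/$n.crt" -inkey "$1/$n.key" \
            -outform PEM -out "$1/$n.pkcs7" 2>/dev/null || return 1
    done
}

demo=$(mktemp -d) && make_fixture "$demo" &&
    check_rollover "$demo/old.pkcs7" "$demo/old.crt" "$demo/new.crt" &&
    echo "rollover statement accepted"
rm -rf "$demo"
```

A statement signed by any certificate other than the pinned one fails at step 2 even though its signature is cryptographically valid, which is why the comparison against a copy from an earlier release matters.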