Merge branch 'spesmilo:master' into master

Author: bnetsera92-stack

.cirrus.yml

@@ -243,6 +243,29 @@ task:
   main_script:
     - contrib/ban_unicode.py
 
+task:
+  name: "security review: Claude Code"
+  # NOTE: claude has access to all API keys available in the Cirrus CI environment.
+  # If we would add some critical api keys in here we should consider this.
+  matrix:
+    - trigger_type: automatic
+      only_if: $CIRRUS_PR != '' && ($CIRRUS_USER_PERMISSION == 'write' || $CIRRUS_USER_PERMISSION == 'admin')
+    - trigger_type: manual
+      only_if: $CIRRUS_PR != '' && !($CIRRUS_USER_PERMISSION == 'write' || $CIRRUS_USER_PERMISSION == 'admin')
+  container:
+    image: node:20
+    cpu: 1
+    memory: 2G
+  # CLAUDE_CODE_OAUTH_TOKEN is set as an encrypted "override" in https://cirrus-ci.com/settings/...
+  # It must be stored encrypted (ENCRYPTED[...]) so Cirrus CI refuses to decrypt it for
+  # fork PRs from users without write permission.
+  # Generate with: claude setup-token
+  # Optional: set GITHUB_TOKEN to enable PR comments on failure
+  install_script:
+    - npm install -g @anthropic-ai/claude-code
+  review_script:
+    - python3 contrib/ci/claude_security_review.py
+
 # Cron jobs configured in https://cirrus-ci.com/settings/...
 # - job "nightly" on branch "master" at "0 30 2 * * ?"  (every day at 02:30Z)
 task:

contrib/build-linux/sdist/README.md

@@ -53,5 +53,3 @@ The differences are as follows:
 - the normal tarball includes compiled (.mo) locale files, the source-only tarball does not.
   Both tarballs contain (.po) source locale files. If you are packaging for a Linux distro,
   you probably want to compile the .mo locale files yourself (see `contrib/locale/build_locale.sh`).
-- the normal tarball includes generated `*_pb2.py` files. These are created
-  using `protobuf-compiler` from `.proto` files (see `contrib/generate_payreqpb2.sh`)

contrib/build-linux/sdist/make_sdist.sh

@@ -35,11 +35,6 @@ info "preparing electrum-locale."
     fi
 )
 
-if ([ "$OMIT_UNCLEAN_FILES" = 1 ]); then
-    # FIXME side-effecting repo... though in practice, this script probably runs in fresh_clone
-    rm -f "$PROJECT_ROOT/electrum/paymentrequest_pb2.py"
-fi
-
 (
     cd "$PROJECT_ROOT"
 

contrib/build-wine/Dockerfile

@@ -1,4 +1,4 @@
-FROM debian:bookworm@sha256:b37bc259c67238d814516548c17ad912f26c3eed48dd9bb54893eafec8739c89
+FROM debian:trixie@sha256:13f29b6806e531c3ff3b565bb6eed73f2132506c8c9d41bb996065ca20fb27f2
 
 # need ca-certificates before using snapshot packages
 RUN apt update -qq > /dev/null && apt install -qq --yes --no-install-recommends \
@@ -14,14 +14,16 @@ ENV DEBIAN_FRONTEND=noninteractive
 RUN dpkg --add-architecture i386 && \
     apt-get update -q && \
     apt-get install -qy --allow-downgrades \
+        lsb-release \
         wget \
         gnupg2 \
         dirmngr \
-        python3-software-properties \
-        software-properties-common \
+        python3 \
         git \
         p7zip-full \
         make \
+        cmake \
+        pkgconf \
         mingw-w64 \
         mingw-w64-tools \
         autotools-dev \
@@ -37,7 +39,7 @@ RUN dpkg --add-architecture i386 && \
     apt-get clean
 
 RUN DEBIAN_CODENAME=$(lsb_release --codename --short) && \
-    WINEVERSION="10.0.0.0~${DEBIAN_CODENAME}-1" && \
+    WINEVERSION="11.0.0.0~${DEBIAN_CODENAME}-1" && \
     wget -nc https://dl.winehq.org/wine-builds/winehq.key && \
         echo "d965d646defe94b3dfba6d5b4406900ac6c81065428bf9d9303ad7a72ee8d1b8 winehq.key" | sha256sum -c - && \
         cat winehq.key | gpg --dearmor -o /etc/apt/keyrings/winehq.gpg && \
@@ -49,8 +51,6 @@ RUN DEBIAN_CODENAME=$(lsb_release --codename --short) && \
         wine-stable-i386:i386=${WINEVERSION} \
         wine-stable:amd64=${WINEVERSION} \
         winehq-stable:amd64=${WINEVERSION} \
-        libvkd3d1:amd64=1.3~${DEBIAN_CODENAME}-1 \
-        libvkd3d1:i386=1.3~${DEBIAN_CODENAME}-1 \
         && \
     rm -rf /var/lib/apt/lists/* && \
     apt-get autoremove -y && \

contrib/build-wine/apt.sources.list

@@ -1,2 +1,2 @@
-deb https://snapshot.debian.org/archive/debian/20250530T143637Z/ bookworm main
-deb-src https://snapshot.debian.org/archive/debian/20250530T143637Z/ bookworm main
+deb https://snapshot.debian.org/archive/debian/20260227T144551Z/ trixie main
+deb-src https://snapshot.debian.org/archive/debian/20260227T144551Z/ trixie main

contrib/build-wine/make_win.sh

@@ -53,28 +53,34 @@ if [ -f "$DLL_TARGET_DIR/libzbar-0.dll" ]; then
     info "libzbar already built, skipping"
 else
     (
-        # As debian bullseye doesn't provide win-iconv-mingw-w64-dev, we need to build it:
-        WIN_ICONV_COMMIT="9f98392dfecadffd62572e73e9aba878e03496c4"
-        # ^ tag "v0.0.8"
-        info "Building win-iconv..."
-        cd "$CACHEDIR"
-        if [ ! -d win-iconv ]; then
-            git clone https://github.com/win-iconv/win-iconv.git
-        fi
-        cd win-iconv
-        if ! $(git cat-file -e ${WIN_ICONV_COMMIT}) ; then
-            info "Could not find requested version $WIN_ICONV_COMMIT in local clone; fetching..."
-            git fetch --all
-        fi
-        git reset --hard
-        git clean -dfxq
-        git checkout "${WIN_ICONV_COMMIT}^{commit}"
-
-        # note: "-j1" as parallel jobs lead to non-reproducibility seemingly due to ordering issues
-        #       see https://github.com/win-iconv/win-iconv/issues/42
-        CC="${GCC_TRIPLET_HOST}-gcc" make -j1 || fail "Could not build win-iconv"
+        # iconv is needed for zbar. see https://github.com/mchehab/zbar/blob/a549566ea11eb03622bd4458a1728ffe3f589163/README-windows.md
+        # (previously were using win-iconv, but changed to GNU libiconv due to compilation errors with modern gcc)
+        LIBICONV_VER="1.18"
+        download_if_not_exist "$CACHEDIR/libiconv-${LIBICONV_VER}.tar.gz" "https://ftp.gnu.org/pub/gnu/libiconv/libiconv-${LIBICONV_VER}.tar.gz"
+        verify_hash "$CACHEDIR/libiconv-${LIBICONV_VER}.tar.gz" "3b08f5f4f9b4eb82f151a7040bfd6fe6c6fb922efe4b1659c66ea933276965e8"
+        tar xf "$CACHEDIR/libiconv-${LIBICONV_VER}.tar.gz" -C "$CACHEDIR"
+        # ref https://github.com/msys2/MINGW-packages/blob/7f68e9f2488737bbe03888ade094eaee8021d1c5/mingw-w64-libiconv/PKGBUILD
+        info "Building libiconv..."
+        cd "$CACHEDIR/libiconv-${LIBICONV_VER}"
+        # Patches taken from msys2/MINGW-packages
+        patch -p1 < "$here/patches/libiconv-fix-pointer-buf.patch"
+        ./configure \
+            $AUTOCONF_FLAGS \
+            --prefix="/usr/${GCC_TRIPLET_HOST}" \
+            --disable-static \
+            --enable-shared \
+            --enable-extra-encodings \
+            --enable-relocatable \
+            --disable-rpath \
+            --enable-silent-rules \
+            --enable-nls
+        CC="${GCC_TRIPLET_HOST}-gcc" make "-j$CPU_COUNT" || fail "Could not build libiconv"
+        cp -fpv "libcharset/lib/.libs/libcharset-1.dll" "$DLL_TARGET_DIR/" || fail "Could not copy the libcharset binary to DLL_TARGET_DIR"
+        cp -fpv "lib/.libs/libiconv-2.dll" "$DLL_TARGET_DIR/" || fail "Could not copy the libiconv binary to DLL_TARGET_DIR"
         # FIXME avoid using sudo
-        sudo make install prefix="/usr/${GCC_TRIPLET_HOST}"  || fail "Could not install win-iconv"
+        sudo make install  || fail "Could not install libiconv"
+        # workaround to delete files owned by root, created by "make install":
+        make clean
     )
     "$CONTRIB"/make_zbar.sh || fail "Could not build zbar"
 fi

contrib/build-wine/patches/libiconv-fix-pointer-buf.patch

@@ -0,0 +1,37 @@
+--- a/lib/iconv.c	2018-05-03 23:18:55.997221700 -0400
++++ b/lib/iconv.c	2018-05-03 23:26:47.611682700 -0400
+@@ -170,12 +170,12 @@ static const struct stringpool2_t string
+ #include "aliases2.h"
+ #undef S
+ };
+ #define stringpool2 ((const char *) &stringpool2_contents)
+ static const struct alias sysdep_aliases[] = {
+-#define S(tag,name,encoding_index) { (int)(long)&((struct stringpool2_t *)0)->stringpool_##tag, encoding_index },
++#define S(tag,name,encoding_index) { (int)(intptr_t)&((struct stringpool2_t *)0)->stringpool_##tag, encoding_index },
+ #include "aliases2.h"
+ #undef S
+ };
+ #ifdef __GNUC__
+ __inline
+ #else
+--- a/lib/genaliases.c	2023-01-14 00:00:00.000000000 +0000
++++ b/lib/genaliases.c	2023-01-14 10:18:00.000000000 +0000
+@@ -50,7 +50,7 @@
+       putc(c, out2);
+     }
+   }
+-  fprintf(out2,"\")' tmp.h | sed -e 's|^.*\\(stringpool_str[0-9]*\\).*$|  (int)(long)\\&((struct stringpool_t *)0)->\\1,|'\n");
++  fprintf(out2,"\")' tmp.h | sed -e 's|^.*\\(stringpool_str[0-9]*\\).*$|  (int)(intptr_t)\\&((struct stringpool_t *)0)->\\1,|'\n");
+   for (; n > 0; names++, n--)
+     emit_alias(out1, *names, c_name);
+ }
+--- a/lib/genaliases2.c	2023-01-14 00:00:00.000000000 +0000
++++ b/lib/genaliases2.c	2023-01-14 10:18:00.000000000 +0000
+@@ -44,6 +44,6 @@
+ static void emit_encoding (FILE* out1, FILE* out2, const char* tag, const char* const* names, size_t n, const char* c_name)
+ {
+-  fprintf(out2,"  (int)(long)&((struct stringpool2_t *)0)->stringpool_%s_%u,\n",tag,counter);
++  fprintf(out2,"  (int)(intptr_t)&((struct stringpool2_t *)0)->stringpool_%s_%u,\n",tag,counter);
+   for (; n > 0; names++, n--)
+     emit_alias(out1, tag, *names, c_name);
+ }

contrib/build-wine/prepare-wine.sh

@@ -53,9 +53,7 @@ $WINE_PYTHON -m pip install --no-build-isolation --no-dependencies --no-binary :
 
 
 # copy already built DLLs
-cp "$DLL_TARGET_DIR"/libsecp256k1-*.dll $WINEPREFIX/drive_c/electrum/electrum/ || fail "Could not copy libsecp to its destination"
-cp "$DLL_TARGET_DIR/libzbar-0.dll" $WINEPREFIX/drive_c/electrum/electrum/ || fail "Could not copy libzbar to its destination"
-cp "$DLL_TARGET_DIR/libusb-1.0.dll" $WINEPREFIX/drive_c/electrum/electrum/ || fail "Could not copy libusb to its destination"
+cp "$DLL_TARGET_DIR"/*.dll "$WINEPREFIX/drive_c/electrum/electrum/" || fail "Could not copy DLLs to destination"
 
 
 info "Building PyInstaller."