Merge branch 'master' into testing-v25.12rc1

Author: enaples

.github/workflows/ci.yaml

@@ -235,6 +235,86 @@ jobs:
           ./configure --enable-debugbuild --enable-fuzzing --enable-address-sanitizer --enable-ub-sanitizer --disable-valgrind CC=clang
           uv run make -j $(nproc) check-fuzz
 
+  check-downgrade:
+    name: Check we can downgrade the node
+    runs-on: ubuntu-22.04
+    needs:
+      - compile
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - CFG: compile-gcc
+            TEST_DB_PROVIDER: sqlite3
+            TEST_NETWORK: regtest
+            VALGRIND: 1
+          - CFG: compile-gcc
+            TEST_DB_PROVIDER: postgres
+            TEST_NETWORK: regtest
+          - CFG: compile-gcc
+            TEST_DB_PROVIDER: sqlite3
+            TEST_NETWORK: liquid-regtest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Python 3.10
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.10"
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v5
+
+      - name: Install dependencies
+        run: |
+          bash -x .github/scripts/setup.sh
+
+      - name: Install bitcoind
+        env:
+          TEST_NETWORK: ${{ matrix.TEST_NETWORK }}
+        run: .github/scripts/install-bitcoind.sh
+
+      - name: Download build
+        uses: actions/download-artifact@v4
+        with:
+          name: cln-${{ matrix.CFG }}.tar.bz2
+
+      - name: Unpack pre-built CLN
+        env:
+          CFG: ${{ matrix.CFG }}
+        run: |
+          tar -xaf cln-${CFG}.tar.bz2
+
+      - name: Fetch and unpack previous CLN
+        run: |
+          mkdir /tmp/old-cln
+          cd /tmp/old-cln
+          wget https://github.com/ElementsProject/lightning/releases/download/v25.09/clightning-v25.09-Ubuntu-22.04-amd64.tar.xz
+          tar -xaf clightning-v25.09-Ubuntu-22.04-amd64.tar.xz
+
+      - name: Switch network
+        if: ${{ matrix.TEST_NETWORK == 'liquid-regtest' }}
+        run: |
+          # Loading the network from config.vars rather than the envvar is a terrible idea...
+          sed -i 's/TEST_NETWORK=regtest/TEST_NETWORK=liquid-regtest/g' config.vars
+          cat config.vars
+
+      - name: Test
+        env:
+          SLOW_MACHINE: 1
+          PYTEST_PAR: 10
+          TEST_DEBUG: 1
+          TEST_DB_PROVIDER: ${{ matrix.TEST_DB_PROVIDER }}
+          TEST_NETWORK: ${{ matrix.TEST_NETWORK }}
+          LIGHTNINGD_POSTGRES_NO_VACUUM: 1
+          VALGRIND: ${{ matrix.VALGRIND }}
+          PREV_LIGHTNINGD: /tmp/old-cln/usr/bin/lightningd
+        run: |
+          env
+          cat config.vars
+          uv run eatmydata pytest tests/test_downgrade.py -vvv -n ${PYTEST_PAR} ${PYTEST_OPTS}
+
   integration:
     name: Test CLN ${{ matrix.name }}
     runs-on: ubuntu-22.04
@@ -627,6 +707,7 @@ jobs:
       - integration-valgrind
       - integration-sanitizers
       - min-btc-support
+      - check-downgrade
     if: ${{ always() }}
     steps:
       - name: Complete
@@ -638,6 +719,7 @@ jobs:
           SANITIZERS: ${{ needs['integration-sanitizers'].result }}
           DOCS: ${{ needs['update-docs-examples'].result }}
           BTC: ${{ needs['min-btc-support'].result }}
+          CHECK_DOWNGRADE: ${{ needs['check-downgrade'].result }}
         run: |
           failed=""
           for name in $JOB_NAMES; do

.github/workflows/release.yml

@@ -12,6 +12,13 @@ on:
       version:
         description: 'Release version'
         required: true
+      skip_validation:
+        description: Skip release validation for untagged commit testing
+        default: no
+        type: choice
+        options:
+          - yes
+          - no
       create_release:
         description: Create a draft release
         default: no
@@ -31,6 +38,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           ref: ${{ github.ref }}
+          fetch-depth: 0
 
       - name: Determine version
         run: |
@@ -46,6 +54,7 @@ jobs:
           echo "Determined version: $VERSION"
 
       - name: Validate release
+        if: github.event_name != 'workflow_dispatch' || github.event.inputs.skip_validation != 'yes'
         run: tools/check-release.sh --version=${VERSION}
 
       - name: Catpure version output
@@ -55,6 +64,8 @@ jobs:
   releases:
     name: Releases
     needs: check
+    env:
+      version: ${{ needs.check.outputs.version }}
     runs-on: ubuntu-24.04
     strategy:
       fail-fast: false    # Let each build finish.
@@ -67,6 +78,9 @@ jobs:
     steps:
       - name: Git checkout
         uses: actions/checkout@v4
+        with:
+          ref: ${{ github.ref }}
+          fetch-depth: 0
 
       - name: Build environment setup
         run: |
@@ -83,7 +97,13 @@ jobs:
         if: contains(matrix.target, 'Ubuntu')
 
       - name: Build release
-        run: tools/build-release.sh ${{ matrix.target }}
+        run: |
+          # Allow build release to execute if manually triggered for testing
+          if [ "${{ github.event_name }}" == "workflow_dispatch" && github.event.inputs.skip_validation == 'yes' ]; then
+            tools/build-release.sh ${{ matrix.target }} --force-version "${{ env.version }}" --force-unclean --force-mtime "$(date +%Y-%m-%d)"
+          else
+            tools/build-release.sh ${{ matrix.target }}
+          fi
 
       - name: Upload target artifacts
         uses: actions/upload-artifact@v4
@@ -119,6 +139,9 @@ jobs:
     steps:
       - name: Git checkout
         uses: actions/checkout@v4
+        with:
+          ref: ${{ github.ref }}
+          fetch-depth: 0
 
       - name: Download artifact
         uses: actions/download-artifact@v4
@@ -138,10 +161,7 @@ jobs:
         run: echo "default-key ${{ steps.gpg.outputs.keyid }}" >> ~/.gnupg/gpg.conf
 
       - name: Sign release
-        run: |
-          sudo apt-get install -y lowdown
-          ./configure
-          tools/build-release.sh --without-zip sign
+        run: tools/build-release.sh --without-zip sign
 
       - name: Upload signed artifact
         uses: actions/upload-artifact@v4

.version

@@ -1 +1 @@
-v25.12rc1
+v25.12rc3

CHANGELOG.md

@@ -4,7 +4,7 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
-## [25.12rc1] - 2025-11-25: "Boltz's Seamless Upgrade Experience"
+## [25.12rc2] - 2025-11-28: "Boltz's Seamless Upgrade Experience"
 
 Release Candidate for Core Lightning v25.12
 
@@ -16,6 +16,7 @@ This release named by @sangbida
  - JSON-RPC: `fundchannel_complete` new parameter `withhold` for zero-conf channels (default false). ([#8546])
  - Plugins: `xpay` will now wait if it suspects a payment failure is due to a height disagreement with the final node. ([#8645])
  - Tools: `lightning-hsmtool` now supports hsm_secret files using a 12-word mnemonic. ([#8400])
+ - Tools: `lightningd-downgrade` can downgrade your database from v25.12 to v25.09 if something goes wrong. ([#8702])
  - JSON-RPC: `askrene-bias-node`: an RPC command to set a bias on node's outgoing or incoming channels. ([#8608])
  - JSON-RPC: `listpeerchannels` `funding` object `withheld` flag, and `listclosedchannels` `funding_withheld` flags, indicating fundchannel_complete was called with the `withheld` parameter true. ([#8546])
  - JSON-RPC: `psbt` field in `funding` in listpeerchannels, and `funding_psbt` in listclosedchannels. ([#8546])
@@ -58,9 +59,11 @@ Note: You should always set `allow-deprecated-apis=false` to test for changes.
 
 ### Fixed
 
+ - lightningd: we could miss tx spends which happened in the past blocks when we restarted. ([#8735])
  - lightningd: multiple significant speedups for large nodes, especially preventing "freezes" under exceptionally high load. ([#8677])
  - `xpay` will not try to send too many HTLCs through unknown channels (6, as that is Phoenix's limit) unless it has no choice ([#8537])
  - `xpay` fixed clash with simultaneous payments via routehints and blinded paths. ([#8685])
+ - `xpay`: error messages no longer incorrectly label intermediate channels as "the invoice's route hint". ([#8741])
  - JSON-RPC: `signpsbt` no longer crashes if asked to sign an already-signed PSBT with taproot paths. ([#8546])
  - Offers: require peers for blinded paths to have `option_onion_messages`, due to reports of LND not forwarding our blinded payments correctly. ([#8682])
  - Protocol: we now re-transmit unseen funding transactions on startup, for more robustness. ([#8546])
@@ -93,6 +96,10 @@ Note: You should always set `allow-deprecated-apis=false` to test for changes.
  - Splicing: Fixed crash when we splice a channel which hasn't been announced yet. ([#8555])
  - JSON-RPC: `cancelrecurringinvoice` command to send new "don't expect any more invoice requests" msg to recurring bolt12 invoices. ([#8398])
 
+
+[#8741]: https://github.com/ElementsProject/lightning/pull/8741
+[#8735]: https://github.com/ElementsProject/lightning/pull/8735
+[#8702]: https://github.com/ElementsProject/lightning/pull/8702
 [#8506]: https://github.com/ElementsProject/lightning/pull/8506
 [#8646]: https://github.com/ElementsProject/lightning/pull/8646
 [#8546]: https://github.com/ElementsProject/lightning/pull/8546
@@ -131,7 +138,7 @@ Note: You should always set `allow-deprecated-apis=false` to test for changes.
 [#8651]: https://github.com/ElementsProject/lightning/pull/8651
 [#8561]: https://github.com/ElementsProject/lightning/pull/8561
 [#8302]: https://github.com/ElementsProject/lightning/pull/8302
-[v25.12rc1]: https://github.com/ElementsProject/lightning/releases/tag/v25.12rc1
+[v25.12rc2]: https://github.com/ElementsProject/lightning/releases/tag/v25.12rc2
 
 
 ## [25.09.3] - 2025-11-06: "Hot Wallet Guardian IV"

Makefile

@@ -9,6 +9,9 @@ $(info Building version $(VERSION))
 # Next release.
 CLN_NEXT_VERSION := v25.12
 
+# Previous release (for downgrade testing)
+CLN_PREV_VERSION := v25.09
+
 # --quiet / -s means quiet, dammit!
 ifeq ($(findstring s,$(word 1, $(MAKEFLAGS))),s)
 ECHO := :
@@ -552,8 +555,8 @@ CHECK_BOLT_PREFIX=--prefix="BOLT-$(BOLTVERSION)"
 endif
 
 # Any mention of BOLT# must be followed by an exact quote, modulo whitespace.
-bolt-check/%: % bolt-precheck tools/check-bolt
-	@if [ -d .tmp.lightningrfc ]; then tools/check-bolt $(CHECK_BOLT_PREFIX) .tmp.lightningrfc $<; else echo "Not checking BOLTs: BOLTDIR $(BOLTDIR) does not exist" >&2; fi
+bolt-check/%: % bolt-precheck devtools/check-bolt
+	@if [ -d .tmp.lightningrfc ]; then devtools/check-bolt $(CHECK_BOLT_PREFIX) .tmp.lightningrfc $<; else echo "Not checking BOLTs: BOLTDIR $(BOLTDIR) does not exist" >&2; fi
 
 LOCAL_BOLTDIR=.tmp.lightningrfc
 
@@ -565,7 +568,7 @@ check-source-bolt: $(ALL_NONGEN_SRCFILES:%=bolt-check/%)
 check-whitespace/%: %
 	@if grep -Hn '[ 	]$$' $<; then echo Extraneous whitespace found >&2; exit 1; fi
 
-check-whitespace: check-whitespace/Makefile check-whitespace/tools/check-bolt.c $(ALL_NONGEN_SRCFILES:%=check-whitespace/%)
+check-whitespace: check-whitespace/Makefile check-whitespace/devtools/check-bolt.c $(ALL_NONGEN_SRCFILES:%=check-whitespace/%)
 
 check-spelling:
 	@tools/check-spelling.sh
@@ -934,8 +937,7 @@ TESTBINS = \
 	$(CLN_PLUGIN_EXAMPLES) \
 	tests/plugins/test_libplugin \
 	tests/plugins/channeld_fakenet \
-	tests/plugins/test_selfdisable_after_getmanifest \
-	tools/hsmtool
+	tests/plugins/test_selfdisable_after_getmanifest
 
 # The testpack is used in CI to transfer built artefacts between the
 # build and the test phase. This is necessary because the fixtures in
@@ -944,7 +946,7 @@ TESTBINS = \
 # version of `lightningd` leading to bogus results. We bundle up all
 # built artefacts here, and will unpack them on the tester (overlaying
 # on top of the checked out repo as if we had just built it in place).
-testpack.tar.bz2: $(BIN_PROGRAMS) $(PKGLIBEXEC_PROGRAMS) $(PLUGINS) $(PY_PLUGINS) $(MAN1PAGES) $(MAN5PAGES) $(MAN7PAGES) $(MAN8PAGES) $(DOC_DATA) config.vars $(TESTBINS) $(DEVTOOLS)
+testpack.tar.bz2: $(BIN_PROGRAMS) $(PKGLIBEXEC_PROGRAMS) $(PLUGINS) $(PY_PLUGINS) $(MAN1PAGES) $(MAN5PAGES) $(MAN7PAGES) $(MAN8PAGES) $(DOC_DATA) config.vars $(TESTBINS) $(DEVTOOLS) $(TOOLS)
 	tar -caf $@ $^
 
 uninstall:

README.md

@@ -11,7 +11,7 @@ Core Lightning (previously c-lightning) is a lightweight, highly customizable an
 	* [Sending and Receiving Payments](#sending-and-receiving-payments)
 	* [Configuration File](#configuration-file)
 * [Further Information](#further-information)
-    * [FAQ](doc/FAQ.md)
+    * [FAQ](doc/node-operators-guide/faq.md)
     * [Pruning](#pruning)
     * [HD wallet encryption](#hd-wallet-encryption)
 	* [Developers](#developers)
@@ -198,7 +198,7 @@ If the two blockheights drift apart it might be necessary to intervene.
 
 ### HD wallet encryption
 
-You can encrypt the `hsm_secret` content (which is used to derive the HD wallet's master key) by passing the `--encrypted-hsm` startup argument, or by using the `hsmtool` (which you can find in the `tool/` directory at the root of this repo) with the `encrypt` method. You can unencrypt an encrypted `hsm_secret` using the `hsmtool` with the `decrypt` method.
+You can encrypt the `hsm_secret` content (which is used to derive the HD wallet's master key) by passing the `--encrypted-hsm` startup argument, or by using the `lightning-hsmtool` (which you can find in the `tool/` directory at the root of this repo) with the `encrypt` method. You can unencrypt an encrypted `hsm_secret` using the `lightning-hsmtool` with the `decrypt` method.
 
 If you encrypt your `hsm_secret`, you will have to pass the `--encrypted-hsm` startup option to `lightningd`. Once your `hsm_secret` is encrypted, you __will not__ be able to access your funds without your password, so please beware with your password management. Also, beware of not feeling too safe with an encrypted `hsm_secret`: unlike for `bitcoind` where the wallet encryption can restrict the usage of some RPC command, `lightningd` always needs to access keys from the wallet which is thus __not locked__ (yet), even with an encrypted BIP32 master seed.
 

connectd/multiplex.c

@@ -1280,9 +1280,17 @@ static struct io_plan *read_body_from_peer_done(struct io_conn *peer_conn,
 		* more verbose: hang up on error. */
 	       if (type == WIRE_ERROR || type == WIRE_WARNING) {
 		       char *desc = sanitize_error(tmpctx, decrypted, NULL);
-		       status_peer_info(&peer->id,
-					"Received %s: %s",
-					peer_wire_name(type), desc);
+		       /* FIXME: We should check old gossip, since we get many of
+			* these "no unspent txout" for closed channels which we
+			* somehow missed. */
+		       if (strstr(desc, "no unspent txout"))
+			       status_peer_debug(&peer->id,
+						 "Received %s: %s",
+						 peer_wire_name(type), desc);
+		       else
+			       status_peer_info(&peer->id,
+						"Received %s: %s",
+						peer_wire_name(type), desc);
 		       if (type == WIRE_WARNING)
 			       return next_read(peer_conn, peer);
 		       return io_close(peer_conn);

contrib/keys/litecoin/davidburkett.gpg

@@ -7472,7 +7472,7 @@
               "Value to be decoded:",
               "    * a *bolt11* or *bolt12* string (optionally prefixed by `lightning:` or `LIGHTNING:`) as specified by the BOLT 11 and BOLT 12 specifications.",
               "    * a *rune* as created by lightning-commando-rune(7).",
-              "    * an *emergency_recover* string generated by hsmtool like `lightning-hsmtool getemergencyrecover <path/to/emergency.recover>`. It holds `emergency.recover` contents and starts with `clnemerg1`."
+              "    * an *emergency_recover* string generated by lightning-hsmtool like `lightning-hsmtool getemergencyrecover <path/to/emergency.recover>`. It holds `emergency.recover` contents and starts with `clnemerg1`."
             ]
           }
         }
@@ -30511,7 +30511,7 @@
       "description": [
         "The **recover** RPC command wipes your node and restarts it with the `--recover` option. This is only permitted if the node is unused: no channels, no bitcoin addresses issued (you can use `check` to see if recovery is possible).",
         "",
-        "*hsmsecret* is either a codex32 secret starting with \"cl1\" as returned by `hsmtool getcodexsecret`, or a raw 64 character hex string.",
+        "*hsmsecret* is either a codex32 secret starting with \"cl1\" as returned by `lightning-hsmtool getcodexsecret`, or a raw 64 character hex string.",
         "",
         "NOTE: this command only currently works with the `sqlite3` database backend."
       ],
@@ -30524,7 +30524,7 @@
           "hsmsecret": {
             "type": "string",
             "description": [
-              "Either a codex32 secret starting with `cl1` as returned by `hsmtool getcodexsecret`, or a raw 64 character hex string."
+              "Either a codex32 secret starting with `cl1` as returned by `lightning-hsmtool getcodexsecret`, or a raw 64 character hex string."
             ]
           }
         }

contrib/msggen/msggen/schema.json

@@ -4,7 +4,7 @@
 from .gossmapstats import GossmapStats
 from .version import NodeVersion
 
-__version__ = "v25.12rc1"
+__version__ = "v25.12rc3"
 
 __all__ = [
     "LightningRpc",