Tag versions using git

[maximbaz]

Hey, I saw you take good care of updating versions in Cargo.toml, may I ask you to also tag them using git?

It should be as easy as running git tag 0.2.2 and git push --tags on the commit where you bumped the version.

If you use PGP, I can also tell you how to provide signatures, if not - nevermind, it's not a big deal 🙂

I simply cannot resist packaging this awesome tool for Arch Linux, more people should be able to discover it, and having git tags would allow me to make the package easier, and once it gains more popularity, later move from AUR to community repo.

Many thanks 🙂 I'll update you with the link to the package, so you can also put it in README if you like.

[Gskartwii]

Thanks! I will be adding tags to the past versions ASAP, signatures included.

I am excited about and flattered by your plans about packaging, and I will be sure to include the link in the README. (:

[maximbaz]

Haha cool, thanks 🙂 To be honest just the latest version would be enough 😉

For the signatures, here's what I usually recommend:

1. For transparency, put in README your key ID, something like below would be enough (it's my key in the example below):

Releases are signed with the following PGP key: `8053EB88879A68CB4873D32B011FDC52DA839335`

2. For packagers, signature of the .tar.gz file that Github generates is enough. This archive is reproducible and can be generated using the following git command:

git archive -o "teehee-<version>.tar.gz" --format tar.gz --prefix "teehee-<version>/" "<tag>"

For example:

git archive -o "teehee-0.2.2.tar.gz" --format tar.gz --prefix "teehee-0.2.2/" "v0.2.2"

This will make you a .tar.gz file (which is the same .tar.gz that Github generates when you push a tag), which you then sign with gpg --detach-sign and upload this signature alone to your github release.

.zip on the other hand is not reproducible (if you run this command, you will get a different file that Github generates, it's sadly not byte-to-byte equal), so I would suggest to just ignore .zip).

Let me know if you need any help! 🙂

[Gskartwii]

Hi, thanks for your advice! I've now created a tag and a GH release for the latest released version. If there's anything else I should take care of, let me know here.

[maximbaz]

Awesome! Could you please upload your public key to http://keys.gnupg.net/ ? It will then propagate to different servers, and gpg will be able to pull your key by its ID.

Also, for the signature, a conventional way is to also preserve the file extension before the signature, i.e. name the signature teehee-v0.2.2.tar.gz.sig instead of teehee-v0.2.2.sig 🙂

[Gskartwii]

Thanks, I've uploaded my public key to http://keys.gnupg.net/, and I've also fixed the signature filename on the GitHub release.

It is my first time using the keyserver. I was able to download back my public key from it using gpg from the command line, but the key didn't appear on the web interface when I searched for it using the hash.

[maximbaz]

It's perfect now! If you want to make an "Installation" section in README, you can put something like this:

The package for Arch Linux is available on [AUR](https://aur.archlinux.org/packages/teehee/)

Many thanks for your collaboration on this 😉

[Gskartwii]

Awesome! No problem and thank you too.

[maximbaz]

Hi @Gskartwii, I noticed that signature of 0.2.3 didn't match and after looking into it I saw that it's because when you generated the archive, even though the tag name starts with v, inside the archive you should not use v - in other words, the command should be like this to match what Github is doing:

git archive -o "teehee-v0.2.3.tar.gz" --format tar.gz --prefix "teehee-0.2.3/" "v0.2.3"

Would you be able to reupload the archive and signature please?

Thanks for the new release, by the way 😉

[Gskartwii]

Hi @maximbaz, good catch! I've updated the tarball and its signature on the GitHub release to match that command.

You're welcome! I hope the undo functionality will be useful to you, and feel free to report any bugs that you might come across.