Closed nateonthenet closed 5 years ago
iFoggz
commented
7 years ago I believe @gridcoin was checking why the HTTPS was not working on the subdomain. This was mentioned here as well :+1: https://github.com/gridcoin/Gridcoin-Research/issues/194#issuecomment-306079749
pls2000
commented
7 years ago There is a request elsewhere to code sign the gridcoin exe and the installation package. That would solve a large part of this problem.
tomasbrod
commented
7 years ago Alternatives (from easiest)
Step 1 provides only marginal security, but is very easy to setup. Step 4 HTTPS does not provide any additional security in my view, Rob has problems setting it up, but it is praised by some. Step 5 requires more to setup, but @TheCharlatan is interested. I have some pgp (GPG) know-how and am willing to share it.
TheCharlatan
commented
7 years ago If anyone wants to join the effort, I am trying to port bitcoin's entire build system, which includes gitian, autoconf and some capabilities to quickly adapt to new tests and code. I push my changes to the gitian branch on my fork.
denravonska
commented
7 years ago @TheCharlatan What's the status of this? Does it build right now?
TheCharlatan
commented
7 years ago It is probably a week's worth of work away from building.
Edit: Scratch that, maybe the daemon will compile in another week or so.
gridcoin
commented
7 years ago Sweet. I downloaded the gitian builder and tested it and I see its virtiual machine builds an installer for Windows and OSX. I see the value in it, but its also a very slow build process so we still need the build scripts for windows in order to quickly debug.
denravonska
commented
7 years ago @gridcoin Is it slow for subsequent builds as well or is it a one-time thing when building the dependencies?
TheCharlatan
commented
7 years ago Gitian is meant for the release build only. If done correctly you download and compile all the dependencies yourself and then sign and upload your build. This is done in a deterministic way for every plattform and offers a tamper proof software distribution model. Its first setup takes some time, to setup the vm and the configs, but once that is done, you can just run the build script. It takes some time to execute, but it does not need any monitoring. You can and should use autoconf/qmake/visual studio etc. for non official builds, debugging, or if you anyway build the source yourself.
gridcoin
commented
7 years ago @denravonska Its extremely slow for subsequent builds as well (were talking about 4 hours for a build on a modern 8 core machine). Its because of what Charlatan said, each time the build starts, its tamper proof so it pulls the dependencies, upgrades the virtual machine, and rebuilds the code with -clean, so that ensure everyone who is testing the code is also testing with the same lib versions. Its valuable for releases, but not for debugging. It builds in a trusty VM against a different processor architecture. The main thing I like about it is the signed installer, allowing the end user to reinstall windows EXE overtop the old version for an alternative way to upgrade the software.
We would need to maintain an automake environment to building and debug natively.
tomasbrod
commented
7 years ago Having gitian working somewhere will be great, but signing the released binaries (all) by admin's pgp key is good enough. For gitian builds, after it is setup and took it's four hours, multikey signature should be created.
For build scripts: Please consider that there is already qmake set up for makefile generation. I advise against autotools (automake), as it is quite old, does lot's of unneeded detection, uses m4 macro processor and has really hard to read input file. When I see autotools buld, I always edit the generated makeifle directly as it is easier for me to understand. I recommend using some modern, like CMake, Scons or even keeping the qmake and extending it for nogui.
Nantris
commented
6 years ago Can we get an update on this please?
Peppernrino
commented
6 years ago Yeah, not sure why this issue was closed... we don't have digital signing yet.
iFoggz
commented
6 years ago msi's are release with a sha256 and u can download via https
iFoggz
commented
6 years ago @barton2526 mentioned providing that detail file with the msi download section
iFoggz
commented
6 years ago @barton2526 what is the status on this? the GridcoinResearch.msi.sha25 is available for download. could u provide some kind of small link or something to that area so a user can pull that to verify the msi so we can move to close this. HTTPS is available now so would like to push to close this old issue
barton2526
commented
6 years ago I'll put this in my web PR today. Will link when it's done.
barton2526
commented
6 years ago https://github.com/gridcoin-community/Gridcoin-Site/pull/112
This issue can be closed now I think.
iFoggz
commented
6 years ago yes this can be closed. thank you @barton2526
RoboticMind
commented
5 years ago @denravonska Can you close this
The current source at http://download.gridcoin.us/download/downloadstake/GridcoinResearch.msi is HTTP-only and some users have expressed a desire for a HTTPS-based source and/or a checksum for the current binaries. I realize HTTPS doesn't add much from a technical perspective, but image-wise it would be good, and the checksums are actually a good idea to assure downloaders that the binaries haven't been tampered with.