Closed graingert closed 6 years ago
@laurentj you can create slimerjs-$SLIMER_VERSION.zip.sha1 and slimerjs-$SLIMER_VERSION.zip.sha1.asc files if you want people to be able to verify just the checksum
What should these files contain? Do you mean ".sha1" or "slimerjs.zip.sha1"?
out of interest, how does your CI work? Can you run on travis?
> slimerjs-$SLIMER_VERSION.zip.sha1.asc files if you want people to be able to verify just the checksum
Well, they can already verify the checksum. What's wrong with the method I give on this page? (except the key which was not uploaded on pgp.mit.edu, thank you :-))
Note: I don't know all the possibilities of gpg very well.
> out of interest, how does your CI work?
I have a Strider CD instance that runs simple bash scripts. One of them launches buildpackage.sh and launches sha256sum on the zip. Note that my CI doesn't launch unit tests (yes, this is bad, but I need to upgrade my server in order to launch them in a secure way, in a docker container for instance...)
> Can you run on travis?
It is not acceptable for me to build packages on travis and to download them (with signatures) to my server: I don't want to give ssh access on my server to an external service to allow it to push packages. The only thing I could accept with travis is to launch unit tests. But I haven't found time yet to configure a travis script (contributions are welcome ;-))
I just don't see the point in using shasum for only one file, it adds an extra layer of indirection. It would make sense if you were distributing multiple files on the other hand.
> It is not acceptable for me to build packages on travis and to download them (with signatures) to my server: I don't want to give ssh access on my server to an external service to allow it to push packages. The only thing I could accept with travis is to launch unit tests. But I haven't found time yet to configure a travis script (contributions are welcome ;-))
Of course, I don't expect you to sign them on Travis! I just want to know what you run to generate the sigs etc.
For next releases, some .sha256 files will be generated containing only sha256 sum...
Currently it's not possible to check the signature of slimerjs
It should be possible to do:
However the .asc file is not a detached signature,
and the key DBC76C05 has not been uploaded to a keyserver. I found it on your website, and uploaded it to pgp.mit.edu.
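
The two checks discussed in this thread, as an added example that is not from any participant or from the SlimerJS project: comparing an archive against a `.sha256` file that contains only the digest, and refusing an `.asc` that is not a detached signature before handing it to `gpg --verify`. The function names and the three file arguments are assumptions.

```bash
#!/usr/bin/env bash
# Added example: helper names and file names are assumptions, not SlimerJS tooling.

# Hex SHA-256 of a file, using whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Check FILE against a .sha256 file holding only the digest (a trailing
# file name, as sha256sum prints it, is tolerated). Integrity only: the
# checksum file itself is authenticated by nothing unless it is signed.
verify_sha256() (
    want=$(awk 'NR==1 { print tolower($1) }' "$2")
    [ "${#want}" -eq 64 ] && [ "$want" = "$(sha256_of "$1")" ]
)

# Classify an ASCII-armored OpenPGP file by its first armor header.
asc_kind() {
    case "$(sed -n '/^-----BEGIN PGP /{p;q;}' "$1" | tr -d '\r')" in
        '-----BEGIN PGP SIGNATURE-----')      echo detached ;;
        '-----BEGIN PGP SIGNED MESSAGE-----') echo clearsigned ;;
        '-----BEGIN PGP MESSAGE-----')        echo message ;;
        *)                                    echo unknown; return 1 ;;
    esac
}

# usage: verify_release ZIP ZIP.sha256 ZIP.asc
# Returns 1 on checksum mismatch, 2 if the .asc is not a detached signature,
# otherwise the exit status of gpg (the signer's key must already be imported).
verify_release() {
    verify_sha256 "$1" "$2" || { echo "checksum mismatch: $1" >&2; return 1; }
    [ "$(asc_kind "$3")" = detached ] ||
        { echo "$3 is not a detached signature" >&2; return 2; }
    gpg --verify "$3" "$1"
}

# Run the full check only when called with the three file arguments.
if [ "$#" -eq 3 ]; then
    verify_release "$@"
fi
```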