qTox / qTox

qTox is a chat, voice, video, and file transfer IM client using the encrypted peer-to-peer Tox protocol.
https://qtox.github.io/
GNU General Public License v3.0

Tagged v1.15.0 Release Missing Signature #5125

Closed quantumpacket closed 6 years ago

quantumpacket commented 6 years ago

My automated build script failed during git tag verification due to the latest release missing a signature. :cry:

$ git tag --verify v1.15.0
object 02d6c63acaac0ae95fa8be3a1b9301657e6a4a94
type commit
tag v1.15.0
tagger Anthony Bilinski <me@abilinski.com> 1524171597 -0700

qTox v1.15.0 release. For details see CHANGELOG.md.
error: no signature found

anthonybilinski commented 6 years ago

Confirmed:

git tag -v v1.15.0
object 02d6c63acaac0ae95fa8be3a1b9301657e6a4a94
type commit
tag v1.15.0
tagger Anthony Bilinski <me@abilinski.com> 1524171597 -0700

qTox v1.15.0 release. For details see CHANGELOG.md.
error: no signature found

I must have dropped the signature when moving the release tag for the hotfix from 3c15cd2b10dc084416ead98eb9c270578642d436 to 02d6c63acaac0ae95fa8be3a1b9301657e6a4a94 right after pushing the first tag =/

I can sign a new tag and overwrite the current one in the same place which will update our download artifacts. Does this sound like it would break anything (@sudden6 @Diadlo)?

sudden6 commented 6 years ago

@anthonybilinski I don't think that's the best idea, because the release is out for pretty long time. Maybe create a v1.15.1 tag and release?

anthonybilinski commented 6 years ago

I'm fine either way, but since we wouldn't be changing the git commit or any files, does it matter that v1.15.0 has been out a while? If none of our build artifacts change hash and all that's changed is adding a signature to the tag, then IMO a new release isn't required. I'll test locally and make sure changing the tag does indeed not change artifact hashes. Does anyone object and think v1.15.1 is required?

sudden6 commented 6 years ago

ok for me

anthonybilinski commented 6 years ago

Testing locally, it looks like signing and replacing the tag doesn't change 1) qtox hash of linux build 2) tarball hash

but both 1) appImage 2) windows cross compile

change hashes every build. Since hash of non-signed artifacts was enough to create issue in https://github.com/qTox/qTox/issues/5140, and new build artifacts will probably be triggered since we would be pushing a new tag, I think making a v1.15.1 release is required. If we're going to go through release work-flow, might as well include some bug fixes in the patch release, I think.

quantumpacket commented 6 years ago

Is there a step in the release process to verify signatures are present and valid before releasing? So to avoid accidental unverified releases in the future. :)

anthonybilinski commented 6 years ago

Apparently not, but I agree there should be. I'll look into that as part of this release.
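The kind of release-process check asked about above, and the verification step the automated build script in the first comment tripped over, can be expressed as a small gate that fails closed. This is an added example, not qTox's own release tooling: the function name `verify_release_tag`, the helper `demo_unsigned_tag`, and the throwaway repository with tag `v0.0.0-demo` it builds are all constructed for illustration. It relies on the observed behaviour that `git tag -v` exits non-zero and prints `error: no signature found` for an annotated tag that carries no signature.

```shell
#!/bin/sh
# Pre-release gate: refuse to continue unless the release tag is an annotated,
# signed tag whose signature verifies, and (optionally) points at the expected
# commit. Added example; not part of the qTox project.

# verify_release_tag TAG [EXPECTED_COMMIT]
# Returns 0 only when:
#   - TAG exists and is an annotated tag object (a lightweight tag has nothing
#     to sign, so it is rejected outright),
#   - `git tag -v TAG` succeeds, i.e. a signature is present and verifies,
#   - if EXPECTED_COMMIT is given, TAG resolves to exactly that commit
#     (catches a tag that was moved to a different commit after signing).
verify_release_tag() {
    tag="$1"
    expected="${2:-}"

    if [ "$(git cat-file -t "$tag" 2>/dev/null)" != "tag" ]; then
        echo "FAIL: $tag is missing or is a lightweight tag (no tag object to sign)" >&2
        return 1
    fi

    # "error: no signature found" and a bad signature both make this non-zero.
    if ! git tag -v "$tag" >/dev/null 2>&1; then
        echo "FAIL: $tag has no signature or the signature does not verify" >&2
        return 1
    fi

    if [ -n "$expected" ]; then
        actual="$(git rev-parse "$tag^{commit}")"
        if [ "$actual" != "$expected" ]; then
            echo "FAIL: $tag points at $actual, expected $expected" >&2
            return 1
        fi
    fi

    echo "OK: $tag is signed, verified and points at $(git rev-parse "$tag^{commit}")"
    return 0
}

# Self-contained demonstration (constructed): build a throwaway repository with
# one commit and an UNSIGNED annotated tag, then run the gate against it.
# Returns the gate's exit status; non-zero is the expected (correct) outcome,
# mirroring the v1.15.0 situation from this issue.
demo_unsigned_tag() {
    repo="$(mktemp -d)"
    status=0
    (
        cd "$repo" || exit 2
        git init -q .
        git -c user.name=demo -c user.email=demo@example.invalid \
            commit -q --allow-empty -m "release commit (constructed)"
        git -c user.name=demo -c user.email=demo@example.invalid \
            tag -a v0.0.0-demo -m "unsigned demo tag (constructed)"
        verify_release_tag v0.0.0-demo
    ) || status=$?
    rm -rf "$repo"
    return $status
}

# Usage in a release script, before any artifacts are built or uploaded:
#   verify_release_tag "v1.15.0" "02d6c63acaac0ae95fa8be3a1b9301657e6a4a94" || exit 1
```

Running the gate before the build starts, rather than after, means a tag that lost its signature (or was re-pointed after signing) stops the release instead of producing artifacts that downstream verifiers will reject.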

tox-user commented 6 years ago

> Does anyone object and think v1.15.1 is required?

Audio group chats don't work and there have been a few important bug fixes that we could include.

tox-user commented 6 years ago

It's not necessary to have 1.15.1, but I think we should release this month.

quantumpacket commented 6 years ago

closing as newer releases available