Closed seberm closed 1 year ago
So do we need to release binaries and sign them, right?
You can also release binaries and sign them, but more important to nix-bitcoin/nix projects is to sign the source code itself. These projects do not use ready-made binaries; everything is compiled from source.
You have basically two options:
1) Generate the checksums of released tar archives and sign this checksum file. You can take the clightning project as an example:
2) Or, and I think this is the best approach, you can sign all the (future) commits and tags in this repository.
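As an added, constructed example (not code from this thread, rust-teos or nix-bitcoin's get-sha256.sh), the script below walks through both options end to end with a throwaway key and repository: a signed tag (option 2) and a signed SHA256SUMS file over the release tarball (option 1), followed by the consumer-side checks and a tampering test. The maintainer name, the version v0.1.2 and the tarball name are assumed.

```shell
#!/bin/sh
# Constructed demo of both options above, not code from the thread or nix-bitcoin:
# a throwaway GPG key signs a git tag (option 2) and a SHA256SUMS file for the
# release tarball (option 1); the consumer verifies both and rejects tampering.
# Assumes git, gpg (2.1+), tar, gzip and GNU sha256sum are installed.
set -eu
WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"
mkdir -m 700 "$GNUPGHOME"

# Unprotected batch key standing in for the maintainer's real key (constructed).
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'Demo Maintainer <demo@example.invalid>' default default never
FPR=$(gpg --batch --with-colons --list-secret-keys | awk -F: '$1=="fpr"{print $10; exit}')

# Maintainer side: one commit, a signed annotated tag, a tarball and signed checksums.
REPO="$WORK/repo"
git init -q "$REPO" && cd "$REPO"
git config user.name 'Demo Maintainer'; git config user.email 'demo@example.invalid'
git config user.signingkey "$FPR"
echo 'fn main() {}' > main.rs && git add main.rs && git commit -q -m 'initial'
git tag -s v0.1.2 -m 'Release v0.1.2'            # option 2: signed tag
git archive --prefix=demo-0.1.2/ v0.1.2 | gzip > "$WORK/demo-0.1.2.tar.gz"
( cd "$WORK" && sha256sum demo-0.1.2.tar.gz > SHA256SUMS \
    && gpg --batch --detach-sign --armor SHA256SUMS )  # option 1: signed checksum file

# Consumer side, option 2: exit 0 only if the tag carries a good signature.
tag_signature_valid() { git -C "$1" verify-tag "$2" 2>/dev/null; }

# Consumer side, option 1: verify the signature first, then the checksums it covers.
checksums_valid() {
  ( cd "$1" && gpg --batch --verify SHA256SUMS.asc SHA256SUMS 2>/dev/null \
      && sha256sum -c --quiet SHA256SUMS 2>/dev/null )
}

# A tampered tarball must fail the checksum step even though the signature is fine.
tampered_copy_rejected() {
  COPY=$(mktemp -d)
  cp "$1"/SHA256SUMS "$1"/SHA256SUMS.asc "$1"/demo-0.1.2.tar.gz "$COPY"/
  echo corrupt >> "$COPY/demo-0.1.2.tar.gz"
  if checksums_valid "$COPY"; then return 1; else return 0; fi
}

tag_signature_valid "$REPO" v0.1.2 && echo "tag v0.1.2: good signature"
checksums_valid "$WORK" && echo "SHA256SUMS: good signature, checksums match"
tampered_copy_rejected "$WORK" && echo "tampered tarball: rejected"
gpgconf --kill gpg-agent 2>/dev/null || true     # tidy up the throwaway agent
```

Like the gpg output quoted later in this thread, a "good signature" here only proves the key signed it; checking that the fingerprint is the maintainer's is a separate step.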
@seberm thanks for taking the time to add rust-teos into nix-bitcoin. I'll make sure to add the signatures for v0.1.2 onwards if that makes sense.
@seberm I took a look at this and we are already signing all commits. I guess the only missing part may be to publish the GPG pubkey to the keyservers.
PS: I just added them. Let me know if there is anything else missing.
Hello @sr-gi, right now I can see that only commits from @meryacine are signed (e.g. https://github.com/talaia-labs/rust-teos/commit/f0f987933893a12c7a670058d83e895fd0cac452). Is there a commit of yours which is already signed by your key?
It would also be great if you could sign a tag as soon as you create one, using:
git tag -s v0.1.2 -m '<your tag message>'
More info: https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work
Thanks!
Oh, my bad, looks like it was GH signing this on my behalf with the GPG key I had uploaded here. I enabled client-side signing for my last commit: https://github.com/talaia-labs/rust-teos/pull/122/commits/391252386522f1e250e74f283a949e66bdd93275
Great! Everything seems fine, I think we are good to go with v0.1.2 :). Just please do not forget to also sign a tag.
Great. I'll wait to close this until the tag is created (that should be after the last issue in https://github.com/talaia-labs/rust-teos/milestone/1 gets fixed).
@seberm v0.1.2 got its first RC, in case you want to test that the sigs are correct.
https://github.com/talaia-labs/rust-teos/releases/tag/v0.1.2-rc1
Hello @sr-gi, everything seems fine :)
./get-sha256.sh
warning: Git tree '/home/user/Repos/nix-bitcoin' is dirty
Fetching latest release
Latest release is v0.1.2-rc1
Fetching Sergi Delgado Segura's key
Verifying latest release
gpg: Signature made Tue Sep 20 15:20:37 2022 CEST
gpg: using EDDSA key C1EC813BB179E3EAEDDB216E35DDB7126CCB7618
gpg: Good signature from "Sergi Delgado Segura <sergi.delgado.s@gmail.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: C1EC 813B B179 E3EA EDDB 216E 35DD B712 6CCB 7618
tag: v0.1.2-rc1
sha256: 0ilrpi6a5w5f3wawilkgqdkf3b7sjq9s40205gj7p3s04ps00n0
I just released v0.1.2.
https://github.com/talaia-labs/rust-teos/releases/tag/v0.1.2
Hello, I am working on integrating rust-teos into a nix-bitcoin project:
nix-bitcoin uses signature checking for all package releases. I have not found any signatures for rust-teos. Could you please add signatures? This would remove GitHub as a trusted party for distributing rust-teos.
For more info, please see:
Thanks!