Add a quick signing script to verify github releases #425
Conversation
echo "Getting $TAG.zip"
curl -LOs "https://github.com/TokTok/c-toxcore/archive/$TAG.zip"
unzip -q "$TAG.zip"
cp -r "c-toxcore-$VERSION"/* .
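Review bot: the `curl -LOs` line has no `-f`/`--fail`, so on a 404 (for example a mistyped `$TAG`) curl silently saves the HTML error page as `$TAG.zip` and the script only fails later inside `unzip` with an unrelated message; use `curl -fLOs ...` and stop on a non-zero exit status before unpacking. Also note that `cp -r "c-toxcore-$VERSION"/* .` does not match dotfiles at the top level of the extracted tree, so anything like a `.gitignore` or `.travis.yml` in the archive is dropped from the copied result.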
This does not cover a modified online source where files are missing. The better solution is to compare both tar files via cmp:
NicoHood/GPGit@1862f79#diff-7a66bd62453af6c2a03d2b155a00662bR471
Instead of rewriting everything from scratch you could try my gpgit script. Feel free to give me feedback. It should cover all features with better error correction, more options and fancy output:
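The check proposed in the comment above (comparing the local and downloaded archives with cmp), carried one step further into a per-file comparison that also names which files are missing, added or changed, as an added example that is not part of this PR or of gpgit. It assumes a POSIX userland with tar, cmp and diff; the source tree, file names and archives are constructed inside the script, so it runs offline.

```sh
#!/bin/sh
# Added example (not from the PR): checking a downloaded release archive against
# the local source tree. Two checks are shown:
#   1. cmp of the two archives byte for byte (the check suggested in the review);
#   2. diff -rq of the extracted archive against the local tree, which also names
#      files that are missing, added or changed.
# All directories and sample files are constructed here for the demonstration.
set -eu

# compare_archives LOCAL_TAR DOWNLOADED_TAR
# Returns 0 when the two files are byte-identical, 1 otherwise.
compare_archives() {
    if cmp -s "$1" "$2"; then
        echo "OK: $2 matches $1"
        return 0
    fi
    echo "MISMATCH: $2 differs from $1"
    return 1
}

# compare_tree SRC_DIR DOWNLOADED_TAR
# Extracts the archive and diffs it against SRC_DIR; prints each differing
# path ("Only in ..." for missing files). Returns 0 if identical, 1 otherwise.
compare_tree() {
    work=$(mktemp -d)
    tar -xzf "$2" -C "$work"
    # GitHub archives unpack into a single top-level directory.
    top=$(ls "$work" | head -n 1)
    if diff -rq "$1" "$work/$top"; then
        rm -rf "$work"
        return 0
    fi
    rm -rf "$work"
    return 1
}

# make_fixtures: constructs a tiny source tree plus three archives and prints
# the directory holding them:
#   good.tar.gz     -> the "local" archive built from the tree
#   copy.tar.gz     -> an exact copy, standing in for an untampered download
#   tampered.tar.gz -> a "download" with CMakeLists.txt removed
make_fixtures() {
    demo=$(mktemp -d)
    mkdir -p "$demo/c-toxcore-1.0/toxcore"
    printf 'int tox_version_major(void) { return 1; }\n' > "$demo/c-toxcore-1.0/toxcore/tox.c"
    printf 'project(toxcore C)\n' > "$demo/c-toxcore-1.0/CMakeLists.txt"
    tar -czf "$demo/good.tar.gz" -C "$demo" c-toxcore-1.0
    cp "$demo/good.tar.gz" "$demo/copy.tar.gz"
    # Build the tampered archive from a copy of the tree with one file deleted.
    mkdir -p "$demo/tampered"
    cp -R "$demo/c-toxcore-1.0" "$demo/tampered/"
    rm "$demo/tampered/c-toxcore-1.0/CMakeLists.txt"
    tar -czf "$demo/tampered.tar.gz" -C "$demo/tampered" c-toxcore-1.0
    echo "$demo"
}

demo=$(make_fixtures)
compare_archives "$demo/good.tar.gz" "$demo/copy.tar.gz"     || true
compare_archives "$demo/good.tar.gz" "$demo/tampered.tar.gz" || true  # reports a mismatch
compare_tree "$demo/c-toxcore-1.0" "$demo/tampered.tar.gz"   || true  # lists the missing CMakeLists.txt
rm -rf "$demo"
```

The cmp check alone only says that something differs; the diff -rq pass is what tells the release manager whether a file was dropped, added or edited in the archive that GitHub served, which is exactly the case the comment above says the original script misses.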
@robinlinden (who does the releases): does gpgit solve your use case? Can it be made to solve your use case, or do we need this custom script?
gpgit is probably better
e0f's solution is more tailored towards our use-case. It covers creating a signature in the format we've used thus far. NicoHood's solution recompresses the source as a .tar.xz file, adds a digest and signs the .tar.xz. No signatures for the existing archives GitHub likes to add. I'm not sure what solution we want to go with. I'm fine with either. I've been using e0f's script with some manual checks added thus far.
@robinlinden You are not right. At least not anymore. My script does use the GitHub .tar.gz releases, downloads them, verifies them and signs them. You can even upload them to GitHub if you wish. The (signature) username will not be included within the signature, but that is something you maybe want to manually change or add as a comment. Normally it would be fine if one signs the source and all possible GPG keys should be published in the main Readme (full fingerprints please). This would also make it simpler to package new releases if a name was NOT used like this. Feel free to try gpgit in its new version again :)
This script was created by @endoffile78 for uTox but it works for toxcore as well.