ci: Report reproducible release SHASUMS on Travis

bwt-dev · Sep 22, 2020 · 72cfb45 · 72cfb45
1 parent e992262
commit 72cfb45
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 2 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -10,3 +10,11 @@ script:
   - ./scripts/check.sh
   - cargo clippy --all-targets --all-features
   - ./test/tests.sh
+
+  # Report reproducible builds shasums
+  - >
+    docker build -t bwt-builder -f scripts/builder.Dockerfile . &&
+    docker run -v `pwd`:/usr/src/bwt bwt-builder &&
+    echo '-----BEGIN SHA256SUM-----' &&
+    (cd dist && sha256sum *) | sort &&
+    echo ''
diff --git a/README.md b/README.md
@@ -1204,6 +1204,17 @@ $ docker run -it --rm -v `pwd`:/usr/src/bwt bwt-builder
 $ sha256sum dist/*
 ```
 
+The builds are [reproduced on Travis CI](https://travis-ci.org/github/shesek/bwt). The SHA256 checksums are available at the end of the build log.
+
+You can get the checksums for the latest stable release via the API as follows:
+
+```bash
+$ jobid=$(curl -s 'https://api.travis-ci.org/v3/repo/shesek%2Fbwt/builds?branch.name=stable&sort_by=started_at:desc&limit=1' | jq -r '.builds[0].jobs[0].id')
+$ curl -s https://api.travis-ci.org/v3/job/$jobid/log.txt | sed -nr '/^-----BEGIN SHA256SUM-----\s*$/{:a;n;/^\s*$/q;p;ba}'
+```
+
+> Verifying the checksums against the CI is highly recommended.
+
 ## Thanks
 
 - [@romanz](https://github.com/romanz)'s [electrs](https://github.com/romanz/electrs) for the fantastic electrum server implementation that bwt is based on.

diff --git a/scripts/release-footer.md b/scripts/release-footer.md
@@ -22,7 +22,11 @@ You should see `Good signature from "Nadav Ivgi <nadav@shesek.info>" ... Primary
 
 #### Reproducible builds
 
-The builds are fully reproducible. See [more details here](https://github.com/shesek/bwt#reproducible-builds).
+The builds are fully reproducible.
+
+You can verify the checksums against [the builds made on Travis CI](https://travis-ci.org/github/shesek/bwt) -- **doing so is highly recommended!**
+
+See [more details here](https://github.com/shesek/bwt#reproducible-builds).
 
 #### Electrum plugin
 

diff --git a/scripts/release.sh b/scripts/release.sh
@@ -44,7 +44,7 @@ if [ -z "$SKIP_BUILD" ]; then
   fi
 
   echo Making SHA256SUMS...
-  (cd dist && sha256sum *) | gpg --clearsign --digest-algo sha256 > SHA256SUMS.asc
+  (cd dist && sha256sum *) | sort | gpg --clearsign --digest-algo sha256 > SHA256SUMS.asc
 fi