feat: simple release signing system #4339
Use `just sign-release v0.2.2` to sign the release. <prefix>-SHA256SUM and <prefix>-SHA256SUMS.asc are meant to be checked in.
🎉
@@ -0,0 +1,6 @@ | |||
716840cfe02a270aff5bf1a02eda9c87946af231ad4ca5796a981ed0d9b1723f v0.2.2-x86_64-linux/fedimint-cli |
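Review bot: The entry path `v0.2.2-x86_64-linux/fedimint-cli` is relative, so a `sha256sum -c` run only passes from a directory that has the binaries laid out under `v0.2.2-x86_64-linux/`, and the manifest itself does not say where that is. Suggest documenting the expected working directory next to the `just sign-release` instructions, or having the recipe print the exact verify command, so independent signers compare the same layout.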
I'm getting the same hashes
@@ -0,0 +1 @@ | |||
!/bins |
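Review bot: If this one-line file is a `.gitignore`, the leading `!` in `!/bins` negates the pattern, which re-includes `/bins` instead of ignoring it, so the build output directory still shows up as untracked. Dropping the `!` (leaving `/bins`) ignores the directory; if the negation is meant to override a broader ignore rule elsewhere, a comment naming that rule would help.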
Somehow this doesn't work for me? I'm getting

```
$ git status
HEAD detached at pr/4339/head
Changes not staged for commit:
  (use "git add <file>..." to update what will be committed)
  (use "git restore <file>..." to discard changes in working directory)
        modified:   v0.2.2-x86_64-linux.SHA256SUMS.asc

Untracked files:
  (use "git add <file>..." to include in what will be committed)
        bins/

no changes added to commit (use "git add" and/or "git commit -a")
```
My `git status` has the bins under `releases/bins`, which is still showing up untracked in git
|
||
>&2 echo "Building..." | ||
for out in fedimint-pkgs gateway-pkgs ; do | ||
nix build "git+file:.?ref=refs/tags/${tag}#${out}" |
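Review bot: The `nix build "git+file:.?ref=refs/tags/${tag}#${out}"` line builds whatever the local `refs/tags/${tag}` points at, and nothing in the visible lines checks that the tag exists or matches the published one before the resulting hashes are signed. Suggest failing early on a missing or unexpected tag (for example `git rev-parse --verify "refs/tags/${tag}"` and, if release tags are signed, `git verify-tag "${tag}"`) and echoing the resolved commit alongside the "Building..." message.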
I was wondering why we aren't using this build command in the context of #4305, but would these binaries run on non-nix systems? I doubt it and that's why we use bundlers. We should probably rather sign the bundler-generated binaries that we actually publish.
Unclear if these binaries are reproducible but let's try. :D
Use `just sign-release v0.2.2` to sign the release. `<prefix>-SHA256SUM` and `<prefix>-SHA256SUMS.asc` are meant to be checked in.

Now we get to (hopefully) reap the benefits of Nix. We don't need the CI to sign anything, and anyone can verify and sign the release independently from the comfort of their personal terminal.
For reviewers:
We can iterate from here
Immediate follow-ups: