Package manager publishing?

[BatmanAoD]

I would love it if there were a package in Chocolatey (or any other Windows package manager) for X-Mouse Controls.

If you have no objection, I'd be willing to figure out how to create and publish one. If I do so, would you want to be listed as a maintainer? I assume the only maintenance would be an update to the package to reflect new versions of the software itself, which I can do myself if you have a way for me to subscribe to release updates. (It looks like updates are currently only listed on your website, so I can't subscribe to GitHub notifications or similar.)

P.S. Thanks for writing X-Mouse Controls; I've found it very useful! One could even say I've grown addicted; I don't install it on Windows accounts I share with my family, and am occasionally caught off-guard by not having it.

[joelpurra]

@BatmanAoD: sure, package manager support would be nice. Used Chocolatey a few years ago, and it's pretty convenient.

Scrolled through Chocolately's website. Seems they support multiple maintainers, as well as a separate author. I am not interested in actively maintaining recipe(s); how about you and/or the community become package maintainers, and I get listed as author? Seems like a common setup, and I could take over if needed in the future.

• https://community.chocolatey.org/packages/putty.install
• https://docs.chocolatey.org/en-us/community-repository/maintainers/package-maintainer-handover
• https://docs.chocolatey.org/en-us/community-repository/users/package-triage-process#i-want-to-take-overhelp-with-package-maintenance-for-my-software

Regarding releases: watching the repository here on github should work, right? There have been a grand total of 4 published X-Mouse Controls versions during the past 14 years (birthday a few days ago! 🎂🎉) so the chance of you missing something is quite low ;)

[BatmanAoD]

@joelpurra That sounds fine! I didn't notice at first that your releases are tagged in Git despite not showing up in the "releases" view here on GitHub, but now that I see the tags, yes, monitoring GitHub should be entirely sufficient.

[joelpurra]

@BatmanAoD: FYI, I've just created Github releases from all published versions.

Am currently treating these releases merely as a backup for the project website downloads. The entire https://joelpurra.com/ domain recently went down for over a month (hardware failure), so felt it was needed.

No new version of X-Mouse Controls is planned, but updating the website a little bit while I'm at it.

[BatmanAoD]

I have to admit that I completely forgot that the ball was in my court for this 🤦🏻

I'm setting up the package now. In case you'd like a preview, here is what I've got so far.

[joelpurra]

@BatmanAoD: oh, cool! There's no rush or anything; as mentioned, the Github releases were only triggered by the recent website downtime...

[BatmanAoD]

As I'm sure was the case for you when you wrote the software, the only rush is that I want to use the choco package myself!

[joelpurra]

@BatmanAoD: ran a quick test with the latest package (not the --pre testing package):

choco install xmouse-controls --version 1.1.0.0

The executable found in c:\ProgramData\chocolatey\bin\ works as expected, so no problems there. There was no start menu shortcut installed though (unsure why), so had to navigate to the bin folder "manually". Is that because of some local (choco?) settings on my machine perhaps?

[BatmanAoD]

@joelpurra I kept the installer minimal; it just puts the exe on the PATH. It doesn't even change the name, so in PowerShell, typing X-M<tab>, I get & 'X-Mouse Controls.exe'. This is exactly what I wanted, but I can also add a start-menu shortcut and/or change the executable name in the install script.

[joelpurra]

@BatmanAoD: as X-Mouse Controls is a GUI tool, I would say that the (or at least my) expectation is that a start menu shortcut is created. (Was now reminded of #22, for any scripting needs.) Yes, please, keep the original executable name.

Seems the choco approval process is quite detailed. Hope it gets fully verified soon =)

[BatmanAoD]

@joelpurra Okay, I've added a start-menu shortcut to the installer!

[BatmanAoD]

@joelpurra Chocolatey requests that packages include instructions for manual signature verification, but I'm actually having trouble with the x-mouse_controls_2018-10-06T1730Z_release.zip.asc file. The contents "look" right to me (though I know practically nothing about PGP signatures), but I can't get gpg to acknowledge them. Any suggestions?

Here's what I get (both on Windows using gpg4win and on WSL):

$> gpg --show-keys --with-fingerprint ~/tmp/x-mouse_controls_2018-10-06T1730Z_release.zip.asc
gpg: no valid OpenPGP data found.

[joelpurra]

@BatmanAoD: your gpg command mixes concepts, which is understandable; much of the criticism against openpgp/gnupg/gpg revolve around usability and terminology.

The .zip.asc signature file (BEGIN PGP SIGNATURE) does not contain the gpg public keys (BEGIN PGP PUBLIC KEY BLOCK). You're seeing a "no valid data" error because --show-keys is for inspecting a user's public keys. Pubkeys need to be downloaded separately to your local gpg keyring (and verified!) first; this is to keep track of your "trust" in these public keys (or rather in the cryptographic identities of the respective private key holders).

You can find the pubkey with fingerprint 4C47B4FF173AE6ED0DB733946DF6890D2A977668 on my contact page. Note that that is the (long-term/stable) primary key fingerprint; I rotate signing/encryption/authentication subkeys yearly, so you'll see a warning about the signature from 2018 coming from a superseded signing key.

Optional empty/test gpg keyring setup

Create a throwaway gpg home directory and set the GNUPGHOME path temporarily in the current terminal. Delete and recreate ./gnupg-home at will.

mkdir --mode 0700 ./gnupg-home
export GNUPGHOME="${PWD}/gnupg-home"
gpg --list-keys

First, have gpg import my public key.

gpg --recv-key 4C47B4FF173AE6ED0DB733946DF6890D2A977668
gpg --list-key --with-subkey-fingerprint 4C47B4FF173AE6ED0DB733946DF6890D2A977668

Second, verify the .zip file signature. (The .zip filename can be guessed from the .zip.asc filename, so the last argument is optional but more explicit for scripting.)

gpg --verify x-mouse_controls_2018-10-06T1730Z_release.zip.asc x-mouse_controls_2018-10-06T1730Z_release.zip

Didn't try this using gpg4win, only on linux (gpg v2.2.35). Do these steps work for you and/or Chocolatey?

[BatmanAoD]

@joelpurra Thanks for the explanation! Sorry, I was essentially blindly copying gpg commands from StackOverflow, and the "no valid OpenPGP data" message didn't give me any hint that I should be looking for a different key on your page. Though I probably should have figured that out just based on the fact that PGP uses key-pairs!

This doesn't need to be scriptable, I just want to make sure I can do the verification myself so that I can write up the instructions to include in the Chocolatey package.

It looks like key importing worked, but for some reason gpg isn't associating the asc file with the newly imported public key:

PS C:\Users\batma> gpg --list-key --with-subkey-fingerprint 4C47B4FF173AE6ED0DB733946DF6890D2A977668
pub   rsa8192 2013-12-26 [SC]
      4C47B4FF173AE6ED0DB733946DF6890D2A977668
uid           [ unknown] Joel Purra <mig@joelpurra.se>
uid           [ unknown] Joel Purra <me@joelpurra.com>
uid           [ unknown] [jpeg image of size 4521]
sub   rsa4096 2023-03-14 [A] [expires: 2024-04-07]
      A3D6BC73549C1B2B84CBBA1BD4D7146E17366870
sub   rsa4096 2023-03-14 [E] [expires: 2024-04-07]
      1F9664AD9E23CA4A24ED0666C64E0DE7F2A0641C
sub   rsa4096 2023-03-14 [S] [expires: 2024-04-07]
      03B5B1B312D624DF6C001264B9F144AA4BA349FA

PS C:\Users\batma> gpg --verify .\Downloads\x-mouse_controls_2018-10-06T1730Z_release.zip.asc .\chocoxmouse\xmouse-controls\tools\x-mouse_controls_2018-10-06T1730Z_release.zip
gpg: Signature made 10/6/2018 11:43:48 AM Mountain Daylight Time
gpg:                using RSA key F1180AC410DF506C1BA92C041D9F8BDB0CEFA940
gpg: Can't check signature: No public key

Do I have to explicitly tell it which imported public key to be checking against?

[BatmanAoD]

...oh, do I need to mark the imported key "trusted" somehow?

Edit: that doesn't seem to work; after running gpg --edit-key --with-subkey-fingerprint 4C47B4FF173AE6ED0DB733946DF6890D2A977668, selecting trust, and assigning 4, the --verify command still failed, with the same error.