Create aggregated PGP signature files #7579
Comments
Thanks for the suggestion, I had not realised we could put all sigs into a single file. Indeed this seems to have better UX for GUI users.
I started to work on that. Here is how I propose to change the current workflow.

Current workflow

proposal

Note that the current deploy.sh logic will not download files from the airlock unless there is a new version number. I propose to keep the current logic. Indeed, the purpose of the airlock is to examine potentially toxic data (binary files, html files), before deployment. However, signature files are not toxic. So, I think we do not need to push binary signature files into the airlock. The deploy.sh script can fetch them from Github. This has several advantages:

New workflow
Sounds good. Two remarks:
Thanks for reviewing. I did not think about reproducibility issues. I'll try to find a better solution.
OK, I came up with a different solution, closer to what we currently do, and robust against reproducibility issues. See spesmilo/electrum-web@969fa0a and bdbd593.

A new script

The early return in deploy.sh is now based on the commit number, not the version number. If the commit is signed by both ThomasV and SomberNight, the airlock content is downloaded again.
this is deployed now
I have noticed several users claiming they are unable to verify GPG signatures in recent months. Most have been solved by changing the file name of the signature file to match that of the binary file in question. This began recently when the development team started issuing signature files by multiple developers, and adding the developer's name to the signature file name.
Just to reiterate the issue: the signature files' names differ from the binary file's name, which prevents GUI GPG applications (with default settings) from reading the binary file when one double-clicks on a signature file. GUI applications expect the signature file's name to be the same as the binary file's name, with the only difference being the addition of the .asc extension.
For example:
Binary file name: electrum-4.1.5.dmg
Signature file name: electrum-4.1.5.dmg.asc
Currently if you download the binary and the signature files you'll have the following file names:
The binary file name: electrum-4.1.5.dmg
ThomasV's signature file name: electrum-4.1.5.dmg.ThomasV.asc
SomberNight's signature file name: electrum-4.1.5.dmg.sombernight_releasekey.asc
Emzy's signature file name: electrum-4.1.5.dmg.Emzy.asc
This issue can be resolved by adding all the developers' signatures into one file, please see the attached example. This is common with other packages that issue multiple developers' signatures for binary releases.
electrum-4.1.5.dmg.asc.txt
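As an added example (not code from the issue or from the electrum-web scripts), a POSIX shell sketch of the aggregated-signature workflow described above: concatenate the per-developer .asc files into one <binary>.asc, then, after gpg --verify, require good signatures from a fixed set of maintainer keys instead of accepting whichever single signature happens to validate. The function names aggregate_sigs and require_signers are my own, and any fingerprints used with them are placeholders, not the real Electrum release keys.

```shell
#!/bin/sh
# Added example, not part of the electrum-web deploy scripts.

# Concatenate every <binary>.<name>.asc into <binary>.asc and print how many
# armored signature blocks the result contains. gpg --verify checks each
# block of an aggregated file in turn, so this is the file GUI users get.
aggregate_sigs() {
    bin="$1"
    cat "$bin".*.asc > "$bin.asc"
    grep -c '^-----BEGIN PGP SIGNATURE-----' "$bin.asc"
}

# Read gpg --status-fd output on stdin; succeed only if every required
# primary-key fingerprint (arguments) produced a good signature and no block
# in the file was reported as BADSIG.
# VALIDSIG layout: [GNUPG:] VALIDSIG <sigkey-fpr> <date> <ts> <exp> <ver> <res>
#                  <pkalgo> <hashalgo> <sigclass> <primary-fpr>
# so the primary key fingerprint is awk field 12 (works when a signing subkey is used).
require_signers() {
    status=$(cat)
    rc=0
    if printf '%s\n' "$status" | grep -q '^\[GNUPG:\] BADSIG '; then
        echo "a signature block is BAD; treat the file as tampered" >&2
        rc=1
    fi
    for fpr in "$@"; do
        if ! printf '%s\n' "$status" | awk -v want="$fpr" \
              '$2 == "VALIDSIG" && $12 == want { found = 1 } END { exit !found }'; then
            echo "no good signature from key $fpr" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Real-world use (needs gpg and the maintainers' public keys imported;
# THOMASV_FPR / SOMBERNIGHT_FPR are placeholders you set yourself):
#   gpg --status-fd 1 --verify electrum-4.1.5.dmg.asc electrum-4.1.5.dmg \
#       | require_signers "$THOMASV_FPR" "$SOMBERNIGHT_FPR"
```

gpg reports each block of an aggregated file separately, so a NO_PUBKEY or ERRSIG on one developer's block does not by itself invalidate the others; the check above fails closed on a BADSIG or on any required signer being absent.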