From 2f09a04d4404b12dea72b71fe89792a86fc3d982 Mon Sep 17 00:00:00 2001 From: fanquake Date: Mon, 9 Aug 2021 16:19:30 +0800 Subject: [PATCH] Merge bitcoin/bitcoin#22642: release: Release with separate SHA256SUMS and sig files 90b3e482e911fde73133a157c3b354471682275a release: Release with separate SHA256SUMS and sig files (Carl Dong) Pull request description: This allows us to: - remove the rfc4880 EOL hacks, and - release with a SHA256SUMS.asc file that's a combination of all signer signatures ACKs for top commit: achow101: ACK 90b3e482e911fde73133a157c3b354471682275a laanwj: Concept and code review ACK 90b3e482e911fde73133a157c3b354471682275a Tree-SHA512: 5d5086063d303aa0cbd590e5fdf2ae8f555e25f4e43bf67545e33384449b990e94834c711622530ad0eb3dcc83f52746884a5081dadb0acff8dd799cfadafac7 --- contrib/guix/guix-attest | 16 ---------------- doc/release-process.md | 23 ++++++----------------- 2 files changed, 6 insertions(+), 33 deletions(-) diff --git a/contrib/guix/guix-attest b/contrib/guix/guix-attest index f0c5cf77ce..ae0ec53f87 100755 --- a/contrib/guix/guix-attest +++ b/contrib/guix/guix-attest @@ -159,20 +159,6 @@ Hint: You may wish to remove the existing attestations and their signatures by EOF } -# Given a document with unix line endings (just ) in stdin, make all lines -# end in and make sure there's no trailing at the end of the file. -# -# This is necessary as cleartext signatures are calculated on text after their -# line endings are canonicalized. -# -# For more information: -# 1. https://security.stackexchange.com/a/104261 -# 2. https://datatracker.ietf.org/doc/html/rfc4880#section-7.1 -# -rfc4880_normalize_document() { - sed 's/$/\r/' | head -c -2 -} - echo "Attesting to build outputs for version: '${VERSION}'" echo "" 
@@ -188,7 +174,6 @@ mkdir -p "$outsigdir" cat "${noncodesigned_fragments[@]}" \ | sort -u \ | sort -k2 \ - | rfc4880_normalize_document \ > "$temp_noncodesigned" if [ -e noncodesigned.SHA256SUMS ]; then # The SHA256SUMS already exists, make sure it's exactly what we @@ -217,7 +202,6 @@ mkdir -p "$outsigdir" | sort -u \ | sort -k2 \ | sed 's/$/\r/' \ - | rfc4880_normalize_document \ > "$temp_codesigned" if [ -e codesigned.SHA256SUMS ]; then # The SHA256SUMS already exists, make sure it's exactly what we diff --git a/doc/release-process.md b/doc/release-process.md index 41c3ec7722..d02fdbd71f 100644 --- a/doc/release-process.md +++ b/doc/release-process.md @@ -156,24 +156,10 @@ popd ### After 3 or more people have guix-built and their results match: -Combine `all.SHA256SUMS` and `all.SHA256SUMS.asc` into a clear-signed -`SHA256SUMS.asc` message: - -```sh -echo -e "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n$(cat all.SHA256SUMS)\n$(cat filename.txt.asc)" > SHA256SUMS.asc -``` - -Here's an equivalent, more readable command if you're confident that you won't -mess up whitespaces when copy-pasting: +Combine the `all.SHA256SUMS.asc` file from all signers into `SHA256SUMS.asc`: ```bash -cat << EOF > SHA256SUMS.asc ------BEGIN PGP SIGNED MESSAGE----- -Hash: SHA256 - -$(cat all.SHA256SUMS) -$(cat all.SHA256SUMS.asc) -EOF +cat "$VERSION"/*/all.SHA256SUMS.asc > SHA256SUMS.asc ``` - Upload to the dash.org server: @@ -185,7 +171,10 @@ EOF interested in debugging can run guix to generate the files for themselves. To avoid end-user confusion about which file to pick, as well as save storage space *do not upload these to the dash.org server*. - 2. The combined clear-signed message you just created `SHA256SUMS.asc` + + 2. The `SHA256SUMS` file + + 3. The `SHA256SUMS.asc` combined signature file you just created - Announce the release:
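Review bot: in the noncodesigned pipeline of contrib/guix/guix-attest (hunk at -188), removing `| rfc4880_normalize_document` changes the bytes written to `$temp_noncodesigned` from CRLF-terminated lines with no final newline to plain LF output, while the `if [ -e noncodesigned.SHA256SUMS ]` branch that follows still expects an existing file to be exactly what was generated. A `noncodesigned.SHA256SUMS` left over from a run of the old script will no longer match byte for byte. Mention this in the commit message or in the existing "Hint:" text so signers know that older attestations have to be removed and regenerated.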
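Review bot: the codesigned pipeline in contrib/guix/guix-attest (hunk at -217) keeps the context line `| sed 's/$/\r/' \` after `| rfc4880_normalize_document` is removed, so `$temp_codesigned` is still written with a carriage return on every line, while the noncodesigned pipeline in the previous hunk now emits plain LF. With the RFC 4880 canonicalization gone, nothing visible here still needs that `sed`. Drop it in the same change, otherwise `codesigned.SHA256SUMS` ends up with CR-terminated lines and a checker such as `sha256sum -c` will read the CR as part of each file name.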
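Review bot: the new `cat "$VERSION"/*/all.SHA256SUMS.asc > SHA256SUMS.asc` step in doc/release-process.md (hunk at -156) does not say which directory it is run from or that `VERSION` must be set, and the glob collects every directory under `$VERSION`, not only the signers whose results were confirmed to match. State the working directory next to the command, and add a check after combining, for example `gpg --verify SHA256SUMS.asc SHA256SUMS`, so that a stray or mismatching signature is caught before upload.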
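Review bot: the upload list in doc/release-process.md (hunk at -185) gains item 2, "The `SHA256SUMS` file", but after this change no visible step produces a file with that name: the removed instructions read `all.SHA256SUMS`, and the new command writes only `SHA256SUMS.asc`. Add the step that creates `SHA256SUMS` (presumably a copy of the agreed `all.SHA256SUMS`) beside the `cat` command, and note that the two files have to be uploaded together because the signatures are now detached from the checksums.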