Merge bitcoin/bitcoin#22642: release: Release with separate SHA256SUMS and sig files

90b3e482e911fde73133a157c3b354471682275a release: Release with separate SHA256SUMS and sig files (Carl Dong)

Pull request description:

  This allows us to:
  - remove the rfc4880 EOL hacks, and
  - release with a SHA256SUMS.asc file that's a combination of all signer signatures

ACKs for top commit:
  achow101:
    ACK 90b3e482e911fde73133a157c3b354471682275a
  laanwj:
    Concept and code review ACK 90b3e482e911fde73133a157c3b354471682275a

Tree-SHA512: 5d5086063d303aa0cbd590e5fdf2ae8f555e25f4e43bf67545e33384449b990e94834c711622530ad0eb3dcc83f52746884a5081dadb0acff8dd799cfadafac7
This commit is contained in:
fanquake 2021-08-09 16:19:30 +08:00 committed by PastaPastaPasta
parent e82c9ad35a
commit 2f09a04d44
2 changed files with 6 additions and 33 deletions

View File

@ -159,20 +159,6 @@ Hint: You may wish to remove the existing attestations and their signatures by
EOF EOF
} }
# Given a document with unix line endings (just <LF>) in stdin, make all lines
# end in <CR><LF> and make sure there's no trailing <LF> at the end of the file.
#
# This is necessary as cleartext signatures are calculated on text after their
# line endings are canonicalized.
#
# For more information:
# 1. https://security.stackexchange.com/a/104261
# 2. https://datatracker.ietf.org/doc/html/rfc4880#section-7.1
#
rfc4880_normalize_document() {
sed 's/$/\r/' | head -c -2
}
echo "Attesting to build outputs for version: '${VERSION}'" echo "Attesting to build outputs for version: '${VERSION}'"
echo "" echo ""
@ -188,7 +174,6 @@ mkdir -p "$outsigdir"
cat "${noncodesigned_fragments[@]}" \ cat "${noncodesigned_fragments[@]}" \
| sort -u \ | sort -u \
| sort -k2 \ | sort -k2 \
| rfc4880_normalize_document \
> "$temp_noncodesigned" > "$temp_noncodesigned"
if [ -e noncodesigned.SHA256SUMS ]; then if [ -e noncodesigned.SHA256SUMS ]; then
# The SHA256SUMS already exists, make sure it's exactly what we # The SHA256SUMS already exists, make sure it's exactly what we
@ -217,7 +202,6 @@ mkdir -p "$outsigdir"
| sort -u \ | sort -u \
| sort -k2 \ | sort -k2 \
| sed 's/$/\r/' \ | sed 's/$/\r/' \
| rfc4880_normalize_document \
> "$temp_codesigned" > "$temp_codesigned"
if [ -e codesigned.SHA256SUMS ]; then if [ -e codesigned.SHA256SUMS ]; then
# The SHA256SUMS already exists, make sure it's exactly what we # The SHA256SUMS already exists, make sure it's exactly what we

View File

@ -156,24 +156,10 @@ popd
### After 3 or more people have guix-built and their results match: ### After 3 or more people have guix-built and their results match:
Combine `all.SHA256SUMS` and `all.SHA256SUMS.asc` into a clear-signed Combine the `all.SHA256SUMS.asc` file from all signers into `SHA256SUMS.asc`:
`SHA256SUMS.asc` message:
```sh
echo -e "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n$(cat all.SHA256SUMS)\n$(cat filename.txt.asc)" > SHA256SUMS.asc
```
Here's an equivalent, more readable command if you're confident that you won't
mess up whitespaces when copy-pasting:
```bash ```bash
cat << EOF > SHA256SUMS.asc cat "$VERSION"/*/all.SHA256SUMS.asc > SHA256SUMS.asc
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
$(cat all.SHA256SUMS)
$(cat all.SHA256SUMS.asc)
EOF
``` ```
- Upload to the dash.org server: - Upload to the dash.org server:
@ -185,7 +171,10 @@ EOF
interested in debugging can run guix to generate the files for interested in debugging can run guix to generate the files for
themselves. To avoid end-user confusion about which file to pick, as well themselves. To avoid end-user confusion about which file to pick, as well
as save storage space *do not upload these to the dash.org server*. as save storage space *do not upload these to the dash.org server*.
2. The combined clear-signed message you just created `SHA256SUMS.asc`
2. The `SHA256SUMS` file
3. The `SHA256SUMS.asc` combined signature file you just created
- Announce the release: - Announce the release: