doc/gitian-signing.md
# Gitian signing | # Gitian signing | ||||
Once you've followed the instructions in gitian-building.md and verified that | Once you've followed the instructions in gitian-building.md and verified that | ||||
you have the same hashes as other developers, it's time to sign the gitian | you have the same hashes as other developers, it's time to sign the Gitian | ||||
builds. | builds. | ||||
## PGP fingerprints of gitian build signers | ## PGP fingerprints of gitian build signers | ||||
The `contrib/gitian-signing/keys.txt` file contains the PGP fingerprints of | The `contrib/gitian-signing/keys.txt` file contains the PGP fingerprints of | ||||
gitian build signers. If you plan on signing gitian builds on a regular basis, | Gitian build signers. If you plan on signing Gitian builds on a regular basis, | ||||
please add you fingerprint here. | please add you fingerprint here. | ||||
TODO: Add reference to gitian keys process instructions once that document is | TODO: Add reference to gitian keys process instructions once that document is | ||||
written. It should be clear to signers that there are expectations associated | written. It should be clear to signers that there are expectations associated | ||||
with the siginging process and that it's unacceptable to blindly sign builds. | with the siginging process and that it's unacceptable to blindly sign builds. | ||||
## Sign your gitian builds | ## Sign your Gitian builds | ||||
### Sign your gitian builds individually | ### Sign your Gitian builds individually | ||||
TODO: Add scripts and instructions for checking for revoked keys and signing builds. | TODO: Add scripts and instructions for checking for revoked keys and signing builds. | ||||
For now, refer to `contrib/check-keys.sh` for retrieving all signing keys. | For now, refer to `contrib/check-keys.sh` for retrieving all signing keys. | ||||
### Sign your gitian builds under a single SHA256SUMS file (optional) | ### Sign your Gitian builds under a single SHA256SUMS file (optional) | ||||
These steps are optional, but makes sharing the build signatures easier. | These steps are optional, but makes sharing the build signatures easier. | ||||
1. After building all binaries using gitian, collect the hashes for the builds | 1. After building all binaries using gitian, collect the hashes for the builds | ||||
you care to sign. Exclude any debug binaries, unsigned builds, or metadata | you care to sign. Exclude any debug binaries, unsigned builds, or metadata | ||||
files that are built as part of the gitian process, but be sure to include | files that are built as part of the Gitian process, but be sure to include | ||||
the source used to generate the binaries. These hashes will look something | the source used to generate the binaries. These hashes will look something | ||||
like this: | like this: | ||||
8bc4becb83b532d3be841438e6145372a8bce8f37e087dbffb2aedaee985c0e4 bitcoin-abc-0.18.0-aarch64-linux-gnu.tar.gz | 8bc4becb83b532d3be841438e6145372a8bce8f37e087dbffb2aedaee985c0e4 bitcoin-abc-0.18.0-aarch64-linux-gnu.tar.gz | ||||
deb3d15d6ccbce4725f0e0dc892931bfdcbcfa7ccbd35846ccbde90572248bed bitcoin-abc-0.18.0-arm-linux-gnueabihf.tar.gz | deb3d15d6ccbce4725f0e0dc892931bfdcbcfa7ccbd35846ccbde90572248bed bitcoin-abc-0.18.0-arm-linux-gnueabihf.tar.gz | ||||
79a2bff6109307fd64a569270eeb1259cb6bba53ff609af4e5340d13e25e80b8 bitcoin-abc-0.18.0-i686-pc-linux-gnu.tar.gz | 79a2bff6109307fd64a569270eeb1259cb6bba53ff609af4e5340d13e25e80b8 bitcoin-abc-0.18.0-i686-pc-linux-gnu.tar.gz | ||||
f40ba895f21270d3a038361f9b2baed68df2688eaa01ad531b4ee29ee205cb98 bitcoin-abc-0.18.0-x86_64-linux-gnu.tar.gz | f40ba895f21270d3a038361f9b2baed68df2688eaa01ad531b4ee29ee205cb98 bitcoin-abc-0.18.0-x86_64-linux-gnu.tar.gz | ||||
11dc3ba7f193c70879b3fc3cc716fde56880dfebfab8bb556b7a355b2e64f09d src/bitcoin-abc-0.18.0.tar.gz | 11dc3ba7f193c70879b3fc3cc716fde56880dfebfab8bb556b7a355b2e64f09d src/bitcoin-abc-0.18.0.tar.gz | ||||
b83a25ad9050e7566fc6b4f5e33a78d71a39fd7d2f15e7143a37ffd37d501a17 bitcoin-abc-0.18.0-osx64.tar.gz | b83a25ad9050e7566fc6b4f5e33a78d71a39fd7d2f15e7143a37ffd37d501a17 bitcoin-abc-0.18.0-osx64.tar.gz | ||||
2. Save those hashes into `SHA256SUMS.0.x.0` where x is the version number. | 2. Save those hashes into `SHA256SUMS.0.x.0` where x is the version number. | ||||
3. `gpg --armor --clearsign --output SHA256SUMS.0.x.0.asc --sign SHA256SUMS` | 3. `gpg --armor --clearsign --output SHA256SUMS.0.x.0.asc --sign SHA256SUMS` |
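Review bot: Step 3 signs a file named `SHA256SUMS`, but step 2 saves the hashes into `SHA256SUMS.0.x.0`, so the command as written does not sign the file the previous step produced. Pass the versioned file as the input, for example `gpg --armor --clearsign --output SHA256SUMS.0.x.0.asc SHA256SUMS.0.x.0`; `--clearsign` already selects the signing operation, so the extra `--sign` can be dropped. The capitalisation pass is also incomplete: the new side still has lowercase "gitian" in the "PGP fingerprints of gitian build signers" heading, in the TODO ("gitian keys process") and in step 1 ("using gitian"). Since the wording is being touched anyway, "add you fingerprint", "siginging" and "optional, but makes" could be corrected in the same change.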