From 4961a656b860319d12a635adfb1f1a9b0821cd87 Mon Sep 17 00:00:00 2001
From: Rootul Patel
Date: Fri, 6 Oct 2023 12:51:25 -0400
Subject: [PATCH] remove manual signing steps
---
 MAINTAINERS.md | 49 -------------------
 README.md | 6 +--
 scripts/signing/README.md | 19 -------
 .../{keys => }/celestia-app-maintainers.asc | 0
 scripts/signing/verify-signature.sh | 24 +++------
 5 files changed, 10 insertions(+), 88 deletions(-)
 delete mode 100644 MAINTAINERS.md
 delete mode 100644 scripts/signing/README.md
 rename scripts/signing/{keys => }/celestia-app-maintainers.asc (100%)
diff --git a/MAINTAINERS.md b/MAINTAINERS.md
deleted file mode 100644
index afe62be5fd..0000000000
--- a/MAINTAINERS.md
+++ /dev/null
@@ -1,49 +0,0 @@
-# Maintainers
-
-This page includes information for maintainers of this repo.
-
-## How to manually generate the binaries for a Github release
-
-The binaries for the Github release are generated using [GoReleaser](https://goreleaser.com/). The Github workflow [ci-release.yml](./.github/workflows/ci-release.yml) should automatically create pre-built binaries and attach them to the release.
-
-### Prerequisites
-
-1. Due to `goreleaser`'s CGO limitations, cross-compiling the binary does not work. So the binaries must be built on the target platform. This means that the release process must be done on a Linux amd64 machine.
-
-1. Since you are generating and signing the release binaries locally, your public key must be added to the list of available keys for verification. Follow the steps in [scripts/signing/README.md](./scripts/signing/README.md).
-
-### Steps
-
-Export environment variables for the GPG key you are using. You can get this value by running `gpg --list-keys`.
-
-```shell
-export GPG_FINGERPRINT=6C1A1C23002059AF36D176ADD81D0045A524FA93
-```
-
-To generate the binaries for the Github release, you can run the following command:
-
-```sh
-make goreleaser-release
-```
-
-This will generate the binaries as defined in `.goreleaser.yaml` and put them in `build/goreleaser` like so:
-
-```sh
-build
-└── goreleaser
- ├── CHANGELOG.md
- ├── artifacts.json
- ├── celestia-app_Linux_x86_64.tar.gz
- ├── celestia-app_linux_amd64_v1
- │ └── celestia-appd
- ├── checksums.txt
- ├── checksums.txt.sig
- ├── config.yaml
- └── metadata.json
-```
-
-For the Github release, you need to upload the following files:
-
-- `checksums.txt`
-- `checksums.txt.sig`
-- `celestia-app_Linux_x86_64.tar.gz`
diff --git a/README.md b/README.md
index 93cf165078..00806a11c1 100644
--- a/README.md
+++ b/README.md
@@ -82,11 +82,11 @@ If you use a pre-built binary, you may also want to verify the checksums and sig celestia-app_Linux_x86_64.tar.gz: OK ``` -1. Clone this repo -1. Verify the signature via the [verify-signature.sh](./scripts/signing/verify-signature.sh) script. +1. Download the [verify-signature.sh](./scripts/signing/verify-signature.sh) script. +1. Verify the signature via the [verify-signature.sh](./scripts/signing/verify-signature.sh) script ```shell - ./scripts/signing/verify-signature.sh checksums.txt.sig checksums.txt + ./verify-signature.sh checksums.txt.sig checksums.txt ``` You should see output like this:
diff --git a/scripts/signing/README.md b/scripts/signing/README.md
deleted file mode 100644
index 5e73a585a4..0000000000
--- a/scripts/signing/README.md
+++ /dev/null
@@ -1,19 +0,0 @@
-# Signing
-
-This directory contains a script for consumers to verify signatures on artifacts. The `keys` directory contains GPG public keys for some of the celestia-app maintianers. The keys may be used to sign releases and other artifacts.
-
-## How to add a public key
-
-### Prerequisite
-
-1. [Generate a GPG key](https://docs.github.com/en/authentication/managing-commit-signature-verification/generating-a-new-gpg-key) with no passphrase
-
-### Steps
-
-1. Export your public key
-
- ```shell
- gpg --armor --export .asc
- ```
-
-1. Copy the `*.asc` file into `keys/`
diff --git a/scripts/signing/keys/celestia-app-maintainers.asc b/scripts/signing/celestia-app-maintainers.asc
similarity index 100%
rename from scripts/signing/keys/celestia-app-maintainers.asc
rename to scripts/signing/celestia-app-maintainers.asc
diff --git a/scripts/signing/verify-signature.sh b/scripts/signing/verify-signature.sh
index c92c24cfd1..a86c4b6ace 100755
--- a/scripts/signing/verify-signature.sh
+++ b/scripts/signing/verify-signature.sh
@@ -1,22 +1,6 @@
 #!/bin/bash
 
-# DIR is the directory of this script
-DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
-# KEYS_DIR is the directory of the keys
-KEYS_DIR="$DIR/keys"
-
-echo "Importing the public keys in $KEYS_DIR"
-
-# Loop over all keys in the keys directory
-for key in "$KEYS_DIR"/*; do
- # Check if it's a regular file (and not a directory or other type)
- if [[ -f "$key" ]]; then
- # Import the key
- echo "Importing $key"
- gpg --import "$key"
- echo "Imported $key"
- fi
-done
+# This script enables consumers to verify signatures on artifacts.
 
 # Check if the number of arguments is not 2
 if [[ $# -ne 2 ]]; then
@@ -26,5 +10,11 @@ if [[ $# -ne 2 ]]; then
 exit 1
 fi
 
+# PGP Key
+# celestia-app-maintainers
+# BF02F32CC36864560B90B764D469F859693DC3FA
+echo "Importing the celestia-app-maintainers public key..."
+gpg --keyserver keys.openpgp.org --recv-keys BF02F32CC36864560B90B764D469F859693DC3FA
+
 echo "Verifying the signature of "$1" with "$2""
 gpg --verify $1 $2
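Review bot: The fingerprint pinned in the new `--recv-keys` line is never enforced at verification time — `gpg --verify $1 $2` on the last line reports success for a signature made by any key already in the caller's keyring, so a previously imported attacker key is accepted just as readily as the maintainers' key. The fetch result is also unchecked and the script has no `set -e`, so with keys.openpgp.org unreachable the script falls through to `--verify` and fails with a misleading "No public key" instead of a clear fetch error. Running gpg in a throwaway `GNUPGHOME` that holds only the fetched key makes that fingerprint the sole trust root, keeps the script from writing into the user's keyring, and lets the fetch abort the script on failure; the positional arguments should be quoted as well. Note that the committed `celestia-app-maintainers.asc` is no longer read by the script, so verification now requires network access — importing it when it sits next to the script would keep offline verification possible.
```shell
# … unchanged: argument-count check …

# celestia-app-maintainers primary key fingerprint — the only key the signature is checked against.
readonly MAINTAINERS_FPR=BF02F32CC36864560B90B764D469F859693DC3FA

# Use an empty, throwaway keyring so the signature can only validate against the pinned key
# and the caller's own keyring is neither consulted nor modified.
GNUPGHOME="$(mktemp -d)" || exit 1
export GNUPGHOME
trap 'rm -rf -- "${GNUPGHOME:?}"' EXIT

echo "Importing the celestia-app-maintainers public key..."
gpg --keyserver keys.openpgp.org --recv-keys "$MAINTAINERS_FPR" || {
  echo "error: could not fetch key $MAINTAINERS_FPR from keys.openpgp.org" >&2
  exit 1
}

echo "Verifying the signature of $1 with $2"
gpg --verify "$1" "$2"
```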