Can't verify tarball #90
Comments
|
Hi Bob, It's weird, This is what I get when I verify myself. Maybe I messed up somewhere. I'll double check. |
|
I have just downloaded the two files from Github release and I still see this issue 😞 |
|
🤔 Very odd, I'll do more digging. |
|
For your information, you don't have to actually download tarballs from Github in your script, git is able to make reproducible archives out of tags: So in your script you can simply generate the archive using the command above and sign it. |
|
@maximbaz would you know the equivalent for the Both files differ even though content looks OK. I'm going to add a check in my release script so that this mess doesn't happen again but I'd like to support both |
We need to verify the sources from github match our local content. We do this by building our own version of the git release (using `git archive`) and checking the SHA-256 checksums against the local and remote. After that it's safe to sign the remote `tar.gz` and upload the signature file to the release. One caveat is that if Github upates their git release commmand, this script will break. We'll worry about it when that happens. This drops support for `zip` signature. I wish there was a way to prevent the zip source code when doing a new release. Clsoes #90
|
@maximbaz @bhepple I figured what was wrong and update my release script. Now I properly verify the remote (Github) content against my local version (thanks to @maximbaz help). I've dropped support for the zip file signature, there is a slight difference in the compression bits between my local command and the remote version. Hopefully only the tar.gz is used. I've resubmitted the signature for both Let me know if you still have issue. |
|
Yep - looks a lot better now, thanks. Only thing is it's a bit leery about your public key. Is it registered anywhere under your email/id? |
|
My knowledge of gpg key registration is pretty limited. What do I need to do to validate my key under the email address provided? |
|
Ah! There's the rub. It passeth also my understanding. |
|
I confirm the fix as well, thanks @jtheoof! Regarding the I wouldn't do this to be honest, just keep Regarding the key, you don't need to validate it against your email, but it would be nice if you could simply put in README something like:
This will be more than enough for packagers and for people familiar with the concept. Alternatively if you want to provide some more context for users, here's how I documented this in one of my projects: https://github.com/browserpass/browserpass-native/#install-manually |
|
Thanks @maximbaz I'll update the README with your recommendation. |
We need to verify the sources from github match our local content. We do this by building our own version of the git release (using `git archive`) and checking the SHA-256 checksums against the local and remote. After that it's safe to sign the remote `tar.gz` and upload the signature file to the release. One caveat is that if Github upates their git release commmand, this script will break. We'll worry about it when that happens. This drops support for `zip` signature. I wish there was a way to prevent the zip source code when doing a new release. Closes jtheoof#90
Hi Jeremy,
Your friendly local Fedora packager here.
I'm having problems with verifying the 1.3.0 tarball:
$ gpg2 --keyring=$PWD/6A6B35DBE9442683.gpg --verify swappy-1.3.0.tar.gz.sig swappy-1.3.0.tar.gz
gpg: Signature made Thu 18 Feb 2021 11:57:39 AEST
gpg: using RSA key F44D05A50F6C9EB5C81BCF966A6B35DBE9442683
gpg: BAD signature from "Jeremy Attali [email protected]" [unknown]
I notice that the 1.3.0 release does not have a 'Verified' button next to it (1.2.0 does have that button and it points to public key 6A6B35DBE9442683
Am I using the right public key?
Thanks
The text was updated successfully, but these errors were encountered: