To compare the build results of maintainers and contributors, gsign, which is part of Gitian, is used to create a "fingerprint" of the binaries, as well as of the dependencies used during the build process.
The "fingerprints" are cryptographically signed via GPG and published to a dedicated GitHub repository:
This process ensures that the binaries and the tool chain were not tampered with, and that the same source was used. It allows any user to verify releases by building the binaries locally and comparing the results.
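The comparison step described above, as an added example that is not part of the original page or of Gitian itself. It assumes each signer's result file carries an `out_manifest` block of `<sha256>  <filename>` lines; the function names, file names and hash values are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: compare the output fingerprints that two signers recorded.
# Assumed layout: an "- out_manifest: |" key followed by indented
# "<sha256>  <filename>" lines, ended by the next top-level "- " key.

# Print the out_manifest entries of result file $1, sorted by filename.
out_manifest() {
  awk '/^- out_manifest:/ { inblock = 1; next }
       /^- /              { inblock = 0 }
       inblock && NF == 2 { print $1 "  " $2 }' "$1" | sort -k2
}

# Print each filename whose hash differs or that only one signer lists.
# Returns 0 = identical, 1 = mismatch, 2 = a manifest is empty or unreadable.
compare_signers() {
  local a b diffs
  a=$(out_manifest "$1" 2>/dev/null)
  b=$(out_manifest "$2" 2>/dev/null)
  if [ -z "$a" ] || [ -z "$b" ]; then return 2; fi
  diffs=$(printf '%s\n%s\n' "$a" "$b" | sort | uniq -u | awk '{ print $2 }' | sort -u)
  if [ -z "$diffs" ]; then return 0; fi
  printf '%s\n' "$diffs"
  return 1
}

# Constructed sample data, not real build output: $1 = path, $2/$3 = hashes.
sample_result() {
  cat > "$1" <<EOF
--- !!omap
- out_manifest: |
    $2  example-0.0.10.0-rc1-linux32.tar.gz
    $3  example-0.0.10.0-rc1-linux64.tar.gz
- in_manifest: |
    cccc0000  example-linux-desc.yml
- name: example-linux
EOF
}

# Demo: signer B's 64-bit archive hash differs from signer A's.
demo() {
  local dir; dir=$(mktemp -d)
  sample_result "$dir/a.assert" aaaa1111 bbbb2222
  sample_result "$dir/b.assert" aaaa1111 ffff9999
  compare_signers "$dir/a.assert" "$dir/b.assert"
  local rc=$?
  rm -rf "$dir"
  return "$rc"
}
demo || echo "fingerprints differ (exit $?)"
```

An empty or unreadable manifest returns 2 rather than 0, so a missing result file is never reported as a match. Matching hashes only mean the builds agree; the GPG signature on each result file still has to be verified separately.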
The signing identity is used to map build results to users. It is not strictly tied to the GitHub username or the GPG identity, but ideally the GitHub username is used as the signing identity. To define it:
~/gitian-builder$ export SIGNER=OmniDev
3.2 Define release base string
The release string is used to create a subdirectory in ../gitian.sigs. If you're building a tagged release, then ${VERSION} may already be defined. If you're building a release based on a commit, then ${COMMIT} may be defined instead.
For tagged releases use the tag as release base string. If ${VERSION} is defined:
~/gitian-builder$ export RELEASE=${VERSION}
If ${VERSION} is not defined, and assuming the release tag is 0.0.10.0-rc1, then:
~/gitian-builder$ export RELEASE=0.0.10.0-rc1
For untagged releases, which are built from a specific commit, use the base version, followed by the first 10 characters of the commit. Assuming the base version is 0.0.10.0, and the first 10 characters are f95531ffec, then:
It is not required to stay in the Gitian environment, and build results may as well be transferred to the host machine, before continuing with the following steps.
If the Gitian environment is used, and if not done earlier, then set your GitHub username and email address, and optionally a GPG signing key:
If the steps are done on the host machine (or somewhere else), redefine, or replace ${RELEASE} with the actual release tag (e.g. 0.0.10.0-rc1), and likewise the signing identity ${SIGNER} with the actual name of the signer (e.g. OmniDev).
Navigate to the gitian.sigs repository, create a new branch, and add the results via git: