@hebasto
Last active October 4, 2019 15:08
The `bitcoin-core/gitian.sigs` Repository Workflow

gitian-build.sh (*.py)

https://github.com/bitcoin/bitcoin/blob/0.16/contrib/gitian-build.sh

bitcoin/bitcoin#8566 (2016-08-23..2016-08-30)

Andrew Chow (author), https://github.com/achow101

Pieter Wuille, https://github.com/sipa

bitcoin/bitcoin#8566 (comment):

One feature I've always wanted (but never bothered to add to my own build scripts) is detached signing: I don't want my GPG key on the build machine. However, if you don't use gsign, the assert file is overwritten for every build. So if possible I'd like to have a means to just copy the assert file to the right location in gitian.sigs, but without adding the gpg signature yet.

Wladimir J. van der Laan, https://github.com/laanwj

bitcoin/bitcoin#8566 (comment):

By detached signing I mean it behaves exactly as if it's signing, and the .assert file appears inside the gitian.sigs dir, but no GPG signature for it is created.

My favorite hack for this is:

gsign -p true ...

(This uses the program "true" to sign, which effectively skips the step and returns success)

bitcoin/bitcoin#13623

bitcoin/bitcoin#13692

The Recommended Workflow

Common environment variables

export SIGNER=hebasto
export VERSION=0.18.0rc3

The --setup Command

Prerequisite: MacOSX10.11.sdk.tar.gz resides in the home directory.

Fork the bitcoin-core/gitian.sigs repository on GitHub (if not forked yet).

cd ~/gitian
wget -N https://raw.githubusercontent.com/hebasto/bitcoin/gitian-build-private/contrib/gitian-build.py
chmod +x gitian-build.py
./gitian-build.py --setup ${SIGNER} ${VERSION}

pushd gitian-builder
git checkout 20190407-clean-manifest
mkdir inputs
cp ~/MacOSX10.11.sdk.tar.gz inputs
popd

pushd gitian.sigs
git remote add ${SIGNER} git@github.com:${SIGNER}/gitian.sigs.git
git config remote.pushDefault ${SIGNER}
popd

The --build Command

./gitian-build.py --build ${SIGNER} ${VERSION}

pushd gitian.sigs
git checkout -b ${VERSION}-unsigned
find ${VERSION}-{linux,{win,osx}-unsigned}/${SIGNER}/ -name '*.assert' -exec gpg --detach-sign {} \;
git add ${VERSION}-{linux,{win,osx}-unsigned}/${SIGNER}
git commit -m "${SIGNER} ${VERSION} unsigned"
git push
git checkout master
popd

Submit a PR to the bitcoin-core/gitian.sigs repository on GitHub.

The --sign Command

./gitian-build.py --sign ${SIGNER} ${VERSION}

pushd gitian.sigs
git checkout -b ${VERSION}-signed
find ${VERSION}-{win,osx}-signed/${SIGNER}/ -name '*.assert' -exec gpg --detach-sign {} \;
git add ${VERSION}-{win,osx}-signed/${SIGNER}
git commit -m "${SIGNER} ${VERSION} signed"
git push
git checkout master
popd

Submit a PR to the bitcoin-core/gitian.sigs repository on GitHub.
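As an added example (not part of this gist or of the gitian tooling), here are the checks a reviewer of a gitian.sigs pull request wants once the --build and --sign steps above have pushed `${VERSION}-<target>/${SIGNER}/*.assert` files: every signer's .assert for a given target must be identical, and each .assert must carry the detached .sig that `gpg --detach-sign` produces. The sha256sum/shasum fallback and the `verify_sigs` helper are assumptions about the host, not something the gist specifies.

```shell
#!/bin/sh
# Added example (not from the gist): sanity checks over a gitian.sigs checkout for one
# release. Layout follows the gist: <sigs_dir>/<VERSION>-<target>/<SIGNER>/<name>.assert
# with a detached <name>.assert.sig next to each .assert.

# Print one "target sha256 signer" line per .assert found under <sigs_dir>/<version>-*/.
list_asserts() {
    sigs_dir=$1; version=$2
    for a in "$sigs_dir"/"$version"-*/*/*.assert; do
        [ -f "$a" ] || continue                     # an unmatched glob stays literal in sh
        target=$(basename "$(dirname "$(dirname "$a")")")
        signer=$(basename "$(dirname "$a")")
        # sha256sum on Linux; shasum fallback is an assumption for hosts without it
        hash=$( (sha256sum "$a" 2>/dev/null || shasum -a 256 "$a") | cut -d' ' -f1)
        printf '%s %s %s\n' "$target" "$hash" "$signer"
    done
}

# Succeed only if, for every target directory, all signers committed an identical .assert;
# a second distinct hash means at least one signer's build did not reproduce.
check_consensus() {
    list_asserts "$1" "$2" | awk '
        { distinct[$1 " " $2] = 1; targets[$1] = 1 }
        END {
            rc = 0
            for (k in distinct) { split(k, p, " "); n[p[1]]++ }
            for (t in targets) if (n[t] > 1) { print "MISMATCH: " t; rc = 1 }
            exit rc
        }'
}

# Succeed only if every .assert has its .assert.sig beside it.
check_sigs_present() {
    rc=0
    for a in "$1"/"$2"-*/*/*.assert; do
        [ -f "$a" ] || continue
        [ -f "$a.sig" ] || { echo "missing signature: $a.sig"; rc=1; }
    done
    return $rc
}

# Cryptographic check: the signers' public keys must already be in the local gpg keyring.
verify_sigs() {
    for a in "$1"/"$2"-*/*/*.assert; do
        [ -f "$a.sig" ] || continue
        gpg --verify "$a.sig" "$a" 2>/dev/null || { echo "BAD signature: $a"; return 1; }
    done
}
```

Run `check_consensus gitian.sigs "$VERSION"` before merging a PR; an empty result set passes, so confirm `list_asserts` actually found the files you expect.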

The LXC container monitoring

sudo lxc-ls --rcfile=gitian-builder/var/lxc.config --fancy
sudo lxc-info --name=gitian --rcfile=gitian-builder/var/lxc.config
sudo lxc-top --rcfile=gitian-builder/var/lxc.config

# After container stops
sudo lxc-execute --name=gitian --rcfile=gitian-builder/var/lxc.config -- df
# macOS was the latest build (0.18.0rc3)
Filesystem     1K-blocks    Used Available Use% Mounted on
/dev/loop0      12319880 2665576   9008776  23% /
none                 492       0       492   0% /dev
# Linux was the latest build (0.18.0rc4)
Filesystem     1K-blocks    Used Available Use% Mounted on
/dev/loop0      12319880 5485072   6189280  47% /
none                 492       0       492   0% /dev

The Documented Workflow

In order to sign gitian builds on your host machine, which has your PGP key, fork the gitian.sigs repository and clone it on your host machine:

git clone git@github.com:bitcoin-core/gitian.sigs.git
git remote add satoshi git@github.com:satoshi/gitian.sigs.git

Make a PR (both the .assert and .assert.sig files) to the bitcoin-core/gitian.sigs repository:

git checkout -b 0.16.0rc1-not-codesigned
git commit -S -a -m "Add $NAME 0.16.0rc non-code signed signatures"
git push --set-upstream $NAME 0.16.0rc1

Commit your signature to gitian.sigs:

pushd gitian.sigs
git add ${VERSION}-linux/"${SIGNER}"
git add ${VERSION}-win-unsigned/"${SIGNER}"
git add ${VERSION}-osx-unsigned/"${SIGNER}"
git commit -m "Add ${VERSION} unsigned sigs for ${SIGNER}"
git push  # Assuming you can push to the gitian.sigs tree
popd

Commit your signature for the signed macOS/Windows binaries:

pushd gitian.sigs
git add ${VERSION}-osx-signed/"${SIGNER}"
git add ${VERSION}-win-signed/"${SIGNER}"
git commit -a
git push  # Assuming you can push to the gitian.sigs tree
popd

| source | branch | commit |
| --- | --- | --- |
| gitian-building.md | 0.16.0rc1-not-codesigned | Add hebasto 0.17.0rc2 non-code signed signatures |
| release-process.md | | Add 0.17.0rc2 unsigned sigs for hebasto |
| gitian-build.py | | Add 0.17.0rc2 unsigned sigs for hebasto |
| gitian-build.py | | Add 0.17.0rc2 signed sigs for hebasto |
| laanwj | | laanwj 0.17.0rc2 unsigned |
| laanwj | | laanwj 0.17.0rc2 signed |