https://github.com/bitcoin/bitcoin/blob/0.16/contrib/gitian-build.sh
bitcoin/bitcoin#8566 (2016-08-23..2016-08-30)
Andrew Chow (author), https://github.com/achow101
Pieter Wuille, https://github.com/sipa
bitcoin/bitcoin#8566 (comment):
One feature I've always wanted (but never bothered to add to my own build scripts) is detached signing: I don't want my GPG key on the build machine. However, if you don't use gsign, the assert file is overwritten for every build. So if possible I'd like to have a means to just copy the assert file to the right location in gitian.sigs, but without adding the gpg signature yet.
Wladimir J. van der Laan, https://github.com/laanwj
bitcoin/bitcoin#8566 (comment):
By detached signing I mean it behaves exactly as if it's signing, and the .assert file appears inside the gitian.sigs dir, but no GPG signature for it is created.
My favorite hack for this is:
gsign -p true ...
(This uses the program "true" to sign, which effectively skips the step and returns success)
export SIGNER=hebasto
export VERSION=0.18.0rc3
Prerequisite: MacOSX10.11.sdk.tar.gz resides in the home directory.
Fork the bitcoin-core/gitian.sigs repository on GitHub (if not forked yet).
cd ~/gitian
wget -N https://raw.githubusercontent.com/hebasto/bitcoin/gitian-build-private/contrib/gitian-build.py
chmod +x gitian-build.py
./gitian-build.py --setup ${SIGNER} ${VERSION}
pushd gitian-builder
git checkout 20190407-clean-manifest
mkdir inputs
cp ~/MacOSX10.11.sdk.tar.gz inputs
popd
pushd gitian.sigs
git remote add ${SIGNER} git@github.com:${SIGNER}/gitian.sigs.git
git config remote.pushDefault ${SIGNER}
popd
./gitian-build.py --build ${SIGNER} ${VERSION}
pushd gitian.sigs
git checkout -b ${VERSION}-unsigned
find ${VERSION}-{linux,{win,osx}-unsigned}/${SIGNER}/ -name '*.assert' -exec gpg --detach-sign {} \;
git add ${VERSION}-{linux,{win,osx}-unsigned}/${SIGNER}
git commit -m "${SIGNER} ${VERSION} unsigned"
git push
git checkout master
popd
Submit a PR to the bitcoin-core/gitian.sigs repository on GitHub.
./gitian-build.py --sign ${SIGNER} ${VERSION}
pushd gitian.sigs
git checkout -b ${VERSION}-signed
find ${VERSION}-{win,osx}-signed/${SIGNER}/ -name '*.assert' -exec gpg --detach-sign {} \;
git add ${VERSION}-{win,osx}-signed/${SIGNER}
git commit -m "${SIGNER} ${VERSION} signed"
git push
git checkout master
popd
Submit a PR to the bitcoin-core/gitian.sigs repository on GitHub.
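A check to run inside gitian.sigs after the `gpg --detach-sign` step and before `git add`, given here as an added example (not part of the original notes or of the Bitcoin Core scripts): it fails when no .assert file is found at all or when one lacks its .assert.sig. The function names are hypothetical.

```sh
#!/bin/sh
# Added example: pre-commit check for a gitian.sigs checkout.
# Function names are hypothetical; directories are passed by the caller.

# List every *.assert under the given directories, one per line.
# The pattern is quoted so that find, not the shell, expands it.
list_asserts() {
    find "$@" -type f -name '*.assert'
}

# Print the *.assert files that have no non-empty detached signature
# beside them (<file>.sig is the default output of `gpg --detach-sign`).
missing_sigs() {
    find "$@" -type f -name '*.assert' -exec sh -c '
        for f do
            [ -s "$f.sig" ] || printf "%s\n" "$f"
        done' sh {} +
}

# Return 0 only if at least one *.assert exists and every one is signed.
# Return 2 if nothing was found (wrong directory or the build produced
# nothing), 1 if a signature is missing or empty.
check_sigs() {
    if [ -z "$(list_asserts "$@")" ]; then
        echo "no .assert files found under: $*" >&2
        return 2
    fi
    missing=$(missing_sigs "$@")
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing" | sed 's/^/missing signature: /' >&2
        return 1
    fi
    return 0
}

# Verify each signature against its assert file with the local keyring.
# Needs gpg and the signer's public key, so it is not exercised offline.
verify_sigs() {
    find "$@" -type f -name '*.assert' -exec sh -c '
        for f do
            gpg --verify "$f.sig" "$f" || exit 1
        done' sh {} +
}
```

After sourcing the file, call `check_sigs` with the same directories that are handed to `find` above, then `verify_sigs` on the machine that holds the key.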
sudo lxc-ls --rcfile=gitian-builder/var/lxc.config --fancy
sudo lxc-info --name=gitian --rcfile=gitian-builder/var/lxc.config
sudo lxc-top --rcfile=gitian-builder/var/lxc.config
# After container stops
sudo lxc-execute --name=gitian --rcfile=gitian-builder/var/lxc.config -- df
# macOS was the latest build (0.18.0rc3)
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/loop0 12319880 2665576 9008776 23% /
none 492 0 492 0% /dev
# Linux was the latest build (0.18.0rc4)
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/loop0 12319880 5485072 6189280 47% /
none 492 0 492 0% /dev
In order to sign gitian builds on your host machine, which has your PGP key, fork the gitian.sigs repository and clone it on your host machine:
git clone git@github.com:bitcoin-core/gitian.sigs.git
git remote add satoshi git@github.com:satoshi/gitian.sigs.git
Make a PR (both the .assert and .assert.sig files) to the bitcoin-core/gitian.sigs repository:
git checkout -b 0.16.0rc1-not-codesigned
git commit -S -a -m "Add $NAME 0.16.0rc non-code signed signatures"
git push --set-upstream $NAME 0.16.0rc1
Commit your signature to gitian.sigs:
pushd gitian.sigs
git add ${VERSION}-linux/"${SIGNER}"
git add ${VERSION}-win-unsigned/"${SIGNER}"
git add ${VERSION}-osx-unsigned/"${SIGNER}"
git commit -m "Add ${VERSION} unsigned sigs for ${SIGNER}"
git push # Assuming you can push to the gitian.sigs tree
popd
Commit your signature for the signed macOS/Windows binaries:
pushd gitian.sigs
git add ${VERSION}-osx-signed/"${SIGNER}"
git add ${VERSION}-win-signed/"${SIGNER}"
git commit -a
git push # Assuming you can push to the gitian.sigs tree
popd
source | branch | commit |
---|---|---|
gitian-building.md | 0.16.0rc1-not-codesigned | Add hebasto 0.17.0rc2 non-code signed signatures |
release-process.md | | Add 0.17.0rc2 unsigned sigs for hebasto |
gitian-build.py | | Add 0.17.0rc2 unsigned sigs for hebasto |
gitian-build.py | | Add 0.17.0rc2 signed sigs for hebasto |
laanwj | | laanwj 0.17.0rc2 unsigned |
laanwj | | laanwj 0.17.0rc2 signed |