GPG-sign releases/tags or commits

[seberm]

Hello,
I am working on integrating rust-teos into a nix-bitcoin project:

• Add support for core lightning watchtower TEoS (The Eye of Satoshi) - server and client fort-nix/nix-bitcoin#543

The nix-bitcoin uses a signature checking for all package releases. I have not found any signatures for rust-teos. Could you please add signatures? This would remove Github as a trusted party for distributing rust-teos.

For more info, please see:

• Request: GPG-sign releases or commits nbd-wtf/trustedcoin#12

Thanks!

[mariocynicys]

So do we need to release binaries and sign them, right?

[seberm]

You can also release binaries and sign them, but more important to nix-bitcoin/nix projects is to sign the source code itself. These projects do not use ready-made binaries, everything is compiled from source.

You have basically two options:

1. Generate the checksums of released tar archives and sign this checksum file. You can take the clightning project as an example:

• https://github.com/ElementsProject/lightning/releases
• https://github.com/ElementsProject/lightning/releases/download/v0.12.0/SHA256SUMS.asc

2. Or, and I think this is the best approach, you can sign all the (future) commits and tags in this repository.

• See @erikarvstedt 's comment here: Request: GPG-sign releases or commits nbd-wtf/trustedcoin#12 (comment)

[sr-gi]

@seberm thanks for taking the time to add rust-teos into nix-bitcoin. I'll make sure to add the signatures for v0.1.2 onwards if that makes sense.

[sr-gi]

@seberm I took a look at this and we are already signing all commits. I guess the only missing part may be to publish the GPG pubkey to the keyservers.

PS: I just added them. Let me know if there is anything else missing.

[seberm]

Hello @sr-gi ,
right now I can see that only commits from @meryacine are signed (e.g. f0f9879) . Is there a commit of yours which is already signed by your key?

It would be also great if you could also sign a tag as soon as you create one using:

git tag -s v0.1.2 -m '<your tag message>'

More info: https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work

Thanks!

[sr-gi]

Oh, my bad, looks like it was GH signing this on my behalf with the GPG key I had uploaded here. I enabled client-side signing for my last commit: 3912523

[seberm]

Great! Everything seems fine, I think we are good to go with v0.1.2 :). Just please do not forget to also sign a tag.

[sr-gi]

Great. I'll wait to close this until the tag is created (that should be after the last issue in https://github.com/talaia-labs/rust-teos/milestone/1 gets fixed).

[sr-gi]

@seberm v0.1.2 got its first RC, in case you want to test that the sigs are correct.

https://github.com/talaia-labs/rust-teos/releases/tag/v0.1.2-rc1

[seberm]

Hello @sr-gi ,
everything seems fine :)

• https://github.com/fort-nix/nix-bitcoin/blob/89c50a70c73cd275a79088cd876c5f948b44fbfb/pkgs/teos/get-sha256.sh

./get-sha256.sh
warning: Git tree '/home/user/Repos/nix-bitcoin' is dirty
Fetching latest release
Latest release is v0.1.2-rc1
Fetching Sergi Delgado Segura's key
Verifying latest release
gpg: Signature made Tue Sep 20 15:20:37 2022 CEST
gpg:                using EDDSA key C1EC813BB179E3EAEDDB216E35DDB7126CCB7618
gpg: Good signature from "Sergi Delgado Segura <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: C1EC 813B B179 E3EA EDDB  216E 35DD B712 6CCB 7618
tag: v0.1.2-rc1
sha256: 0ilrpi6a5w5f3wawilkgqdkf3b7sjq9s40205gj7p3s04ps00n0

[sr-gi]

I just released v0.1.2.

https://github.com/talaia-labs/rust-teos/releases/tag/v0.1.2