Coder Social home page Coder Social logo

guix.sigs's Introduction

This repository contains Guix attestations for releases of Bitcoin Core.

Overall process

The Guix build consists of two stages:

  • In the first stage (noncodesigned), people compile the binaries from source.
  • Then, code signatures for Windows and MacOS are generated from the binaries that were produced in the first stage, and distributed to the builders.
  • In the second stage (all), the builders attach these code signatures.

See https://github.com/bitcoin/bitcoin/blob/master/doc/release-process.md#building on how to build the release with Guix and create an attestation.

Directory structure

  • /<version>/<signer>/: Build attestations for repository tag v<version> for <signer>.
    • noncodesigned.SHA256SUMS: Hashes of binaries produced by the first stage build for this version.
    • noncodesigned.SHA256SUMS.asc: Detached PGP signature for noncodesigned.SHA256SUMS.
    • all.SHA256SUMS: Hashes of binaries produced by the second stage build. This covers all the binaries uploaded to the website, and is what to check release binaries against.
    • all.SHA256SUMS.asc: Detached PGP signature for all.SHA256SUMS.
  • /builder-keys/<signer>.gpg: PGP keys of the signers. If you're going to do builds and contribute attestations, file a PR to add your key here.
  • /contrib: Scripts used in the CI tests.

guix.sigs's People

Contributors

0xb10c avatar achow101 avatar benthecarman avatar coinforensics avatar darosior avatar dongcarl avatar dunxen avatar emzy avatar fanquake avatar glozow avatar gruve-p avatar guggero avatar hebasto avatar jamesob avatar jonatack avatar josibake avatar kvaciral avatar laanwj avatar luke-jr avatar satsie avatar sipa avatar sipsorcery avatar sjors avatar svanstaa avatar thecharlatan avatar thestack avatar theuni avatar vertiond avatar willcl-ark avatar willyko avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Forkers

dongcarl fanquake hebasto sipa thecharlatan sjors achow101 laanwj groestlcoin luke-jr jonatack prusnak darosior thestack sipsorcery jarolrod hg333 saviour1001 benthecarman guggero jamesob willcl-ark eriknylund namecoin orly3196 xirdigh hixio-mh alethebat8640 adamlaska manny27nyc cryptoaffiliate187 glozow jnewbery gruve-p bitcoin-foundations isabella232 vertiond ratthakorn2509 dunxen dergoegge kvaciral jonas-ott suchat932 see887777 bitcoinknots gezegorz1 samkenxstream apdlrcjafg19 charlescowan satsie kotrozvidka luckystarz007 chem-oil-petroleum-inc clean-earth randymcmillan bitcoincore-dev willyko miles170 charlestonx-dao kst-energy pinkdiamond1 5l1v3r1 bigquin quantum-platinum-cloud quantum-platinum-cloud frfredo pcgandhinj466 melodic-gemz gmh5225 emzy coinforensics cryptography-air app-bitcoin-com josibake theuni wambani-254 5atoshin tguntenaar 02059200079 lildeebo2002 sscornelius candicelaney2021 jordan23j valecia2023 ravikantcool2023 minhtolove js1darren marithon-production-of-choice svanstaa 0xb10c jircs1 deed76876 leoarod princeprince559 bennie-elvambuena scot-ringa rsync25 leclaire714 astrabacus delta1

guix.sigs's Issues

.

.

Notification for mismatching builds

In #1201 it turns out that @0xB10C had been building mismatching builds for a while, without it being noticed before.

It would be useful to have some kind of notification when this happens. A mismatching build always points to a problem, either (in the good case) a local configuration issue, but it can also be a bug in the build system or worst-case even a backdoor attempt. So it needs to be investigated.

See discussion here: #1201 (comment)

Combined keys

Currently I import the keys by running:

 KEY_URL=https://raw.githubusercontent.com/bitcoin-core/guix.sigs/main/builder-keys

 curl -sSL ${KEY_URL}/CoinForensics.gpg | gpg --import - \
 && curl -sSL ${KEY_URL}/Emzy.gpg | gpg --import - \
 && curl -sSL ${KEY_URL}/Sjors.gpg | gpg --import - \
 && curl -sSL ${KEY_URL}/TheCharlatan.gpg | gpg --import - \
 && curl -sSL ${KEY_URL}/achow101.gpg | gpg --import - \
 && curl -sSL ${KEY_URL}/benthecarman.gpg | gpg --import - \
 && curl -sSL ${KEY_URL}/cfields.gpg | gpg --import - \
 && curl -sSL ${KEY_URL}/darosior.gpg | gpg --import - \
 && curl -sSL ${KEY_URL}/dunxen.gpg | gpg --import - \
 && curl -sSL ${KEY_URL}/fanquake.gpg | gpg --import - \
 && curl -sSL ${KEY_URL}/glozow.gpg | gpg --import - \
 && curl -sSL ${KEY_URL}/guggero.gpg | gpg --import - \
 && curl -sSL ${KEY_URL}/hebasto.gpg | gpg --import - \
 && curl -sSL ${KEY_URL}/jackielove4u.gpg | gpg --import - \
 && curl -sSL ${KEY_URL}/josibake.gpg | gpg --import - \
 && curl -sSL ${KEY_URL}/laanwj.gpg | gpg --import - \
 && curl -sSL ${KEY_URL}/satsie.gpg | gpg --import - \
 && curl -sSL ${KEY_URL}/sipa.gpg | gpg --import - \
 && curl -sSL ${KEY_URL}/svanstaa.gpg | gpg --import - \
 && curl -sSL ${KEY_URL}/theStack.gpg | gpg --import - \
 && curl -sSL ${KEY_URL}/vertiond.gpg | gpg --import - \
 && curl -sSL ${KEY_URL}/willyko.gpg | gpg --import -

But as soon as new signers will be added or removed in the future, the script will break.

So why is there not a single file that bundles all the current keys so that I dont have to download them all individually?

Or otherwise at least a file that contains all the names of the signers, so that I can parse that instead of hardcoding the names in my code?

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.