Import Zcash developer public keys

* Changes method for setting trust level of GPG keys * Import keys but don't use Ansible git verify_commit Per an upstream Ansible bug, verifying signed tags is not supported yet. Also removes non-working scp.sh script. Updates README to explain how to run gverify. Changes zcash_version to v1.0.0-rc2
2016-10-22 16:44:26 -07:00 · 2016-10-22 16:44:26 -07:00 · 00e9d9d76f
parent 396899dcc3
commit 00e9d9d76f
6 changed files with 46 additions and 5 deletions
--- a/README.md
+++ b/README.md
@ -85,6 +85,8 @@ Generating and uploading signatures

 After the build successfully completes, `gsign` will be called. Commit and push your signatures (both the .assert and .assert.sig files) to the [zcash/gitian.sigs](https://github.com/zcash/gitian.sigs) repository, or if that's not possible then create a pull request.

+Signatures can be verified by running `gitian-build.sh --verify`, but set `build=false` in the script to skip building. Run a `git pull` beforehand on `gitian.sigs` so you have the latest. The provisioning includes a task which imports Zcash developer public keys to the Vagrant user's keyring and sets them to ultimately trusted, but they can also be found at `contrib/gitian-downloader` within the Zcash source repository.
+
 Working with GPG and SSH
 --------------------------

@ -106,7 +108,7 @@ Vagrant synced folders may also work natively with `vboxfs` if you install Virtu
 Copying files
 -------------

-You can use the provided script `scp.sh`. Another way to do it is with a plugin.
+The easiest way to do it is with a plugin.

    vagrant plugin install vagrant-scp

--- a/gitian.yml
+++ b/gitian.yml
@ -4,7 +4,7 @@
  hosts: localhost:zcash-build
  vars:
    zcash_git_repo_url: https://github.com/zcash/zcash
-    zcash_version: v1.0.0-rc1
+    zcash_version: v1.0.0-rc2
    gpg_key_name: ''
    git_name: ''
    git_email: ''
--- a/roles/gitian/defaults/main.yml
+++ b/roles/gitian/defaults/main.yml
@ -9,3 +9,16 @@ zcash_gitian_sigs_repo: https://github.com/zcash/gitian.sigs
 zcash_version: master
 gitian_host_ip: 10.0.2.15
 lxc_guest_ip: 10.0.3.5
+zcash_developer_pubkeys:
+  - name: nathan
+    id: ED417FBE79C99E8C
+  - name: daira
+    id: 067F492098CF2762
+  - name: sean
+    id: 95684257D8F8B031
+  - name: jack
+    id: 0EC51FCDA94FB53E
+  - name: simon
+    id: C8F49C081F3AC6C4
+  - name: kevin
+    id: B604C32AD5D7C6D8
--- a/roles/gitian/tasks/keys.yml
+++ b/roles/gitian/tasks/keys.yml
@ -0,0 +1,25 @@
+---
+- name: Download Zcash developer public keys from website.
+  become: yes
+  get_url:
+    url: "https://z.cash/gpg-pubkeys/{{ item.name }}.asc"
+    dest: "/tmp/{{ item.id }}.asc"
+    owner: "{{ gitian_user }}"
+    group: "{{ gitian_user }}"
+    mode: "0644"
+  with_items: "{{ zcash_developer_pubkeys }}"
+
+- name: Import Zcash developer public keys.
+  command: "gpg --import /tmp/{{ item.id }}.asc"
+  become_user: "{{ gitian_user }}"
+  with_items: "{{ zcash_developer_pubkeys }}"
+
+- name: Set Zcash developer public keys to ultimately trusted.
+  shell: >
+    gpg --list-keys --with-colons --with-fingerprint `gpg --list-keys
+    --with-colons | grep "pub:f:.*:-:" |
+    sed -r -e 's/pub:f:[0-9]+:[0-9]+:([A-F0-9]+):.*/0x\1/'` | grep "^fpr:" |
+    sed -r -e 's/fpr:::::::::([0-9A-F]+):/\1:6:/' | gpg --import-ownertrust
+  become_user: "{{ gitian_user }}"
+  args:
+    executable: /bin/bash
--- a/roles/gitian/tasks/main.yml
+++ b/roles/gitian/tasks/main.yml
@ -21,6 +21,7 @@
    - curl
    - debootstrap
    - git-core
+    - gnupg2
    - kpartx
    - make
    - parted
@ -128,6 +129,9 @@
    force: yes
  become_user: "{{ gitian_user }}"

+- include: keys.yml
+  tags: keys
+
 - name: Clone git repository for Zcash.
  git:
    repo: "{{ zcash_git_repo_url }}"
--- a/scp.sh
+++ b/scp.sh
@ -1,3 +0,0 @@
-#!/bin/sh
-OPTIONS=`vagrant ssh-config zcash-build | awk -v ORS=' ' '{print "-o " $1 "=" $2}'`
-scp ${OPTIONS} "$@" || echo "Transfer failed."