From 51326851c2e69f872ad42fa95b3c51bb9866c211 Mon Sep 17 00:00:00 2001
From: Kevin Gallagher
Date: Sat, 22 Oct 2016 16:43:13 -0700
Subject: [PATCH] Import keys but don't use Ansible git verify_commit

Per an upstream Ansible bug, verifying signed tags is not supported yet. Also removes non-working scp.sh script. Updates README to explain how to run gverify. Changes zcash_version to v1.0.0-rc2
---
 README.md | 7 +++----
 gitian.yml | 3 +--
 roles/gitian/defaults/main.yml | 1 -
 roles/gitian/tasks/{verify.yml => keys.yml} | 0
 roles/gitian/tasks/main.yml | 6 ++----
 scp.sh | 3 ---
 6 files changed, 6 insertions(+), 14 deletions(-)
 rename roles/gitian/tasks/{verify.yml => keys.yml} (100%)
 delete mode 100755 scp.sh
diff --git a/README.md b/README.md
index 2642f50..2dc22bf 100644
--- a/README.md
+++ b/README.md
@@ -58,9 +58,6 @@ gpg_key_id: ''
 # OPTIONAL set to import your SSH key into the VM. Example: id_rsa, id_ed25519. Assumed to reside in ~/.ssh
 ssh_key_name: ''
-
-# Set to true in order to verify signed git tags while cloning Zcash. Developer public keys will be imported to the Vagrant user's GPG keyring.
-git_verify_sigs: false
 ```
 Make sure VirtualBox, Vagrant and Ansible are installed, and then run:
@@ -88,6 +85,8 @@ Generating and uploading signatures
 After the build successfully completes, `gsign` will be called. Commit and push your signatures (both the .assert and .assert.sig files) to the [zcash/gitian.sigs](https://github.com/zcash/gitian.sigs) repository, or if that's not possible then create a pull request.
+Signatures can be verified by running `gitian-build.sh --verify`, but set `build=false` in the script to skip building. Run a `git pull` beforehand on `gitian.sigs` so you have the latest. The provisioning includes a task which imports Zcash developer public keys to the Vagrant user's keyring and sets them to ultimately trusted, but they can also be found at `contrib/gitian-downloader` within the Zcash source repository.
+
 Working with GPG and SSH
 --------------------------
@@ -109,7 +108,7 @@ Vagrant synced folders may also work natively with `vboxfs` if you install Virtu
 Copying files
 -------------
-You can use the provided script `scp.sh`. Another way to do it is with a plugin.
+The easiest way to do it is with a plugin.
 vagrant plugin install vagrant-scp
diff --git a/gitian.yml b/gitian.yml
index 2ae1690..3d49e94 100644
--- a/gitian.yml
+++ b/gitian.yml
@@ -4,13 +4,12 @@
 hosts: localhost:zcash-build
 vars:
 zcash_git_repo_url: https://github.com/zcash/zcash
- zcash_version: v1.0.0-rc1
+ zcash_version: v1.0.0-rc2
 gpg_key_name: ''
 git_name: ''
 git_email: ''
 gpg_key_id: '' # optional
 ssh_key_name: '' # optional
- git_verify_sigs: true
 roles:
 - role: common
 tags: common
diff --git a/roles/gitian/defaults/main.yml b/roles/gitian/defaults/main.yml
index d18a810..ee99fc5 100644
--- a/roles/gitian/defaults/main.yml
+++ b/roles/gitian/defaults/main.yml
@@ -9,7 +9,6 @@ zcash_gitian_sigs_repo: https://github.com/zcash/gitian.sigs
 zcash_version: master
 gitian_host_ip: 10.0.2.15
 lxc_guest_ip: 10.0.3.5
-git_verify_sigs: false
 zcash_developer_pubkeys:
 - name: nathan
 id: ED417FBE79C99E8C
diff --git a/roles/gitian/tasks/verify.yml b/roles/gitian/tasks/keys.yml
similarity index 100%
rename from roles/gitian/tasks/verify.yml
rename to roles/gitian/tasks/keys.yml
diff --git a/roles/gitian/tasks/main.yml b/roles/gitian/tasks/main.yml
index 95d941a..2430981 100644
--- a/roles/gitian/tasks/main.yml
+++ b/roles/gitian/tasks/main.yml
@@ -129,9 +129,8 @@
 force: yes
 become_user: "{{ gitian_user }}"
-- include: verify.yml
- tags: verify
- when: git_verify_sigs == true
+- include: keys.yml
+ tags: keys
 - name: Clone git repository for Zcash.
 git:
@@ -139,7 +138,6 @@
 dest: "/home/{{ gitian_user }}/zcash"
 version: "{{ zcash_version }}"
 force: yes
- verify_commit: "{% if git_verify_sigs == true %}yes{% else %}no{% endif %}"
 become_user: "{{ gitian_user }}"
 - name: Clone git repository for Gitian signatures.
diff --git a/scp.sh b/scp.sh
deleted file mode 100755
index 3ff85f6..0000000
--- a/scp.sh
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-OPTIONS=`vagrant ssh-config zcash-build | awk -v ORS=' ' '{print "-o " $1 "=" $2}'`
-scp ${OPTIONS} "$@" || echo "Transfer failed."
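Review bot: The `- include: keys.yml` task in the `-129,9 +129,8` hunk of roles/gitian/tasks/main.yml no longer carries a `when:` guard, so every provisioning run imports the developer keys, and the README text added in this commit says they are set to ultimately trusted. Ultimate trust goes beyond what checking a signature needs, because it makes those keys trust roots for everything else in that keyring; the include deserves a comment that says so, for example `# Imports Zcash developer keys and marks them ultimately trusted; skip with --skip-tags keys`. keys.yml is renamed without changes and its content is not part of this patch, so how the keys are fetched cannot be checked here; if it looks them up by the 64-bit IDs listed in roles/gitian/defaults/main.yml (`ED417FBE79C99E8C`), full fingerprints would be the safer identifier.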
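Review bot: With `verify_commit` dropped from the "Clone git repository for Zcash." task (hunk `-139,7 +138,6`), nothing in the provisioning checks a signature on `{{ zcash_version }}` any more, although gitian.yml shipped `git_verify_sigs: true` before this commit. The gitian.yml and roles/gitian/defaults/main.yml hunks only delete the variable, so anyone who still sets it gets an unverified checkout without any message. Since keys.yml now always runs before the clone, a follow-up task can run `git verify-tag` on the checkout and fail the play when the signature does not validate against the keys in that user's keyring. It has to be limited to tag checkouts, because the role default for `zcash_version` is the branch `master`. The clone task starts above this hunk, so the new task belongs directly after its `become_user` line.

```yaml
# … unchanged: "Clone git repository for Zcash." task …
  become_user: "{{ gitian_user }}"

- name: Verify the GPG signature on the checked-out Zcash tag.
  command: git verify-tag "{{ zcash_version }}"
  args:
    chdir: "/home/{{ gitian_user }}/zcash"
  # The role default for zcash_version is the branch 'master', which carries no tag signature.
  when: zcash_version != 'master'
  changed_when: false
  become_user: "{{ gitian_user }}"
```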