Merge pull request #58 from charlieok/update_gitian_setup
Update gitian setup
commit
b2f9de80b9
|
@ -0,0 +1,4 @@
|
|||
GPG_KEY_ID=3F14A629C06FA31D59C64FE93F0C2117D53A4A49
|
||||
GPG_KEY_NAME=hpotter
|
||||
ZCASH_GIT_REPO_URL=https://github.com/zcash/zcash
|
||||
ZCASH_VERSION=v2.0.4
|
|
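Review bot: The `GPG_KEY_ID` and `GPG_KEY_NAME` lines carry values that look like a real fingerprint and signer name, so someone who copies this file (presumably `.env.example`) to `.env` unchanged gets no hint that they still need editing until signing fails or signatures land under `hpotter`. Consider obvious placeholders, or a comment line above each variable saying it must be replaced with the value from your own `gpg --list-keys` output, plus a short comment that `ZCASH_VERSION` expects a git tag name.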
@ -0,0 +1,5 @@
|
|||
source_up
|
||||
dotenv
|
||||
|
||||
export GIT_NAME=`git config user.name`
|
||||
export GIT_EMAIL=`git config user.email`
|
|
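Review bot: The `GIT_NAME` and `GIT_EMAIL` exports use unquoted backtick substitution and never check for an empty result, so a machine with no `user.name` or `user.email` configured exports empty strings and the problem only surfaces later inside the VM. Suggest `export GIT_NAME="$(git config user.name)"` and the same for the email, with a guard that prints an error when either value is empty. A comment noting that `source_up` runs before `dotenv`, so `.env` values are applied after anything a parent `.envrc` sets, would also help readers reason about which value wins.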
@ -1,4 +1,8 @@
|
|||
.env
|
||||
.envrc
|
||||
.vagrant/*
|
||||
*.swp
|
||||
gitian.sigs/*
|
||||
local/*
|
||||
!local/README.md
|
||||
zcash-binaries/*
|
||||
|
|
329
README.md
|
@ -21,7 +21,7 @@ If you're using one of the following platforms, see the linked instructions for
|
|||
|
||||
- [Debian 9.x](dependency_install_steps_by_platform/Debian_9.x.md)
|
||||
- [Ubuntu 18.04.x](dependency_install_steps_by_platform/Ubuntu_18.04.x.md)
|
||||
- [macOS 10.13.x](dependency_install_steps_by_platform/macOS_10.13.x.md)
|
||||
- [macOS](dependency_install_steps_by_platform/macOS.md)
|
||||
|
||||
|
||||
If you're not using one of the platforms that we have specific instructions for, this is the list of
|
||||
|
@ -31,22 +31,9 @@ above!
|
|||
- [Git](https://git-scm.com/)
|
||||
- [VirtualBox](https://www.virtualbox.org/)
|
||||
- [Vagrant](https://www.vagrantup.com/) 2.0.3 or higher
|
||||
- [Ansible](https://www.ansible.com/) 2.4.x or higher
|
||||
- [GnuPG](https://www.gnupg.org/) 2.x (2.11.18 or greater) and make sure it is callable via `gpg2`
|
||||
|
||||
|
||||
## Install the `vagrant-disksize` plugin to support resize of the start up disk:
|
||||
|
||||
```
|
||||
$ vagrant plugin install vagrant-disksize
|
||||
```
|
||||
|
||||
Most recently tested 2019-02-13 with the following vagrant-disksize release:
|
||||
|
||||
```
|
||||
$ vagrant plugin list
|
||||
vagrant-disksize (0.1.3)
|
||||
```
|
||||
- [GnuPG](https://www.gnupg.org/) 2.x (2.11.18 or greater)
|
||||
- [Python](https://www.python.org/) 3.x (with `venv` support in case that is packaged separately)
|
||||
- [direnv](https://direnv.net/) (Optional/Recommended)
|
||||
|
||||
|
||||
|
||||
|
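Review bot: The rewritten GnuPG requirement line still reads `2.11.18 or greater`, which is not a GnuPG release number; the Debian instructions touched by this same commit say `2.1.18`, and the tested versions shown elsewhere are 2.1.18 and 2.2.x. Since the line is being edited anyway to drop the `gpg2` requirement, correct the number here and in the new macOS document heading that repeats it.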
@ -75,8 +62,8 @@ $ git config user.email
|
|||
hpotter@hogwarts.wiz
|
||||
```
|
||||
|
||||
This is all the configuration needed for the steps below, but here is a good reference for further
|
||||
reading on configuring git:
|
||||
This is all the git configuration needed for the steps below, but here is a good reference for
|
||||
further reading on configuring git:
|
||||
|
||||
https://git-scm.com/book/en/v2/Customizing-Git-Git-Configuration
|
||||
|
||||
|
@ -87,7 +74,7 @@ https://git-scm.com/book/en/v2/Customizing-Git-Git-Configuration
|
|||
You can generate a keypair specifically for connecting to github like this:
|
||||
|
||||
```
|
||||
$ ssh-keygen -t rsa -C "hpotter@hogwarts.wiz" -f ~/.ssh/github_id_rsa -N ''
|
||||
$ ssh-keygen -t rsa -b 4096 -C "hpotter@hogwarts.wiz" -f ~/.ssh/github_id_rsa -N ''
|
||||
Generating public/private rsa key pair.
|
||||
Your identification has been saved in /Users/hpotter/.ssh/github_id_rsa.
|
||||
Your public key has been saved in /Users/hpotter/.ssh/github_id_rsa.pub.
|
||||
|
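Review bot: The updated `ssh-keygen` line adds `-b 4096` but keeps `-N ''`, so the private key is written to `~/.ssh/github_id_rsa` unencrypted. Later steps load this key into `ssh-agent`, so a passphrase would cost the user one prompt per session; suggest dropping `-N ''` from the example or adding a sentence that explains why an empty passphrase is chosen.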
@ -159,20 +146,241 @@ $
|
|||
|
||||
## Clone this git project on your machine
|
||||
|
||||
From a location where you want to place your local clone of this repository (e.g. `~/Projects`)
|
||||
|
||||
```
|
||||
$ git clone git@github.com:zcash/zcash-gitian.git
|
||||
```
|
||||
|
||||
cd into the project repo
|
||||
|
||||
```
|
||||
$ cd zcash-gitian
|
||||
zcash-gitian
|
||||
```
|
||||
|
||||
|
||||
## Add git config values to gitian.yml
|
||||
## Copy example environment configuration files
|
||||
|
||||
The `gitian.yml` file in the root of the project has some blank values that need to be updated or
|
||||
filled in:
|
||||
The files `.env.example` and `.envrc.example` are tracked in the repo as example configurations you
|
||||
should be able to use to get started. The filenames `.env` and `.envrc` are `.gitignore`'d to allow
|
||||
you to easily make local customizations that don't show up as untracked changes.
|
||||
|
||||
- `zcash_version`: The git tag name of the version of zcash you want to build
|
||||
- `git_name`: You probably want the output from `git config user.name`
|
||||
- `git_email`: You probably want the output from `git config user.email`
|
||||
Note that `.envrc` is probably only useful if you are using `direnv`. If you're not, you can ignore
|
||||
that file and the places below that talk about it, and use your preferred way of managing
|
||||
environment variables instead.
|
||||
|
||||
```
|
||||
zcash-gitian$ cp .env.example .env
|
||||
zcash-gitian$ cp .envrc.example .envrc
|
||||
direnv: error .envrc is blocked. Run `direnv allow` to approve its content.
|
||||
zcash-gitian$
|
||||
```
|
||||
|
||||
More on that above message in the following section...
|
||||
|
||||
|
||||
|
||||
## Enable auto-execution of .envrc
|
||||
|
||||
If you installed and activated `direnv`, it will detect when `.envrc` is created in your current
|
||||
directory, as shown above. As a security precaution, it won't automatically run it without your
|
||||
approval (to prevent untrusted code from doing something malicious). Let's take a look at what's in
|
||||
the file:
|
||||
|
||||
```
|
||||
zcash-gitian$ cat .envrc
|
||||
source_up
|
||||
dotenv
|
||||
|
||||
export GIT_NAME=`git config user.name`
|
||||
export GIT_EMAIL=`git config user.email`
|
||||
direnv: error .envrc is blocked. Run `direnv allow` to approve its content.
|
||||
zcash-gitian$
|
||||
```
|
||||
|
||||
Some explanation of the lines in the above `.envrc` file:
|
||||
|
||||
```
|
||||
`source_up` Load any .envrc higher up in the folder structure. So if for
|
||||
example you place an `.envrc` in your home directory, variables
|
||||
set there will still be available within this project, rather
|
||||
than being overridden by this project's `.envrc`.
|
||||
|
||||
`dotenv` Set the environment variables defined in `.env`. Think of
|
||||
`.envrc` as code (it runs in a bash interpreter with some extra
|
||||
functions added) and `.env` as data (you can basically just set
|
||||
literal values, and each update to it doesn't require approval).
|
||||
|
||||
|
||||
export GIT_NAME=`git config user.name`
|
||||
export GIT_EMAIL=`git config user.email`
|
||||
|
||||
Use your local git configuration values for the name and email
|
||||
that will be used to add build signatures inside the virtual
|
||||
environment.
|
||||
```
|
||||
|
||||
|
||||
If you're ok with running `.envrc`, follow the directions in the prompt to allow it.
|
||||
|
||||
```
|
||||
zcash-gitian$ echo $ZCASH_GIT_REPO_URL
|
||||
|
||||
direnv: error .envrc is blocked. Run `direnv allow` to approve its content.
|
||||
zcash-gitian$ direnv allow
|
||||
direnv: loading .envrc
|
||||
direnv: export +GIT_EMAIL +GIT_NAME +GPG_KEY_ID +GPG_KEY_NAME +ZCASH_GIT_REPO_URL +ZCASH_VERSION
|
||||
zcash-gitian$ echo $ZCASH_GIT_REPO_URL
|
||||
https://github.com/zcash/zcash
|
||||
zcash-gitian$
|
||||
```
|
||||
|
||||
A variable defined in `.env` is now active in our environment. If we leave this project, it is
|
||||
unloaded. When we return, it is reloaded:
|
||||
|
||||
```
|
||||
zcash-gitian$ cd ..
|
||||
direnv: unloading
|
||||
$ echo $ZCASH_GIT_REPO_URL
|
||||
|
||||
$ cd zcash-gitian/
|
||||
direnv: loading .envrc
|
||||
direnv: export +GIT_EMAIL +GIT_NAME +GPG_KEY_ID +GPG_KEY_NAME +ZCASH_GIT_REPO_URL +ZCASH_VERSION
|
||||
zcash-gitian$ echo $ZCASH_GIT_REPO_URL
|
||||
https://github.com/zcash/zcash
|
||||
zcash-gitian$
|
||||
```
|
||||
|
||||
Project-specific environment settings will come in handy in the next step, when we'll create an
|
||||
isolated python virtual environment specifically for use with this project.
|
||||
|
||||
|
||||
|
||||
## Create a python virtual environment for this project
|
||||
|
||||
Note: The main purpose of this part is to get a current version of ansible, and keep it locally
|
||||
within this project. If you already installed ansible (e.g. from an OS package manager like apt),
|
||||
you can skip this part and the following parts about pip and pip packages.
|
||||
|
||||
When creating a virtual environment, call the python executable you want the virtual environment to
|
||||
use. The location and version will depend on your specific setup -- your OS may provide a suitably
|
||||
current python interpreter, or you may have built and installed one yourself. If it's in your PATH,
|
||||
a command like `type python3` should tell you where it is installed on your system. For example:
|
||||
|
||||
```
|
||||
zcash-gitian$ type python3
|
||||
python3 is /usr/local/bin/python3
|
||||
zcash-gitian$ /usr/local/python3 --version
|
||||
Python 3.7.2
|
||||
```
|
||||
|
||||
We can use python's built-in `venv` module to create a virtual environment:
|
||||
|
||||
```
|
||||
zcash-gitian$ /usr/local/bin/python3 -m venv local/python_v3.7.2_venv
|
||||
```
|
||||
|
||||
Translation: "Create a virtual environment at ./local/python_v3.7.2_venv".
|
||||
|
||||
The project subdirectory `local` is `.gitignored` to provide a convenient location for files we
|
||||
don't want to commit and track in version control.
|
||||
|
||||
You should now have a tree of directories and files in `local/python_v3.7.2_venv`:
|
||||
|
||||
```
|
||||
zcash-gitian$ ls -F local/python_v3.7.2_venv/
|
||||
bin/ include/ lib/ pyvenv.cfg
|
||||
```
|
||||
|
||||
Inside the `bin` directory, among other things, are the entries `python` and `python3`, which are
|
||||
symlinks that point back to the `python3` executable we used to create this environment:
|
||||
|
||||
```
|
||||
zcash-gitian$ ls -F local/python_v3.7.2_venv/bin/
|
||||
activate activate.fish easy_install-3.7* pip3* python@
|
||||
activate.csh easy_install* pip* pip3.7* python3@
|
||||
```
|
||||
|
||||
A python virtual environment is 'active' if the python interpreter being executed is run from its
|
||||
path inside the environment's `bin` directory. Even though the file being executed is the same
|
||||
whether run directly or via a symlink, it pays attention to the path of the command that was used to
|
||||
run it.
|
||||
|
||||
An `activate` script is provided, and you can use that, but if you're using `direnv` you can set up
|
||||
a simple automatic activation for the project directory by adding the following line to `.envrc`:
|
||||
|
||||
```
|
||||
load_prefix local/python_v3.7.2_venv
|
||||
```
|
||||
|
||||
The command `load_prefix` is provided by `direnv` to modify a whole set of common "path" variables
|
||||
(including PATH) according to a common unix pattern.
|
||||
|
||||
Let's add that line now:
|
||||
|
||||
```
|
||||
zcash-gitian$ echo "load_prefix local/python_v3.7.2_venv" >> .envrc
|
||||
direnv: error .envrc is blocked. Run `direnv allow` to approve its content.
|
||||
zcash-gitian$ direnv allow
|
||||
direnv: loading .envrc
|
||||
direnv: export +CPATH +GIT_EMAIL +GIT_NAME +GPG_KEY_ID +GPG_KEY_NAME +LD_LIBRARY_PATH +LIBRARY_PATH +MANPATH +PKG_CONFIG_PATH +ZCASH_GIT_REPO_URL +ZCASH_VERSION ~PATH
|
||||
zcash-gitian$
|
||||
```
|
||||
|
||||
When the content of `.envrc` is changed, it needs to be approved again (another security
|
||||
precaution). Then, several variables were set or updated to add paths within our virtual environment
|
||||
directory at the front (left side) of the list. Let's look at PATH and its effect on which `python`
|
||||
locations we default to:
|
||||
|
||||
```
|
||||
zcash-gitian$ echo $PATH
|
||||
/Users/harrypotter/Projects/zcash-gitian/local/python_v3.7.2_venv/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
|
||||
zcash-gitian$ type python
|
||||
python is /Users/harrypotter/Projects/zcash-gitian/local/python_v3.7.2_venv/bin/python
|
||||
zcash-gitian$ type python3
|
||||
python3 is /Users/harrypotter/Projects/zcash-gitian/local/python_v3.7.2_venv/bin/python3
|
||||
```
|
||||
|
||||
Since the `python` and `python3` commands will now run from the locations we've installed into our
|
||||
project's virtual environment while we are in the project directory, we can consider the virtual
|
||||
environment active when using a shell at (or below) that location.
|
||||
|
||||
|
||||
|
||||
## Upgrade pip
|
||||
|
||||
`pip` has a command to upgrade itself. Let's go ahead and run that:
|
||||
|
||||
```
|
||||
zcash-gitian$ pip --version
|
||||
pip 18.1 from /Users/harrypotter/Projects/zcash-gitian/local/python_v3.7.2_venv/lib/python3.7/site-packages/pip (python 3.7)
|
||||
zcash-gitian$ pip install --upgrade pip
|
||||
Collecting pip
|
||||
[...]
|
||||
Successfully installed pip-19.0.3
|
||||
```
|
||||
|
||||
|
||||
|
||||
## Install pip packages
|
||||
|
||||
We have some dependencies to install as python packages, using the pip package manager installed
|
||||
above. The set we need, with version numbers managed via git, is in `requirements-pip.lock`; we can
|
||||
run `pip install` with that file as input:
|
||||
|
||||
```
|
||||
zcash-gitian$ pip install --requirement requirements-pip.lock
|
||||
```
|
||||
|
||||
Check that you can run `ansible` from the command line:
|
||||
|
||||
```
|
||||
zcash-gitian$ ansible --version
|
||||
ansible 2.7.9
|
||||
[...]
|
||||
zcash-gitian$
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
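Review bot: In the `type python3` example the following command runs `/usr/local/python3 --version`, but the path reported just above it and used in the `venv` command is `/usr/local/bin/python3`; the `bin` component is missing. The sample paths also switch between `/Users/hpotter` earlier in the README and `/Users/harrypotter` in the `PATH` output here, which is worth making consistent. For the `pip install --requirement requirements-pip.lock` step, if the lock file carries hashes, adding `--require-hashes` would make the install fail on a tampered package rather than relying on version pins alone.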
@ -182,7 +390,7 @@ You can generate a keypair specifically for zcash gitian builds with a command l
|
|||
|
||||
|
||||
```
|
||||
$ gpg2 --quick-generate-key --batch --passphrase '' "Harry Potter (zcash gitian) <hpotter@hogwarts.wiz>"
|
||||
zcash-gitian$ gpg --quick-generate-key --batch --passphrase '' "Harry Potter (zcash gitian) <hpotter@hogwarts.wiz>"
|
||||
gpg: key 3F0C2117D53A4A49 marked as ultimately trusted
|
||||
gpg: directory '/home/hpotter/.gnupg/openpgp-revocs.d' created
|
||||
gpg: revocation certificate stored as '/home/hpotter/.gnupg/openpgp-revocs.d/3F14A629C06FA31D59C64FE93F0C2117D53A4A49.rev'
|
||||
|
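Review bot: Switching this command from `gpg2` to `gpg` assumes that `gpg` on the reader's machine is GnuPG 2.x; `--quick-generate-key` is not available in GnuPG 1.x, so where `gpg` is the 1.x binary this step fails with an option error. A `gpg --version` check just before the command would catch that. The prompt also changes to `zcash-gitian$` while the output paths stay under `/home/hpotter`, unlike the `/Users/...` paths used in the newly added sections.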
@ -205,7 +413,7 @@ Some explanation of the arguments used in the above example:
|
|||
You can check that the key was generated and added to your local gpg key database, and see its
|
||||
fingerprint value, like this:
|
||||
```
|
||||
$ gpg2 --list-keys
|
||||
zcash-gitian$ gpg --list-keys
|
||||
/home/hpotter/.gnupg/pubring.kbx
|
||||
----------------------------------
|
||||
pub rsa2048 2018-04-23 [SC] [expires: 2020-04-22]
|
||||
|
@ -214,14 +422,34 @@ uid [ultimate] Harry Potter (zcash gitian) <hpotter@hogwarts.wiz>
|
|||
sub rsa2048 2018-04-23 [E]
|
||||
```
|
||||
|
||||
Update the `gpg_key_id` and `gpg_key_name` entries in `gitian.yml` as follows:
|
||||
Update your `GPG_KEY_ID` and `GPG_KEY_NAME` variables in `.env` as follows:
|
||||
|
||||
- `gpg_key_id`: In the example output shown here, this is the 40 character string
|
||||
- `GPG_KEY_ID`: In the example output shown here, this is the 40 character string
|
||||
`3F14A629C06FA31D59C64FE93F0C2117D53A4A49`. Some versions of gpg may truncate this value, e.g. to 8
|
||||
or 16 characters. You should be able to use the truncated value.
|
||||
|
||||
- `gpg_key_name`: the part before the @ symbol of the associated email address. In our example
|
||||
this is `hpotter`.
|
||||
- `GPG_KEY_NAME`: This is passed as the '--signer' argument to Gitian, and used as the name of a
|
||||
directory for your signatures in our `gitian.sigs` repository. We suggest using the username portion
|
||||
of the email address associated with your GPG key. In our example this is `hpotter`.
|
||||
|
||||
|
||||
|
||||
## Install Vagrant plugins
|
||||
|
||||
This project uses some 3rd party Vagrant plugins. These dependencies are specified in `Vagrantfile`.
|
||||
We can install them locally in the `.vagrant` directory with the following command:
|
||||
|
||||
```
|
||||
zcash-gitian$ vagrant plugin install --local
|
||||
```
|
||||
|
||||
|
||||
|
||||
## Configure the version of zcash you want to build and sign
|
||||
|
||||
Set the value of the `ZCASH_VERSION` variable in `.env` to point to the zcash commit you want to
|
||||
create a signature for. Likely you want the name of a git tag, such as `v2.0.4`.
|
||||
|
||||
|
||||
|
||||
## Provision a virtual machine
|
||||
|
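Review bot: The `GPG_KEY_ID` bullet still tells readers that a value truncated to 8 or 16 characters is acceptable; short key IDs can collide, and this value selects the key that signs build results. Recommend asking for the full 40 character fingerprint, which is what the example value already is. In the `ZCASH_VERSION` section, consider adding that a tag name is resolved when the build runs, so signers should confirm the tag points at the commit they expect before signing.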
@ -229,14 +457,12 @@ this is `hpotter`.
|
|||
From the project root directory, run:
|
||||
|
||||
```
|
||||
$ vagrant up --provision zcash-build
|
||||
zcash-gitian$ vagrant up --provision zcash-build
|
||||
```
|
||||
|
||||
This will provision a Gitian host virtual machine that uses a Linux container (LXC) guest to perform
|
||||
the actual builds.
|
||||
|
||||
Use `git stash` to save one's local customizations to `gitian.yml`.
|
||||
|
||||
|
||||
Load your ssh key into ssh-agent
|
||||
--------------------------------
|
||||
|
@ -247,13 +473,13 @@ This way, we don't need to copy ssh keys into the VM. You can verify that the ke
|
|||
running `ssh-add -l`.
|
||||
|
||||
```
|
||||
$ ssh-add -l
|
||||
zcash-gitian$ ssh-add -l
|
||||
The agent has no identities.
|
||||
|
||||
$ ssh-add ~/.ssh/github_id_rsa
|
||||
zcash-gitian$ ssh-add ~/.ssh/github_id_rsa
|
||||
Identity added: /home/hpotter/.ssh/github_id_rsa (/home/hpotter/.ssh/github_id_rsa)
|
||||
|
||||
$ ssh-add -l
|
||||
zcash-gitian$ ssh-add -l
|
||||
4096 SHA256:4fFdwJ71VIpF5cW0dqrsU7jxjctaFcAKmdQZPEqR0Y4 /home/hpotter/.ssh/github_id_rsa (RSA)
|
||||
```
|
||||
|
||||
|
@ -264,7 +490,7 @@ SSH into the VM
|
|||
Vagrant should now show that the new VM is in the 'running' state:
|
||||
|
||||
```
|
||||
$ vagrant status
|
||||
zcash-gitian$ vagrant status
|
||||
Current machine states:
|
||||
|
||||
zcash-build running (virtualbox)
|
||||
|
@ -280,14 +506,14 @@ ssh-add again to see that your forwarded key is available, and check that you ca
|
|||
authenticate to github.
|
||||
|
||||
```
|
||||
$ vagrant ssh zcash-build
|
||||
zcash-gitian$ vagrant ssh zcash-build
|
||||
[...]
|
||||
|
||||
# on the virtualbox vm
|
||||
$ ssh-add -l
|
||||
vagrant@zcash-build:~$ ssh-add -l
|
||||
4096 d1:43:75:a7:95:65:9e:d4:8e:57:d8:98:58:7d:92:4c /home/hpotter/.ssh/github_id_rsa (RSA)
|
||||
|
||||
$ ssh -T git@github.com
|
||||
vagrant@zcash-build:~$ ssh -T git@github.com
|
||||
Warning: Permanently added the RSA host key for IP address '192.30.253.112' to the list of known hosts.
|
||||
Hi harrypotter! You've successfully authenticated, but GitHub does not provide shell access.
|
||||
```
|
||||
|
@ -300,7 +526,7 @@ Once in a shell session in the VM, we're ready to run the gitian build.
|
|||
|
||||
```
|
||||
# on the virtualbox vm
|
||||
$ ./gitian-build.sh
|
||||
vagrant@zcash-build:~$ ./gitian-build.sh
|
||||
```
|
||||
|
||||
The output from `gbuild` is informative. There are some common warnings which can be ignored, e.g. if you get an intermittent privileges error related to LXC then just execute the script again. The most important thing is that one reaches the step which says `Running build script (log in var/build.log)`. If not, then something else is wrong and you should let us know.
|
||||
|
@ -312,7 +538,18 @@ It's also a good idea to regularly `git pull` on this repository to obtain updat
|
|||
Generating and uploading signatures
|
||||
-----------------------------------
|
||||
|
||||
After the build successfully completes, the gitian command `gsign` will be called. Commit and push your signatures (both the .assert and .assert.sig files) to the [zcash/gitian.sigs](https://github.com/zcash/gitian.sigs) repository, or if that's not possible then create a pull request.
|
||||
After the build successfully completes, the gitian command `gsign` will be called, which will
|
||||
generate signatures, and a commit will be added. You can cd into the gitian.sigs directory, set the
|
||||
repository to point to your fork of [zcash/gitian.sigs](https://github.com/zcash/gitian.sigs), push
|
||||
your updates to a branch, and then make a pull request on github.
|
||||
|
||||
```
|
||||
cd gitian.sigs
|
||||
git remote rename origin upstream
|
||||
git remote add origin git@github.com:harrypotter/zcash-gitian.git
|
||||
git checkout -b v2.0.4
|
||||
git push origin v2.0.4
|
||||
```
|
||||
|
||||
Signatures can be verified by running `gitian-build.sh --verify`, but set `build=false` in the script to skip building. Run a `git pull` beforehand on `gitian.sigs` so you have the latest. The provisioning includes a task which imports Zcash developer public keys to the Vagrant user's keyring and sets them to ultimately trusted, but they can also be found at `contrib/gitian-downloader` within the Zcash source repository.
|
||||
|
||||
|
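Review bot: The `git remote add origin git@github.com:harrypotter/zcash-gitian.git` line points at a fork of `zcash-gitian`, but the paragraph above it says to point the repository at your fork of `zcash/gitian.sigs`; the URL should name the `gitian.sigs` fork. The block also lacks the prompt used by the other examples, so it is unclear whether these commands run on the host or inside the VM.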
@ -335,10 +572,6 @@ Vagrant synced folders may also work natively with `vboxfs` if you install Virtu
|
|||
Copying files
|
||||
-------------
|
||||
|
||||
The easiest way to do it is with a plugin.
|
||||
|
||||
vagrant plugin install vagrant-scp
|
||||
|
||||
To copy files to the VM: `vagrant scp file_on_host.txt :file_on_vm.txt`
|
||||
|
||||
To copy files from the VM: `vagrant scp :file_on_vm.txt file_on_host.txt`
|
||||
|
|
|
@ -2,6 +2,11 @@
|
|||
# vi: set ft=ruby :
|
||||
Vagrant.configure(2) do |config|
|
||||
|
||||
config.vagrant.plugins = {
|
||||
"vagrant-disksize" => {"version" => "0.1.3"},
|
||||
"vagrant-scp" => {"version" => "0.5.7"}
|
||||
}
|
||||
|
||||
config.ssh.forward_agent = true
|
||||
config.disksize.size = '16GB'
|
||||
config.vm.define 'zcash-build', autostart: false do |gitian|
|
||||
|
|
|
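Review bot: The new `config.vagrant.plugins` block relies on a Vagrant feature that, as far as I know, first shipped in Vagrant 2.2.0, yet the README dependency list and the Ubuntu heading in this commit still say `2.0.3 or higher`. Raise the stated minimum to match, otherwise users on 2.0.x are likely to hit an error here rather than a clear version requirement. Pinning `vagrant-disksize` and `vagrant-scp` to exact versions is a good change.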
@ -126,79 +126,59 @@ Vagrant 2.2.4
|
|||
|
||||
|
||||
|
||||
# Install pip (python package manager)
|
||||
# Install venv support
|
||||
|
||||
We'll use this to install ansible, so we can be on a more current version of ansible than the one
|
||||
Debian provides with its 'stretch' distribution.
|
||||
`venv` is a python module used to create isolated project-specific environments, so that projects on
|
||||
the same computer can each use their own version of the python executable and their own set of
|
||||
installed python modules.
|
||||
|
||||
`python3-venv` is an `apt` package that includes support for using the `venv` python module.
|
||||
|
||||
```
|
||||
sudo apt install python-pip
|
||||
sudo apt install python3-venv
|
||||
```
|
||||
|
||||
Most recently tested 2019-02-13 with the following pip release:
|
||||
Most recently tested 2019-03-05 with the following python3-venv release:
|
||||
|
||||
```
|
||||
$ pip --version
|
||||
pip 9.0.1 from /usr/lib/python2.7/dist-packages (python 2.7)
|
||||
$ dpkg --status python3-venv | grep Version
|
||||
Version: 3.5.3-1
|
||||
```
|
||||
|
||||
|
||||
|
||||
# Install ansible 2.4.x or higher
|
||||
# Install direnv (Optional/Recommended)
|
||||
|
||||
This tool sets and unsets environment variables as you change directories in a shell session,
|
||||
providing a convenient facility for setting up project-specific configuration.
|
||||
|
||||
```
|
||||
pip install --user -U ansible
|
||||
sudo apt install direnv
|
||||
```
|
||||
|
||||
This will place an `ansible` executable in `~/.local/bin`, so add the following to `~/.bashrc`:
|
||||
To activate direnv when starting bash (the default shell on Debian 9), add the following line to the
|
||||
end of `~/.bashrc`:
|
||||
|
||||
```
|
||||
# set PATH so it includes user's private .local/bin if it exists
|
||||
if [ -d "$HOME/.local/bin" ] ; then
|
||||
PATH="$HOME/.local/bin:$PATH"
|
||||
fi
|
||||
eval "$(direnv hook bash)"
|
||||
```
|
||||
|
||||
Then restart your shell or source .bashrc in your shell session:
|
||||
direnv works by incorporating a call to `_direnv_hook` in the `PROMPT_COMMAND` shell variable. You
|
||||
can check that this was done by starting a new bash session and checking whether that value is
|
||||
present:
|
||||
|
||||
```
|
||||
$ source .bashrc
|
||||
$ echo $PROMPT_COMMAND
|
||||
_direnv_hook;
|
||||
```
|
||||
|
||||
Most recently tested 2019-02-13 with the following ansible release:
|
||||
direnv also supports several other shells -- zsh, fish, tcsh, and elvish as of this writing. Its
|
||||
website includes instructions for enabling each of the shells it supports.
|
||||
|
||||
Most recently tested 2019-03-21 with the following direnv release:
|
||||
|
||||
```
|
||||
$ ansible --version
|
||||
ansible 2.7.7
|
||||
...
|
||||
```
|
||||
|
||||
|
||||
|
||||
# Install GnuPG 2.x (2.1.18 or greater)
|
||||
|
||||
This is likely already installed and runnable via 'gpg'
|
||||
|
||||
```
|
||||
$ gpg --version
|
||||
gpg (GnuPG) 2.1.18
|
||||
|
||||
```
|
||||
|
||||
We want to be able to run it using the command 'gpg2'. For that we can install the gnupg2 package.
|
||||
|
||||
According to the description of that package, “This is a dummy transitional package that provides
|
||||
symlinks from gpg2 to gpg.”
|
||||
https://packages.debian.org/stretch/gnupg2
|
||||
|
||||
```
|
||||
$ sudo apt install gnupg2
|
||||
```
|
||||
|
||||
Most recently tested 2019-02-13 with the following GnuPG release:
|
||||
|
||||
```
|
||||
$ gpg2 --version
|
||||
gpg (GnuPG) 2.1.18
|
||||
...
|
||||
$ direnv --help
|
||||
direnv v2.10.0
|
||||
[...]
|
||||
```
|
||||
|
|
|
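Review bot: With the `Install ansible` section removed, the Debian instructions no longer say where ansible comes from; the Ubuntu document in this commit gains a section explaining the apt-or-pip choice, and a one-sentence pointer to the README's virtual environment steps would close the same gap here. The GnuPG section is removed as well although the README still lists GnuPG 2.x as a dependency, so consider keeping at least the `gpg --version` check with its tested version.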
@ -2,46 +2,91 @@
|
|||
|
||||
This document assumes you are starting from a fresh install of Ubuntu in the 18.04.x series.
|
||||
|
||||
Most recently tested 2018-05-21 with the following ubuntu release:
|
||||
|
||||
## Install Git, VirtualBox, and rng-tools
|
||||
|
||||
```
|
||||
$ lsb_release --description
|
||||
Description: Ubuntu 18.04 LTS
|
||||
$ sudo apt install git virtualbox rng-tools
|
||||
```
|
||||
|
||||
|
||||
|
||||
## Install Git, VirtualBox, Ansible, GnuPG, and rng-tools
|
||||
|
||||
```
|
||||
$ sudo apt install git virtualbox ansible gnupg2 rng-tools
|
||||
```
|
||||
|
||||
|
||||
|
||||
## Install Vagrant 2.0.3 or higher
|
||||
# Install Vagrant 2.0.3 or higher
|
||||
|
||||
As of this writing, the vagrant version that Ubuntu 18.04 uses is 2.0.2 so we suggest a later
|
||||
release in the 2.0.x series.
|
||||
|
||||
```
|
||||
$ wget https://releases.hashicorp.com/vagrant/2.0.4/vagrant_2.0.4_x86_64.deb
|
||||
...
|
||||
$ sudo apt install ./vagrant_2.0.4_x86_64.deb
|
||||
...
|
||||
$ dpkg --status vagrant
|
||||
Package: vagrant
|
||||
Status: install ok installed
|
||||
...
|
||||
$ rm ./vagrant_2.0.4_x86_64.deb
|
||||
wget -c https://releases.hashicorp.com/vagrant/2.2.4/vagrant_2.2.4_x86_64.deb
|
||||
sudo dpkg -i vagrant_2.2.4_x86_64.deb
|
||||
rm vagrant_2.2.4_x86_64.deb
|
||||
```
|
||||
|
||||
Most recently tested 2019-03-26 with the following vagrant release:
|
||||
|
||||
```
|
||||
$ vagrant --version
|
||||
Vagrant 2.2.4
|
||||
```
|
||||
|
||||
|
||||
|
||||
## Choice: Install Ansible via apt now or pip later
|
||||
|
||||
You can install ansible to a system-wide location using Ubuntu's apt tool, which will be a less
|
||||
current version, with infrequent updates, or choose another method described later to install it via
|
||||
a python package in a project-local virtual environment. The apt method is a bit easier, while the
|
||||
python method is ansible's native distribution channel and will be more current and more frequently
|
||||
updated.
|
||||
|
||||
If you choose the apt option, run this command:
|
||||
|
||||
```
|
||||
$ sudo apt install ansible
|
||||
```
|
||||
|
||||
If you choose the python/pip option, run this command:
|
||||
|
||||
```
|
||||
$ sudo apt install python3-venv
|
||||
```
|
||||
|
||||
|
||||
|
||||
# Install direnv (Optional/Recommended)
|
||||
|
||||
This tool sets and unsets environment variables as you change directories in a shell session,
|
||||
providing a convenient facility for setting up project-specific configuration.
|
||||
|
||||
```
|
||||
sudo apt install direnv
|
||||
```
|
||||
|
||||
To activate direnv when starting bash (the default shell on Debian 9), add the following line to the
|
||||
end of `~/.bashrc`:
|
||||
|
||||
```
|
||||
eval "$(direnv hook bash)"
|
||||
```
|
||||
|
||||
direnv works by incorporating a call to `_direnv_hook` in the `PROMPT_COMMAND` shell variable. You
|
||||
can check that this was done by starting a new bash session and checking whether that value is
|
||||
present:
|
||||
|
||||
```
|
||||
$ echo $PROMPT_COMMAND
|
||||
_direnv_hook;
|
||||
```
|
||||
|
||||
direnv also supports several other shells -- zsh, fish, tcsh, and elvish as of this writing. Its
|
||||
website includes instructions for enabling each of the shells it supports.
|
||||
|
||||
|
||||
|
||||
|
||||
## Versions
|
||||
|
||||
Most recently tested 2018-05-21 with the following versions:
|
||||
Most recently tested 2018-03-26 with the following versions:
|
||||
|
||||
|
||||
### Ubuntu
|
||||
|
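Review bot: The new Vagrant install lines fetch the `.deb` with `wget -c` and pass it straight to `sudo dpkg -i` with no integrity check. HashiCorp publishes a SHA256SUMS file and a signature alongside each release, so a checksum verification step between the download and the install would suit a guide whose purpose is verifiable builds. Smaller points: the heading still says `2.0.3 or higher` and the paragraph under it still recommends a 2.0.x release while the commands install 2.2.4; the direnv text copied into this Ubuntu document says bash is the default shell on Debian 9; and `Most recently tested 2018-03-26` under Versions looks like it should be 2019.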
@ -56,7 +101,7 @@ Description: Ubuntu 18.04 LTS
|
|||
|
||||
```
|
||||
$ git --version
|
||||
git version 2.17.0
|
||||
git version 2.17.1
|
||||
```
|
||||
|
||||
|
||||
|
@ -64,7 +109,7 @@ git version 2.17.0
|
|||
|
||||
```
|
||||
$ virtualbox --help
|
||||
Oracle VM VirtualBox Manager 5.2.10_Ubuntu
|
||||
Oracle VM VirtualBox Manager 5.2.18_Ubuntu
|
||||
...
|
||||
```
|
||||
|
||||
|
@ -74,21 +119,14 @@ Oracle VM VirtualBox Manager 5.2.10_Ubuntu
|
|||
```
|
||||
$ ansible --version
|
||||
ansible 2.5.1
|
||||
[...]
|
||||
```
|
||||
|
||||
|
||||
### GnuPG
|
||||
### direnv
|
||||
|
||||
```
|
||||
$ gpg2 --version
|
||||
gpg (GnuPG) 2.2.4
|
||||
...
|
||||
```
|
||||
|
||||
|
||||
### Vagrant
|
||||
|
||||
```
|
||||
$ vagrant --version
|
||||
Vagrant 2.0.4
|
||||
$ direnv --help
|
||||
direnv v2.15.0
|
||||
[...]
|
||||
```
|
||||
|
|
|
@ -0,0 +1,179 @@
|
|||
# Dependency installation steps for macOS
|
||||
|
||||
This document assumes you are starting from a fresh install of macOS.
|
||||
|
||||
Most recently tested 2019-03-22 with the following macOS release:
|
||||
|
||||
```
|
||||
$ sw_vers
|
||||
ProductName: Mac OS X
|
||||
ProductVersion: 10.14.3
|
||||
BuildVersion: 18D109
|
||||
```
|
||||
|
||||
|
||||
|
||||
## Make sure Git is installed
|
||||
|
||||
macOS includes git, so you should already have that. It may prompt you to set up developer tools if
|
||||
you're using it for the first time.
|
||||
|
||||
Most recently tested 2019-03-22 with the following git release:
|
||||
|
||||
```
|
||||
$ git --version
|
||||
git version 2.17.2 (Apple Git-113)
|
||||
```
|
||||
|
||||
|
||||
|
||||
## Install Homebrew
|
||||
|
||||
Homebrew's site gives a shell command to download and install it
|
||||
https://brew.sh/
|
||||
|
||||
To update both the installed homebrew version and its list of formulae:
|
||||
|
||||
```
|
||||
$ brew update
|
||||
```
|
||||
|
||||
To upgrade software installed via brew:
|
||||
|
||||
```
|
||||
$ brew upgrade <formula name>
|
||||
```
|
||||
|
||||
Homebrew has a search page you can use to look up formula names: http://formulae.brew.sh/
|
||||
|
||||
Most recently tested 2019-03-22 with the following Homebrew release:
|
||||
|
||||
```
|
||||
$ brew --version
|
||||
Homebrew 2.0.5
|
||||
Homebrew/homebrew-core (git revision b26ddf; last commit 2019-03-21)
|
||||
Homebrew/homebrew-cask (git revision 8a0f5; last commit 2019-03-21)
|
||||
```
|
||||
|
||||
That last line about "homebrew-cask" refers to a component that started as a separate plugin and now
|
||||
comes with homebrew by default. The subcommand 'cask' can be used to manage the types of installs
|
||||
mac users ordinarily do manually - the "drag to the applications folder" type and the "run an
|
||||
installer" type.
|
||||
|
||||
We'll use both "brew" and "brew cask" install methods in the steps below.
|
||||
|
||||
|
||||
|
||||
## Install Virtualbox
|
||||
|
||||
This one may fail on the first attempt with a prompt to allow software signed by Oracle. After doing
|
||||
that, the second attempt should succeed.
|
||||
|
||||
```
|
||||
$ brew cask install virtualbox
|
||||
```
|
||||
|
||||
Most recently tested 2019-03-22 with the following Virtualbox release:
|
||||
|
||||
```
|
||||
$ virtualbox --help
|
||||
Oracle VM VirtualBox VM Selector v6.0.4
|
||||
```
|
||||
|
||||
|
||||
|
||||
## Install Vagrant
|
||||
|
||||
```
|
||||
$ brew cask install vagrant
|
||||
```
|
||||
|
||||
Most recently tested 2019-03-22 with the following Vagrant release:
|
||||
|
||||
```
|
||||
$ vagrant --version
|
||||
Vagrant 2.2.4
|
||||
```
|
||||
|
||||
|
||||
|
||||
## Install GnuPG 2.x (2.11.18 or greater)
|
||||
|
||||
```
|
||||
$ brew install gnupg
|
||||
```
|
||||
|
||||
Most recently tested 2019-03-22 with the following GnuPG release:
|
||||
|
||||
```
|
||||
$ gpg --version
|
||||
gpg (GnuPG) 2.2.14
|
||||
libgcrypt 1.8.4
|
||||
[...]
|
||||
```
|
||||
|
||||
|
||||
|
||||
## Install Python 3.x
|
||||
|
||||
Python 2.x is installed by default in macOS, but we want to be more current. Installing the 'python'
|
||||
homebrew formula will get us python 3.x.
|
||||
|
||||
```
|
||||
$ brew install python
|
||||
```
|
||||
|
||||
This will install as the executable `python3`; running `python` will still get the macOS-managed
|
||||
python version:
|
||||
|
||||
```
|
||||
$ type python
|
||||
python is /usr/bin/python
|
||||
|
||||
$ type python3
|
||||
python3 is /usr/local/bin/python3
|
||||
```
|
||||
|
||||
Most recently tested 2019-03-22 with the following Python release:
|
||||
|
||||
```
|
||||
$ python3 --version
|
||||
Python 3.7.2
|
||||
```
|
||||
|
||||
|
||||
|
||||
# Install direnv (Optional/Recommended)
|
||||
|
||||
This tool sets and unsets environment variables as you change directories in a shell session,
|
||||
providing a convenient facility for setting up project-specific configuration.
|
||||
|
||||
```
|
||||
brew install direnv
|
||||
```
|
||||
|
||||
To activate direnv when starting bash (the default shell on macOS), add the following line to the
|
||||
end of `~/.profile`:
|
||||
|
||||
```
|
||||
eval "$(direnv hook bash)"
|
||||
```
|
||||
|
||||
direnv works by incorporating a call to `_direnv_hook` in the `PROMPT_COMMAND` shell variable. You
|
||||
can check that this was done by starting a new bash session and checking whether that value is
|
||||
present:
|
||||
|
||||
```
|
||||
$ echo $PROMPT_COMMAND
|
||||
_direnv_hook;
|
||||
```
|
||||
|
||||
direnv also supports several other shells -- zsh, fish, tcsh, and elvish as of this writing. Its
|
||||
website includes instructions for enabling each of the shells it supports.
|
||||
|
||||
Most recently tested 2019-03-22 with the following direnv release:
|
||||
|
||||
```
|
||||
$ direnv --version
|
||||
2.19.2
|
||||
```
|
|
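Review bot: The "Install GnuPG 2.x (2.11.18 or greater)" heading states a minimum that the tested release shown right below it, gpg (GnuPG) 2.2.14, does not meet, so the stated minimum looks like a typo; please confirm the intended version so the requirement for the signing tool is unambiguous. Separately, "# Install direnv (Optional/Recommended)" is a top-level heading while every other step in this file uses "##", and its `brew install direnv` line lacks the `$ ` prompt used in the other command blocks.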
@ -1,180 +0,0 @@
|
|||
# Dependency installation steps for macOS 10.x (aka High Sierra)
|
||||
|
||||
This document assumes you are starting from a fresh install of macOS.
|
||||
|
||||
Most recently tested 2018-04-17 with the following macOS release:
|
||||
|
||||
```
|
||||
$ sw_vers
|
||||
ProductName: Mac OS X
|
||||
ProductVersion: 10.13.4
|
||||
BuildVersion: 17E199
|
||||
```
|
||||
|
||||
|
||||
|
||||
## Make sure Git is installed
|
||||
|
||||
macOS includes git, so you should already have that. It may prompt you to set up developer tools if
|
||||
you're using it for the first time.
|
||||
|
||||
Most recently tested 2018-04-17 with the following git release:
|
||||
|
||||
```
|
||||
$ git --version
|
||||
git version 2.15.1 (Apple Git-101)
|
||||
```
|
||||
|
||||
|
||||
|
||||
## Install Homebrew
|
||||
|
||||
Homebrew's site gives a shell command to download and install it
|
||||
https://brew.sh/
|
||||
|
||||
To update both the installed homebrew version and its list of formulae:
|
||||
|
||||
```
|
||||
$ brew update
|
||||
```
|
||||
|
||||
To upgrade software installed via brew:
|
||||
|
||||
```
|
||||
$ brew upgrade <formula name>
|
||||
```
|
||||
|
||||
Homebrew has a search page you can use to look up package names: http://formulae.brew.sh/
|
||||
|
||||
Most recently tested 2018-04-23 with the following Homebrew release:
|
||||
|
||||
```
|
||||
$ brew --version
|
||||
Homebrew 1.6.2
|
||||
Homebrew/homebrew-core (git revision 2251; last commit 2018-04-23)
|
||||
```
|
||||
|
||||
|
||||
|
||||
## Install Homebrew-Cask
|
||||
|
||||
Software projects offered as mac-specific downloads tend to come in one of two forms:
|
||||
- a file users can drag into their Applications folder
|
||||
- an installer application for users to execute
|
||||
|
||||
Homebrew-Cask is an extension to Homebrew designed to extend the benefits of package management to
|
||||
this category of mac software.
|
||||
|
||||
Homebrew-Cask's site gives a shell command to download and install it: https://caskroom.github.io/
|
||||
|
||||
The same `brew update` command given above to update Homebrew will also update Homebrew-Cask.
|
||||
|
||||
To upgrade software installed via cask:
|
||||
|
||||
```
|
||||
$ brew cask upgrade <cask-name>
|
||||
```
|
||||
|
||||
To upgrade all installed casks:
|
||||
|
||||
```
|
||||
$ brew cask upgrade
|
||||
```
|
||||
|
||||
Homebrew Cask also has a search page for package names: https://caskroom.github.io/search
|
||||
|
||||
Most recently tested 2018-04-23 with the following Homebrew-Cask release:
|
||||
|
||||
```
|
||||
$ brew cask --version
|
||||
Homebrew-Cask 1.6.2
|
||||
caskroom/homebrew-cask (git revision 5f4c5d; last commit 2018-04-23)
|
||||
```
|
||||
|
||||
|
||||
|
||||
## Install Virtualbox
|
||||
|
||||
```
|
||||
$ brew cask install virtualbox
|
||||
```
|
||||
|
||||
Most recently tested 2018-04-23 with the following Virtualbox release:
|
||||
|
||||
```
|
||||
$ virtualbox --help
|
||||
Oracle VM VirtualBox Manager 5.2.10
|
||||
...
|
||||
```
|
||||
|
||||
|
||||
|
||||
## Install Vagrant
|
||||
|
||||
```
|
||||
$ brew cask install vagrant
|
||||
```
|
||||
|
||||
Most recently tested 2018-04-23 with the following Vagrant release:
|
||||
|
||||
```
|
||||
$ vagrant --version
|
||||
Vagrant 2.0.4
|
||||
```
|
||||
|
||||
|
||||
|
||||
## Install Ansible
|
||||
|
||||
```
|
||||
$ brew install ansible
|
||||
```
|
||||
|
||||
Most recently tested 2018-04-23 with the following Ansible release:
|
||||
|
||||
```
|
||||
$ ansible --version
|
||||
ansible 2.5.1
|
||||
...
|
||||
```
|
||||
|
||||
|
||||
|
||||
## Install GnuPG 2.x (2.11.18 or greater)
|
||||
|
||||
```
|
||||
$ brew install gnupg
|
||||
```
|
||||
|
||||
Most recently tested 2018-04-23 with the following GnuPG release:
|
||||
|
||||
```
|
||||
$ gpg --version
|
||||
gpg (GnuPG) 2.2.6
|
||||
```
|
||||
|
||||
|
||||
|
||||
## Make sure 'gpg2' can be called
|
||||
|
||||
As of this writing, we have ansible tasks that make calls to 'gpg2' while the gnupg homebrew package
|
||||
installs the executable 'gpg'.
|
||||
|
||||
```
|
||||
$ type gpg
|
||||
gpg is /usr/local/bin/gpg
|
||||
$ type gpg2
|
||||
-bash: type: gpg2: not found
|
||||
```
|
||||
|
||||
If this is still the case, a simple workaround option is to create a symlink from gpg2 to gpg:
|
||||
|
||||
```
|
||||
$ ln -s /usr/local/bin/gpg /usr/local/bin/gpg2
|
||||
$ gpg2 --version
|
||||
gpg (GnuPG) 2.2.6
|
||||
[...]
|
||||
$
|
||||
```
|
||||
|
||||
If you find that this issue has been resolved, please remove this step :)
|
12
gitian.yml
|
@ -3,12 +3,12 @@
|
|||
become: yes
|
||||
hosts: localhost:zcash-build
|
||||
vars:
|
||||
zcash_git_repo_url: https://github.com/zcash/zcash
|
||||
zcash_version: v1.0.8-1
|
||||
gpg_key_name: ''
|
||||
git_name: ''
|
||||
git_email: ''
|
||||
gpg_key_id: ''
|
||||
zcash_git_repo_url: "{{ lookup('env','ZCASH_GIT_REPO_URL') }}"
|
||||
zcash_version: "{{ lookup('env','ZCASH_VERSION') }}"
|
||||
git_name: "{{ lookup('env','GIT_NAME') }}"
|
||||
git_email: "{{ lookup('env','GIT_EMAIL') }}"
|
||||
gpg_key_name: "{{ lookup('env','GPG_KEY_NAME') }}"
|
||||
gpg_key_id: "{{ lookup('env','GPG_KEY_ID') }}"
|
||||
roles:
|
||||
- role: common
|
||||
tags: common
|
||||
|
|
|
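Review bot: `lookup('env', ...)` returns an empty string when the variable is not set, so with these six vars a missing .env, or a shell where direnv has not loaded it, leaves zcash_git_repo_url, zcash_version and gpg_key_id empty, where the first two previously had working defaults. Suggest failing early, for example with an assert task that checks each value is non-empty before the roles run, or keeping the old defaults via `| default('https://github.com/zcash/zcash', true)` and the equivalent for the version.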
@ -0,0 +1,8 @@
|
|||
local/
|
||||
======
|
||||
|
||||
This directory is intended for content that is local to your work area, and
|
||||
not intended to be tracked by version control.
|
||||
|
||||
This file is here to make git track the existence of this directory (git doesn't
|
||||
track empty directories).
|
|
@ -0,0 +1,17 @@
|
|||
# Primary Dependencies
|
||||
# (Packages we actually decided to include)
|
||||
ansible==2.7.9
|
||||
# Secondary Dependencies
|
||||
# (pulled in by one or more of the above dependencies)
|
||||
asn1crypto==0.24.0
|
||||
bcrypt==3.1.6
|
||||
cffi==1.12.2
|
||||
cryptography==2.6.1
|
||||
Jinja2==2.10
|
||||
MarkupSafe==1.1.1
|
||||
paramiko==2.4.2
|
||||
pyasn1==0.4.5
|
||||
pycparser==2.19
|
||||
PyNaCl==1.3.0
|
||||
PyYAML==5.1
|
||||
six==1.12.0
|
|
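Review bot: Every package here is pinned with `==` but none carries a hash, so pip will accept whatever artifact the index serves for that version number. For a list that provisions the tooling around a deterministic build and its signing step, consider adding `--hash=sha256:...` entries to each line and installing with `pip install --require-hashes`.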
@ -1,12 +1,12 @@
|
|||
---
|
||||
- name: Check that the secret key exists.
|
||||
local_action: "shell gpg2 --list-secret-keys --with-colons | grep {{ gpg_key_id }}"
|
||||
local_action: "shell gpg --list-secret-keys --with-colons | grep {{ gpg_key_id }}"
|
||||
become: no
|
||||
ignore_errors: true
|
||||
register: gpg_list_keys_result
|
||||
|
||||
- name: Export the GPG private key from the local keyring.
|
||||
local_action: "command gpg2 --armor --export-secret-key {{ gpg_key_id }}"
|
||||
local_action: "command gpg --armor --export-secret-key {{ gpg_key_id }}"
|
||||
become: no
|
||||
register: gpg_private_key
|
||||
changed_when: false
|
||||
|
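Review bot: In "Check that the secret key exists", `{{ gpg_key_id }}` is interpolated unquoted into a shell pipeline and matched with an unanchored `grep`, so an empty value makes the command fail in a way `ignore_errors: true` hides, and a short ID fragment can match unrelated lines of the colon listing. Consider passing the ID to gpg directly (`command gpg --list-secret-keys --with-colons {{ gpg_key_id }}`) and relying on the return code, which also removes the shell. The export task registers the armored secret key in gpg_private_key and the visible lines show no `no_log` on it, so please confirm it is set below the hunk.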
@ -40,7 +40,7 @@
|
|||
group: "{{ gitian_user }}"
|
||||
|
||||
- name: Import the GPG private key to the Vagrant user.
|
||||
command: "gpg2 --import /tmp/{{ gpg_key_id }}.sec"
|
||||
command: "gpg --import /tmp/{{ gpg_key_id }}.sec"
|
||||
become_user: "{{ gitian_user }}"
|
||||
when: gpg_list_keys_result.stdout != '' and gpg_private_key.stdout is defined
|
||||
no_log: True
|
||||
|
|
|
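Review bot: The import reads the secret key from `/tmp/{{ gpg_key_id }}.sec`, a predictable name in a shared directory, and the visible context shows neither the file mode nor a removal step after the import. Since this line is being touched anyway, consider adding `--batch` for the non-interactive run and confirming that the file is written 0600 for gitian_user and deleted once `gpg --import` has succeeded.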
@ -19,7 +19,7 @@ proc=2
|
|||
mem=3584
|
||||
lxc=true
|
||||
scriptName=$(basename -- "$0")
|
||||
signProg="gpg2 --detach-sign"
|
||||
signProg="gpg --detach-sign"
|
||||
commitFiles=true
|
||||
|
||||
# Help Message
|
||||
|
|
|
@ -21,7 +21,6 @@ if [ -d "$HOME/bin" ] ; then
|
|||
PATH="$HOME/bin:$PATH"
|
||||
fi
|
||||
|
||||
alias gpg='gpg2'
|
||||
export DISTRO=debian
|
||||
export SUITE=jessie
|
||||
export ARCH=amd64
|
||||
|
|
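Review bot: Dropping `alias gpg='gpg2'` means every `gpg` call on the guest now runs whatever binary the distribution installs under that name, and on systems that ship GnuPG 1.4 as `gpg` alongside `gpg2` that is a different major version with a different secret-key store from GnuPG 2.1 and later. Suggest a provisioning check that `gpg --version` reports 2.x before any key is imported or any signature is made.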