From 934fdeda062229f5c150e9dce74f05b0557ea123 Mon Sep 17 00:00:00 2001
From: Rootul P
Date: Mon, 9 Oct 2023 10:04:57 -0400
Subject: [PATCH] feat: sign pre-built binary with GPG key (#2568)

Closes https://github.com/celestiaorg/celestia-app/issues/2445 ## Testing 1. On my fork, I pushed the contents of this PR to main and then created https://github.com/rootulp/celestia-app/releases/tag/v1.0.0-rc4. 2. Verified that the checksum is correct ```shell $ sha256sum --ignore-missing --check checksums.txt celestia-app_Linux_x86_64.tar.gz: OK ``` 3. Verified that the signature is correct ```shell $ ./verify-signatures.sh checksums.txt.sig checksums.txt Importing the celestia-app-maintainers public key... gpg: key D469F859693DC3FA: no user ID gpg: Total number processed: 1 Verifying the signature of checksums.txt.sig with checksums.txt gpg: Signature made Fri Oct 6 16:19:01 2023 EDT gpg: using EDDSA key ACF99399A35311E95B2432072B987E2A363550BE gpg: Good signature from "rootulp-test-goreleaser " [ultimate] ``` Note: the GPG key used to sign for celestiaorg/celestia-app will have a different ID / email address from the one here ^
---------
Co-authored-by: Matthew Sevey
---
 .github/workflows/ci-release.yml | 12 ++-
 .goreleaser.yaml | 12 +++
 README.md | 80 +++++++++++++-------
 scripts/signing/celestia-app-maintainers.asc | 14 ++++
 scripts/signing/verify-signature.sh | 20 +++++
 5 files changed, 109 insertions(+), 29 deletions(-)
 create mode 100644 scripts/signing/celestia-app-maintainers.asc
 create mode 100755 scripts/signing/verify-signature.sh

diff --git a/.github/workflows/ci-release.yml b/.github/workflows/ci-release.yml
index 0c3e6d3c30..5f8257a73d 100644
--- a/.github/workflows/ci-release.yml
+++ b/.github/workflows/ci-release.yml
@@ -71,11 +71,19 @@ jobs: - uses: actions/setup-go@v4 with: go-version: 1.21.1 - # Generate the binaries and release - - uses: goreleaser/goreleaser-action@v5 + # Import the GPG key from Github secrets to sign the binaries + - name: Import GPG key + id: import_gpg + uses: crazy-max/ghaction-import-gpg@v4 + with: + gpg_private_key: ${{ secrets.GPG_SIGNING_KEY }} + passphrase: ${{ secrets.GPG_PASSPHRASE }} + # Generate the binaries, release, and sign the checksum + - uses: goreleaser/goreleaser-action@v4 with: distribution: goreleaser version: latest args: release --clean env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }} diff --git a/.goreleaser.yaml b/.goreleaser.yaml index d7944730fc..5d9ba2625a 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml @@ -47,6 +47,18 @@ archives: {{- if .Arm }}v{{ .Arm }}{{ end }} checksum: name_template: "checksums.txt" +signs: + - artifacts: checksum + args: + [ + "--batch", + "-u", + "{{ .Env.GPG_FINGERPRINT }}", + "--output", + "${signature}", + "--detach-sign", + "${artifact}", + ] snapshot: name_template: "{{ incpatch .Version }}-next" changelog: diff --git a/README.md b/README.md index 9224f00568..5a71f78ebc 100644 --- a/README.md +++ b/README.md @@ -36,6 +36,8 @@ node | | | | ## Install +### Source + 1. [Install Go](https://go.dev/doc/install) 1.21.1 1. Clone this repo 1. Install the celestia-app CLI 
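Review bot: The goreleaser step moves from `goreleaser/goreleaser-action@v5` to `goreleaser/goreleaser-action@v4` in this hunk, which reads as an unintended downgrade rather than something the signing change requires; if so, keep `- uses: goreleaser/goreleaser-action@v5`. The new `crazy-max/ghaction-import-gpg@v4` step receives the private signing key and its passphrase from secrets, and a floating major tag lets whoever controls that tag run code with the key in hand; pin it (and the goreleaser action) to a full commit SHA with the version in a trailing comment, e.g. `uses: crazy-max/ghaction-import-gpg@<commit-sha>  # v4`. The `version: latest` context line means every release also runs an unpinned goreleaser, so a specific release there would make the signed artifacts reproducible from the workflow alone. The enclosing `jobs:` block starts and ends outside the hunk.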
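Review bot: The `args` list under the new `signs:` entry is written as a ten-line flow sequence (`[` … `]`), which is the one case where flow style costs readability; the same list as a block sequence (`- "--batch"`, `- "-u"`, …) diffs line by line and matches the block form the entry itself uses for `- artifacts: checksum`. It would also help verifiers to state what is signed, e.g. a comment above `signs:` such as `# Only checksums.txt is signed; archives are authenticated transitively via their sha256 entries in it, so both the signature and the checksums must be checked.` The `{{ .Env.GPG_FINGERPRINT }}` template relies on the workflow exporting that variable; if it can ever be unset, `-u` would receive an empty value, so it is worth confirming that goreleaser fails the template render rather than letting gpg pick a default key (I have not verified which it does).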
@@ -44,6 +46,57 @@ node | | | | make install ``` +### Pre-built binary + +If you'd rather not install from source, you can download a pre-built binary from the [releases](https://github.com/celestiaorg/celestia-app/releases) page. + +1. Navigate to the latest release on . +1. Download the binary for your platform (e.g. `celestia-app_Linux_x86_64.tar.gz`) from the **Assets** section. +1. Extract the archive + + ```shell + tar -xvf celestia-app_Linux_x86_64.tar.gz + ``` + +1. Verify the extracted binary works + + ```shell + ./celestia-appd --help + ``` + +#### Optional: Verify the pre-built binary checksums and signatures + +If you use a pre-built binary, you may also want to verify the checksums and signatures. + +1. Navigate to the latest release on . +1. Download `checksums.txt`, `checksums.txt.sig`, and the binary for your platform (e.g. `celestia-app_Linux_x86_64.tar.gz`) from the **Assets** section. +1. Verify the checksums + + ```shell + sha256sum --ignore-missing --check checksums.txt + ``` + + You should see output like this: + + ```shell + celestia-app_Linux_x86_64.tar.gz: OK + ``` + +1. Download the [verify-signature.sh](./scripts/signing/verify-signature.sh) script. +1. Verify the signature via the [verify-signature.sh](./scripts/signing/verify-signature.sh) script + + ```shell + ./verify-signature.sh checksums.txt.sig checksums.txt + ``` + + You should see output like this: + + ```shell + gpg: Signature made Thu Sep 21 14:39:26 2023 EDT + gpg: using EDDSA key BF02F32CC36864560B90B764D469F859693DC3FA + gpg: Good signature from "celestia-app-maintainers " [ultimate] + ``` + ### Ledger Support Ledger is not supported on Windows and OpenBSD. 
@@ -115,33 +168,6 @@ make proto-gen make goreleaser-build ``` -### Publishing a Release - -> **NOTE** Due to `goreleaser`'s CGO limitations, cross-compiling the binary does not work. So the binaries must be built on the target platform. This means that the release process must be done on a Linux amd64 machine. - -To generate the binaries for the Github release, you can run the following command: - -```sh -make goreleaser-release -``` - -This will generate the binaries as defined in `.goreleaser.yaml` and put them in `build/goreleaser` like so: - -```sh -build -└── goreleaser - ├── CHANGELOG.md - ├── artifacts.json - ├── celestia-app_Linux_x86_64.tar.gz - ├── celestia-app_linux_amd64_v1 - │ └── celestia-appd - ├── checksums.txt - ├── config.yaml - └── metadata.json -``` - -For the Github release, you just need to upload the `checksums.txt` and `celestia-app_Linux_x86_64.tar.gz` files. - ### Docs Package-specific READMEs aim to explain implementation details for developers that are contributing to these packages. The [specs](https://celestiaorg.github.io/celestia-app/) aim to explain the protocol as a whole for developers building on top of Celestia. diff --git a/scripts/signing/celestia-app-maintainers.asc b/scripts/signing/celestia-app-maintainers.asc new file mode 100644 index 0000000000..6c7142c38c --- /dev/null +++ b/scripts/signing/celestia-app-maintainers.asc 
@@ -0,0 +1,14 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mDMEZQyVAhYJKwYBBAHaRw8BAQdArnTc9Gu1/koOMkR7/t9HESJN8k1ee0/YBxI/
+9bk3PBW0QGNlbGVzdGlhLWFwcC1tYWludGFpbmVycyA8Y2VsZXN0aWEtYXBwLW1h
+aW50YWluZXJzQGNlbGVzdGlhLm9yZz6IkwQTFgoAOxYhBL8C8yzDaGRWC5C3ZNRp
++FlpPcP6BQJlDJUCAhsDBQsJCAcCAiICBhUKCQgLAgQWAgMBAh4HAheAAAoJENRp
++FlpPcP6sZcBAKpPSeEHPlIsKn7lAOlfV0n9kXQYnL3xxdq9/ytFB5dUAP0S//wt
+EycGLLn1Wytp06o9tFyRHw+fmQBXaNFPSsc4B7g4BGUMlQISCisGAQQBl1UBBQEB
+B0CpJl7Leh7INkGvlq3QclvXRb3TB6P28tDMXk2mPhgYFAMBCAeIeAQYFgoAIBYh
+BL8C8yzDaGRWC5C3ZNRp+FlpPcP6BQJlDJUCAhsMAAoJENRp+FlpPcP6HQgBAMC3
+QoXupYfpmiJGGnxlCcK5iyYpZLe8EWpWq39t0vRlAP4hgvO8A4c0TNZaVkvLq62P
+eLp2+KNYB2PhA91X8BL8Bg==
+=311S
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/scripts/signing/verify-signature.sh b/scripts/signing/verify-signature.sh
new file mode 100755
index 0000000000..a86c4b6ace
--- /dev/null
+++ b/scripts/signing/verify-signature.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# This script enables consumers to verify signatures on artifacts.
+
+# Check if the number of arguments is not 2
+if [[ $# -ne 2 ]]; then
+ echo "Error: Exactly two arguments are required."
+ echo "Example usage:"
+ echo " ./verify-signature.sh "
+ exit 1
+fi
+
+# PGP Key
+# celestia-app-maintainers
+# BF02F32CC36864560B90B764D469F859693DC3FA
+echo "Importing the celestia-app-maintainers public key..."
+gpg --keyserver keys.openpgp.org --recv-keys BF02F32CC36864560B90B764D469F859693DC3FA
+
+echo "Verifying the signature of "$1" with "$2""
+gpg --verify $1 $2
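Review bot: `gpg --verify $1 $2` reports "Good signature" for any key present in the caller's default keyring, so the fingerprint hard-coded in the comment above it is documented but never enforced, and a signature made by some other key the user has imported would also succeed. Running the fetch and the verify inside a throwaway `GNUPGHOME` that contains only the key pulled by `--recv-keys` closes that gap, and `set -euo pipefail` makes a failed keyserver fetch stop the script instead of falling through to a misleading "No public key" error from the verify step. The positional parameters should also be quoted, `gpg --verify "$1" "$2"`, and the preceding echo has its quoting inverted (`$1` and `$2` sit outside the double quotes), which only works because the file names contain no spaces. The `scripts/signing/celestia-app-maintainers.asc` added by the same patch is not referenced by this script or by the README hunks, so if it is meant to be the offline copy of the key, importing it from the script's own directory would remove the network dependency; otherwise its purpose should be stated in a comment.

```shell
#!/bin/bash
set -euo pipefail

# … unchanged: argument-count check …

# Verify in a throwaway GnuPG home so that a "Good signature" can only come
# from the maintainers key fetched below, never from another key in the
# caller's own keyring.
export GNUPGHOME="$(mktemp -d)"
trap 'rm -rf "$GNUPGHOME"' EXIT

# … unchanged: key fingerprint comment and --recv-keys import …

echo "Verifying the signature of $1 with $2"
gpg --verify "$1" "$2"
```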