diff options
| author | Cory Fields <cory-nospam-@coryfields.com> | 2015-06-18 18:17:36 -0400 |
|---|---|---|
| committer | Cory Fields <cory-nospam-@coryfields.com> | 2015-06-18 18:17:36 -0400 |
| commit | d08cfc2bd752fdb1e8547f957f1c38275540df7a (patch) | |
| tree | 53f0ad6cdc0fe43809627b4d8d6250a108e4e770 /doc/release-process.md | |
| parent | 40400d53d3a0f5a11907fba610adabbe0975c9db (diff) | |
| download | bitcoin-d08cfc2bd752fdb1e8547f957f1c38275540df7a.tar.xz | |
gitian: add a gitian-win-signer descriptor
This is exactly like the current OSX signing process.
osslsigncode has been patched to detach and re-attach Windows signatures.
The changes can be seen here: https://github.com/theuni/osslsigncode/commits/attach-signature
There's a pull-request open upstream for the changes:
https://sourceforge.net/p/osslsigncode/osslsigncode/merge-requests/3/
This work has been back-ported to the stable 1.7.1 release of osslsigncode, so
that a smaller patch can be reviewed.
Diffstat (limited to 'doc/release-process.md')
| -rw-r--r-- | doc/release-process.md | 32 |
1 files changed, 20 insertions, 12 deletions
diff --git a/doc/release-process.md b/doc/release-process.md index 45c44640ca..07005bfbb9 100644 --- a/doc/release-process.md +++ b/doc/release-process.md @@ -41,6 +41,8 @@ Release Process ###fetch and build inputs: (first time, or when dependency versions change) mkdir -p inputs + wget -P inputs https://bitcoincore.org/cfields/osslsigncode-Backports-to-1.7.1.patch + wget -P inputs http://downloads.sourceforge.net/project/osslsigncode/osslsigncode/osslsigncode-1.7.1.tar.gz Register and download the Apple SDK: (see OSX Readme for details) @@ -65,7 +67,9 @@ Release Process mv build/out/bitcoin-*.tar.gz build/out/src/bitcoin-*.tar.gz ../ ./bin/gbuild --commit bitcoin=v${VERSION} ../bitcoin/contrib/gitian-descriptors/gitian-win.yml ./bin/gsign --signer $SIGNER --release ${VERSION}-win --destination ../gitian.sigs/ ../bitcoin/contrib/gitian-descriptors/gitian-win.yml - mv build/out/bitcoin-*.zip build/out/bitcoin-*.exe ../ + mv build/out/bitcoin-*.zip ../ + mv build/out/bitcoin-*-win64-setup.exe inputs/bitcoin-win64-setup.exe + mv build/out/bitcoin-*-win32-setup.exe inputs/bitcoin-win32-setup.exe ./bin/gbuild --commit bitcoin=v${VERSION} ../bitcoin/contrib/gitian-descriptors/gitian-osx.yml ./bin/gsign --signer $SIGNER --release ${VERSION}-osx-unsigned --destination ../gitian.sigs/ ../bitcoin/contrib/gitian-descriptors/gitian-osx.yml mv build/out/bitcoin-*-unsigned.tar.gz inputs/bitcoin-osx-unsigned.tar.gz @@ -75,7 +79,7 @@ Release Process 1. source tarball (bitcoin-${VERSION}.tar.gz) 2. linux 32-bit and 64-bit binaries dist tarballs (bitcoin-${VERSION}-linux[32|64].tar.gz) - 3. windows 32-bit and 64-bit installers and dist zips (bitcoin-${VERSION}-win[32|64]-setup.exe, bitcoin-${VERSION}-win[32|64].zip) + 3. windows 32-bit and 64-bit unsigned installers and dist zips (bitcoin-${VERSION}-win[32|64]-setup.exe, bitcoin-${VERSION}-win[32|64].zip) 4. OSX unsigned installer (bitcoin-${VERSION}-osx-unsigned.dmg) 5. Gitian signatures (in gitian.sigs/${VERSION}-<linux|win|osx-unsigned>/(your gitian key)/ @@ -91,9 +95,9 @@ Commit your signature to gitian.sigs: git push # Assuming you can push to the gitian.sigs tree popd - Wait for OSX detached signature: - Once the OSX build has 3 matching signatures, it will be signed with the Apple App-Store key. - A detached signature will then be committed to the bitcoin-detached-sigs repository, which can be combined with the unsigned app to create a signed binary. + Wait for Windows/OSX detached signatures: + Once the Windows/OSX builds each have 3 matching signatures, they will be signed with their respective release keys. + Detached signatures will then be committed to the bitcoin-detached-sigs repository, which can be combined with the unsigned apps to create signed binaries. Create the signed OSX binary: @@ -103,10 +107,20 @@ Commit your signature to gitian.sigs: mv build/out/bitcoin-osx-signed.dmg ../bitcoin-${VERSION}-osx.dmg popd -Commit your signature for the signed OSX binary: + Create the signed Windows binaries: + + pushd ./gitian-builder + ./bin/gbuild -i --commit signature=v${VERSION} ../bitcoin/contrib/gitian-descriptors/gitian-win-signer.yml + ./bin/gsign --signer $SIGNER --release ${VERSION}-win-signed --destination ../gitian.sigs/ ../bitcoin/contrib/gitian-descriptors/gitian-win-signer.yml + mv build/out/bitcoin-win64-setup-signed.exe ../bitcoin-${VERSION}-win64-setup.exe + mv build/out/bitcoin-win32-setup-signed.exe ../bitcoin-${VERSION}-win32-setup.exe + popd + +Commit your signature for the signed OSX/Windows binaries: pushd gitian.sigs git add ${VERSION}-osx-signed/${SIGNER} + git add ${VERSION}-win-signed/${SIGNER} git commit -a git push # Assuming you can push to the gitian.sigs tree popd @@ -115,12 +129,6 @@ Commit your signature for the signed OSX binary: ### After 3 or more people have gitian-built and their results match: -- Perform code-signing. - - - Code-sign Windows -setup.exe (in a Windows virtual machine using signtool) - - Note: only Gavin has the code-signing keys currently. - - Create `SHA256SUMS.asc` for the builds, and GPG-sign it: ```bash sha256sum * > SHA256SUMS |