foster/bitcoin-bitcoin-core
0
0
Fork 0
mirror of https://github.com/bitcoin/bitcoin.git synced 2025-02-08 10:31:50 -05:00
Code Issues Activity

doc: update release-process.md

Browse source
This commit is contained in:
gruve-p 2022-03-16 22:26:24 +01:00 committed by gruve-p
parent d6cb4e8ff0
commit ac45a43d89
No known key found for this signature in database
GPG key ID: D11BD4F33F1DB499
1 changed files with 24 additions and 25 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

49
doc/release-process.md
View file

@ -110,28 +110,24 @@ against other `guix-attest` signatures.
git -C ./guix.sigs pull
```
### Create the macOS SDK tarball: (first time, or when SDK version changes)
### Create the macOS SDK tarball (first time, or when SDK version changes)
Create the macOS SDK tarball, see the [macdeploy
instructions](/contrib/macdeploy/README.md#deterministic-macos-dmg-notes) for
details.
### Build and attest to build outputs:
### Build and attest to build outputs
Follow the relevant Guix README.md sections:
- [Building](/contrib/guix/README.md#building)
- [Attesting to build outputs](/contrib/guix/README.md#attesting-to-build-outputs)
### Verify other builders' signatures to your own. (Optional)
### Verify other builders' signatures to your own (optional)
Add other builders keys to your gpg keyring, and/or refresh keys: See `../bitcoin/contrib/builder-keys/README.md`.
Follow the relevant Guix README.md sections:
- [Add other builders keys to your gpg keyring, and/or refresh keys](/contrib/builder-keys/README.md)
- [Verifying build output attestations](/contrib/guix/README.md#verifying-build-output-attestations)
### Next steps:
Commit your signature to guix.sigs:
### Commit your non codesigned signature to guix.sigs
```sh
pushd ./guix.sigs
@ -141,29 +137,27 @@ git push # Assuming you can push to the guix.sigs tree
popd
```
Codesigner only: Create Windows/macOS detached signatures:
- Only one person handles codesigning. Everyone else should skip to the next step.
- Only once the Windows/macOS builds each have 3 matching signatures may they be signed with their respective release keys.
## Codesigning
Codesigner only: Sign the macOS binary:
### macOS codesigner only: Create detached macOS signatures (assuming [signapple](https://github.com/achow101/signapple/) is installed and up to date with master branch)
transfer bitcoin-osx-unsigned.tar.gz to macOS for signing
tar xf bitcoin-osx-unsigned.tar.gz
./detached-sig-create.sh -s "Key ID"
./detached-sig-create.sh /path/to/codesign.p12
Enter the keychain password and authorize the signature
Move signature-osx.tar.gz back to the guix-build host
signature-osx.tar.gz will be created
Codesigner only: Sign the windows binaries:
### Windows codesigner only: Create detached Windows signatures
tar xf bitcoin-win-unsigned.tar.gz
./detached-sig-create.sh -key /path/to/codesign.key
Enter the passphrase for the key when prompted
signature-win.tar.gz will be created
Code-signer only: It is advised to test that the code signature attaches properly prior to tagging by performing the `guix-codesign` step.
### Windows and macOS codesigners only: test code signatures
It is advised to test that the code signature attaches properly prior to tagging by performing the `guix-codesign` step.
However if this is done, once the release has been tagged in the bitcoin-detached-sigs repo, the `guix-codesign` step must be performed again in order for the guix attestation to be valid when compared against the attestations of non-codesigner builds.
Codesigner only: Commit the detached codesign payloads:
### Windows and macOS codesigners only: Commit the detached codesign payloads
```sh
pushd ./bitcoin-detached-sigs
@ -178,16 +172,21 @@ git push the current branch and new tag
popd
```
Non-codesigners: wait for Windows/macOS detached signatures:
### Non-codesigners: wait for Windows and macOS detached signatures
- Once the Windows/macOS builds each have 3 matching signatures, they will be signed with their respective release keys.
- Once the Windows and macOS builds each have 3 matching signatures, they will be signed with their respective release keys.
- Detached signatures will then be committed to the [bitcoin-detached-sigs](https://github.com/bitcoin-core/bitcoin-detached-sigs) repository, which can be combined with the unsigned apps to create signed binaries.
Create (and optionally verify) the codesigned outputs:
### Create the codesigned build outputs
- [Codesigning](/contrib/guix/README.md#codesigning)
- [Codesigning build outputs](/contrib/guix/README.md#codesigning-build-outputs)
Commit your signature for the signed macOS/Windows binaries:
### Verify other builders' signatures to your own (optional)
- [Add other builders keys to your gpg keyring, and/or refresh keys](/contrib/builder-keys/README.md)
- [Verifying build output attestations](/contrib/guix/README.md#verifying-build-output-attestations)
### Commit your codesigned signature to guix.sigs (for the signed macOS/Windows binaries)
```sh
pushd ./guix.sigs
@ -197,7 +196,7 @@ git push # Assuming you can push to the guix.sigs tree
popd
```
### After 3 or more people have guix-built and their results match:
## After 3 or more people have guix-built and their results match
Combine the `all.SHA256SUMS.asc` file from all signers into `SHA256SUMS.asc`: