Will there be signed SHA256 for binary releases?

Open greatwolf opened this issue 8 years ago • 5 comments

A cursory glance of bitcoinabc.org's download section doesn't seem to have it. The closest thing resembling it are the release yaml files minus the signatures.

greatwolf avatar Aug 01 '17 19:08 greatwolf

I've suggested including these in the download folder in the past, but I suspect we need some project discussion on whether and how to facilitate this for more gitian builders.

Until then, I've taken to publishing my signed checksums for ABC releases through blog posts at https://ftrader.github.io/tags/ABC.html . Other builders may be publishing theirs in other places currently.

ftrader avatar Aug 02 '17 19:08 ftrader

+1 on this.

Signed releases and signed git commits would improve the confidence and perceived legitimacy of this project. Core has done pretty well in this regard. Bitcoin ABC should do the same.

Even if you do not have a plan for who should be performing and signing gitian builds, you can still sign your git commits. https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work

gabegattis avatar Sep 26 '17 14:09 gabegattis

From the other thread:

@jjasonbcox: we'll need to rely on devs publishing their signatures themselves (which is far from ideal).

Even without a place for Gitian signatures, each commit could be signed right now by every dev. GitHub has a nice way to show whether commits are signed.

For pull requests, there is a script right there in the project:

https://github.com/Bitcoin-ABC/bitcoin-abc/tree/master/contrib/devtools#github-mergepy

dexX7 avatar Jun 19 '18 10:06 dexX7

@jasonbcox In the other issue, you mentioned a "proper signing infrastructure". What do you mean by that?

Commit signing is important for individual developers. Without signatures, developers have to trust GitHub and TLS to deliver code to the users unmolested. Git can do this automatically.

Bitcoin Core has a simple repo for storing gitian sigs. It gets the job done fine. https://github.com/bitcoin-core/gitian.sigs

Don't let perfect be the enemy of good enough.

gabegattis avatar Jun 19 '18 15:06 gabegattis

The signing infra cannot be simply plopped into place and work as-is. Someone needs to hook everything up for ABC. If the solution is something akin to what Core has done, that is fine. But someone still has to do the work.

jasonbcox avatar Jun 19 '18 16:06 jasonbcox