doc: document the procedure for verifying releases
Refs: https://github.com/libuv/libuv/issues/409
parent fbd61f6284
commit dbca917bad
36
MAINTAINERS.md
Normal file
@ -0,0 +1,36 @@
|
|||||||
|
|
||||||
|
# Project Maintainers
|
||||||
|
|
||||||
|
libuv is currently managed by the following individuals:
|
||||||
|
|
||||||
|
* **Ben Noordhuis** ([@bnoordhuis](https://github.com/bnoordhuis))
|
||||||
|
- GPG key: 46AB89B9 (pubkey-bnoordhuis)
|
||||||
|
* **Bert Belder** ([@piscisaureus](https://github.com/piscisaureus))
|
||||||
|
* **Fedor Indutny** ([@indutny](https://github.com/indutny))
|
||||||
|
- GPG key: 19B7E890 (pubkey-indutny)
|
||||||
|
* **Saúl Ibarra Corretgé** ([@saghul](https://github.com/saghul))
|
||||||
|
- GPG key: AE9BC059 (pubkey-saghul)
|
||||||
|
|
||||||
|
## Storing a maintainer key in Git
|
||||||
|
|
||||||
|
It's quite handy to store a maintainer's signature as a git blob, and have
|
||||||
|
that object tagged and signed with such key.
|
||||||
|
|
||||||
|
Export your public key:
|
||||||
|
|
||||||
|
$ gpg --armor --export saghul@gmail.com > saghul.asc
|
||||||
|
|
||||||
|
Store it as a blob on the repo:
|
||||||
|
|
||||||
|
$ git hash-object -w saghul.asc
|
||||||
|
|
||||||
|
The previous command returns a hash, copy it. For the sake of this explanation,
|
||||||
|
we'll assume it's 'abcd1234'. Storing the blob in git is not enough, it could
|
||||||
|
be garbage collected since nothing references it, so we'll create a tag for it:
|
||||||
|
|
||||||
|
$ git tag -s pubkey-saghul abcd1234
|
||||||
|
|
||||||
|
Commit the changes and push:
|
||||||
|
|
||||||
|
$ git push origin pubkey-saghul
|
||||||
|
|
||||||
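Review bot: the "GPG key:" lines in the maintainer list give 8-hex-digit short key IDs (46AB89B9, 19B7E890, AE9BC059), which are only 32 bits and can be collided, so someone fetching a key by that ID may receive a different key with the same short ID. Please list the full 40-character fingerprints instead, so readers have something to compare an imported key against. Bert Belder has no key entry; if he does not sign releases, saying so would avoid the question. In "Storing a maintainer key in Git", the first sentence says the maintainer's "signature" is stored, but the steps export and store the public key. "Commit the changes and push:" also does not match the procedure, since `git hash-object -w` and `git tag -s` leave nothing to commit; "Push the tag:" would describe the command that follows. It is worth stating that the pubkey-* tag is signed by the same key it contains, so the tag protects the blob from garbage collection but does not independently vouch for the key.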
33
README.md
@ -89,6 +89,39 @@ also serve as API specification and usage examples.
|
|||||||
These resources are not handled by libuv maintainers and might be out of
|
These resources are not handled by libuv maintainers and might be out of
|
||||||
date. Please verify it before opening new issues.
|
date. Please verify it before opening new issues.
|
||||||
|
|
||||||
|
## Downloading
|
||||||
|
|
||||||
|
libuv can be downloaded either from the
|
||||||
|
[GitHub repository](https://github.com/libuv/libuv)
|
||||||
|
or from the [downloads site](http://dist.libuv.org/dist/).
|
||||||
|
|
||||||
|
Before verifying the git tags or signature files, importing the relevant keys
|
||||||
|
is necessary. Key IDs are listed in the
|
||||||
|
[MAINTAINERS](https://github.com/libuv/libuv/blob/master/MAINTAINERS.md)
|
||||||
|
file, but are also available as git blob objects for easier use.
|
||||||
|
|
||||||
|
Importing a key the usual way:
|
||||||
|
|
||||||
|
$ gpg --keyserver pool.sks-keyservers.net \
|
||||||
|
--recv-keys AE9BC059
|
||||||
|
|
||||||
|
Importing a key from a git blob object:
|
||||||
|
|
||||||
|
$ git show pubkey-saghul | gpg --import
|
||||||
|
|
||||||
|
### Verifying releases
|
||||||
|
|
||||||
|
Git tags are signed with the developer's key, they can be verified as follows:
|
||||||
|
|
||||||
|
$ git verify-tag v1.6.1
|
||||||
|
|
||||||
|
Starting with libuv 1.7.0, the tarballs stored in the
|
||||||
|
[downloads site](http://dist.libuv.org/dist/) are signed and an accomanying
|
||||||
|
signature file sit alongside each. Once both the release tarball and the
|
||||||
|
signature file are downloaded, the file can be verified as follows:
|
||||||
|
|
||||||
|
$ gpg --verify libuv-1.7.0.tar.gz.sign
|
||||||
|
|
||||||
## Build Instructions
|
## Build Instructions
|
||||||
|
|
||||||
For GCC there are two build methods: via autotools or via [GYP][].
|
For GCC there are two build methods: via autotools or via [GYP][].
|
||||||
|
|||||||
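Review bot: the two import examples under "Downloading" never ask the reader to check which key they ended up with: `--recv-keys AE9BC059` fetches by a 32-bit short ID, and `git show pubkey-saghul | gpg --import` takes the key from the same repository whose tags it is then used to verify. Please add a step that compares the imported key's full fingerprint (for example with `gpg --fingerprint`) against a value published in MAINTAINERS.md, and use the full fingerprint in the `--recv-keys` example. In "Verifying releases", `gpg --verify libuv-1.7.0.tar.gz.sign` relies on gpg deriving the data file name from the signature file name; naming both files, `gpg --verify libuv-1.7.0.tar.gz.sign libuv-1.7.0.tar.gz`, makes it explicit which tarball is being checked. The downloads site is linked over http://, so the text could say that the signature check is what establishes integrity for those tarballs. Wording in the same section: "accomanying" should be "accompanying", "signature file sit alongside" should be "sits", and "Git tags are signed with the developer's key, they can be verified" reads better as two sentences or with "and".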