Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update release notes template re timestamps #1237

Merged
merged 1 commit into from
Dec 10, 2024
Merged

Update release notes template re timestamps #1237

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 6 additions & 3 deletions .github/workflows/release.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@ jobs:
run: |
expected_tag=$(./scripts/get-git-tag-name.sh version.go)
actual_tag=${{ env.RELEASE_VERSION }}

if [ "$actual_tag" = "$expected_tag" ]; then
echo "Git tag release string is as expected."
else
Expand Down Expand Up @@ -87,14 +87,17 @@ jobs:

## Verifying the Release Timestamp

From this new version onwards, in addition time-stamping the _git tag_ with [OpenTimestamps](https://opentimestamps.org/), we'll also now timestamp the manifest file along with its signature. Two new files are now included along with the rest of our release artifacts: ` manifest-roasbeef-${{ env.RELEASE_VERSION }}.txt.asc.ots`.
In addition to time-stamping the _git tag_ with [OpenTimestamps](https://opentimestamps.org/), we also timestamp the manifest file along with its signature. Two files are included in our release artifacts: `manifest-roasbeef-${{ env.RELEASE_VERSION }}.sig.ots` and `manifest-${{ env.RELEASE_VERSION }}.txt.ots`.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we actually do that today though? Or is the idea that we start doing it for future releases?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What I understood from @Roasbeef he actually does this, since he uses the wrapper and consequently tags created by him are timestamped automatically.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah I always do this manually once I sign.


Assuming you have the opentimestamps client installed locally, the timestamps can be verified with the following commands:
```
ots verify manifest-roasbeef-${{ env.RELEASE_VERSION }}.sig.ots -f manifest-roasbeef-${{ env.RELEASE_VERSION }}.sig
ots verify manifest-${{ env.RELEASE_VERSION }}.txt.ots -f manifest-${{ env.RELEASE_VERSION }}.txt
```

Alternatively, [the OpenTimestamps website](https://opentimestamps.org/) can be used to verify timestamps if one doesn't have a `bitcoind` instance accessible locally.
Alternatively, [the OpenTimestamps website](https://opentimestamps.org/) can be used to verify these timestamps if one doesn't have a `bitcoind` instance accessible locally.

Assuming you are using the [OpenTimestamps `ots-git-gpg-wrapper`](https://github.com/opentimestamps/opentimestamps-client/blob/master/doc/git-integration.md#usage) you can verify the timestamp of the _git tag_ by verifying the tag as explained in _Verifying the Release Binaries_.

These timestamps should give users confidence in the integrity of this release even after the key that signed the release expires.

Expand Down
Loading