This is a release PR for cargo-binstall version 1.4.0 (performing a minor bump).
Use squash merge.
Upon merging, this will automatically create the tag v1.4.0, build the CLI, create a GitHub release with the release notes below, and CI will publish to crates.io on merge of this PR.
To trigger builds initially, close and then immediately re-open this PR once.
Edit release notes into the section below:
Release notes
Binstall is a tool to fetch and install Rust-based executables as binaries. It aims to be a drop-in replacement for cargo install in most cases. Install it today with cargo install cargo-binstall, from the binaries below, or if you already have it, upgrade with cargo binstall cargo-binstall.

In this release:
- Initial support for verifying package signatures! (Support package signing and verification #1, Initial signing support #1345, Check quickinstall signatures #1382, Doc: Provide solutions for common problems encountered during signing #1383)

After a lot of discussions, we now support verifying signatures for downloaded files. This release has support for a single algorithm, minisign. We expect to implement more later, and would warmly welcome contributions in this regard.

With this come two new options: --only-signed will refuse to install non-signed packages, and --skip-signatures disables the functionality entirely (for testing only!).

Adding signature support for your package as a first party requires adding to your Cargo.toml: we don't perform auto-detection of signature schemes at this juncture. Documentation and a guide are available in SIGNING.md.

The 3rd-party quick-install repository of packages (part of the cargo-bins umbrella organisation) has already implemented signing; if you only want first-party signed packages you should add --disable-strategies quick-install.

- Binstall's releases are now signed. (Sign our releases #1347, Revert "release: cargo-binstall v1.4.0" and fix #1398, Fix release build again #1400)

We use a just-in-time ephemeral key or "keyless" setup which generates a brand new signing key for every release.
You can find the public key for each release in a number of places:
- minisign.pub file in the packaged source crate (from crates.io)
- minisign.pub file in the downloads below
- minisign.pub file in the .full. variants of the packages below

Of course, Binstall ^1.4.1 is able to verify its own signature:
cargo binstall -y --only-signed cargo-binstall

Other changes:
- cargo-toml-workspace crate is now independent from binstalk crates (Refactor cargo-toml-workspace: Rm dep on binstalk-types #1386)
- detect-targets on ubuntu 20.04, glibc 2.31 #1379)
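
Because every release is signed with a brand new key, a minisign.pub taken from one release only matches signatures made for that release. The following Python is an added example, not part of the release notes or of Binstall's code: it parses the standard minisign public-key and signature file layouts and checks that the key ID embedded in a signature is the one in the public key you hold, without performing the Ed25519 verification itself. The key IDs and all-zero key and signature bytes are constructed placeholders, and the helper names are hypothetical.

```python
import base64

COMMENT, TRUSTED = "untrusted comment: ", "trusted comment: "

def _decode(line, size, tags):
    """Decode one base64 line into (algorithm tag, 8-byte key ID, payload)."""
    raw = base64.b64decode(line.strip(), validate=True)
    if len(raw) != size or raw[:2] not in tags:
        raise ValueError("bad length or algorithm tag")
    return raw[:2], raw[2:10], raw[10:]

def parse_pubkey(text):
    """Accept a whole minisign.pub file or only its base64 line."""
    lines = [l for l in text.strip().splitlines() if not l.startswith(COMMENT)]
    if len(lines) != 1:
        raise ValueError("expected exactly one key line")
    _, key_id, key = _decode(lines[0], 42, (b"Ed",))  # 2 + 8 + 32 bytes
    return {"key_id": key_id, "key": key}

def parse_signature(text):
    """Parse the four-line signature file minisign writes."""
    lines = text.strip().splitlines()
    if (len(lines) != 4 or not lines[0].startswith(COMMENT)
            or not lines[2].startswith(TRUSTED)):
        raise ValueError("not a minisign signature file")
    # "Ed" = legacy signature over the file, "ED" = over its BLAKE2b-512 hash
    tag, key_id, sig = _decode(lines[1], 74, (b"Ed", b"ED"))  # 2 + 8 + 64
    global_sig = base64.b64decode(lines[3].strip(), validate=True)
    if len(global_sig) != 64:
        raise ValueError("global signature must be 64 bytes")
    return {"prehashed": tag == b"ED", "key_id": key_id, "sig": sig,
            "trusted_comment": lines[2][len(TRUSTED):], "global_sig": global_sig}

def signed_by(pubkey_text, sig_text):
    """True only when the signature names the key ID of this public key."""
    return parse_pubkey(pubkey_text)["key_id"] == parse_signature(sig_text)["key_id"]

# Constructed placeholders: made-up key IDs, all-zero key and signature bytes.
def sample_pub(key_id):
    return COMMENT + "minisign public key\n" + base64.b64encode(b"Ed" + key_id + bytes(32)).decode()

def sample_sig(key_id):
    body = base64.b64encode(b"ED" + key_id + bytes(64)).decode()
    return f"{COMMENT}sample\n{body}\n{TRUSTED}file:demo.tgz\n" + base64.b64encode(bytes(64)).decode()

if __name__ == "__main__":
    release_a, release_b = b"\x01" * 8, b"\x02" * 8
    print(signed_by(sample_pub(release_a), sample_sig(release_a)))
    print(signed_by(sample_pub(release_a), sample_sig(release_b)))
```

A key ID match is only a routing check: it tells you which release's key to verify against, and the signature still has to pass real minisign verification before the file is trusted.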