Merge pull request #38 from rootulp/rp/sign-binary

Rp/sign binary

.github/workflows/ci-release.yml

@@ -71,11 +71,19 @@ jobs:
       - uses: actions/setup-go@v4
         with:
           go-version: 1.21.1
-      # Generate the binaries and release
-      - uses: goreleaser/goreleaser-action@v5
+      # Import the GPG key from Github secrets to sign the binaries
+      - name: Import GPG key
+        id: import_gpg
+        uses: crazy-max/ghaction-import-gpg@v4
+        with:
+          gpg_private_key: ${{ secrets.GPG_SIGNING_KEY }}
+          passphrase: ${{ secrets.GPG_PASSPHRASE }}
+      # Generate the binaries, release, and sign the checksum
+      - uses: goreleaser/goreleaser-action@v4
         with:
           distribution: goreleaser
           version: latest
           args: release --clean
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}

.goreleaser.yaml

@@ -47,6 +47,18 @@ archives:
       {{- if .Arm }}v{{ .Arm }}{{ end }}
 checksum:
   name_template: "checksums.txt"
+signs:
+  - artifacts: checksum
+    args:
+      [
+        "--batch",
+        "-u",
+        "{{ .Env.GPG_FINGERPRINT }}",
+        "--output",
+        "${signature}",
+        "--detach-sign",
+        "${artifact}",
+      ]
 snapshot:
   name_template: "{{ incpatch .Version }}-next"
 changelog:

README.md

@@ -36,6 +36,8 @@ node            |  |                               |  |
 
 ## Install
 
+### Source
+
 1. [Install Go](https://go.dev/doc/install) 1.21.1
 1. Clone this repo
 1. Install the celestia-app CLI
@@ -44,6 +46,57 @@ node            |  |                               |  |
     make install
     ```
 
+### Pre-built binary
+
+If you'd rather not install from source, you can download a pre-built binary from the [releases](https://github.com/celestiaorg/celestia-app/releases) page.
+
+1. Navigate to the latest release on <https://github.com/celestiaorg/celestia-app/releases>.
+1. Download the binary for your platform (e.g. `celestia-app_Linux_x86_64.tar.gz`) from the **Assets** section.
+1. Extract the archive
+
+    ```shell
+    tar -xvf celestia-app_Linux_x86_64.tar.gz
+    ```
+
+1. Verify the extracted binary works
+
+    ```shell
+    ./celestia-appd --help
+    ```
+
+#### Optional: Verify the pre-built binary checksums and signatures
+
+If you use a pre-built binary, you may also want to verify the checksums and signatures.
+
+1. Navigate to the latest release on <https://github.com/celestiaorg/celestia-app/releases>.
+1. Download `checksums.txt`, `checksums.txt.sig`, and the binary for your platform (e.g. `celestia-app_Linux_x86_64.tar.gz`) from the **Assets** section.
+1. Verify the checksums
+
+    ```shell
+    sha256sum --ignore-missing --check checksums.txt
+    ```
+
+    You should see output like this:
+
+    ```shell
+    celestia-app_Linux_x86_64.tar.gz: OK
+    ```
+
+1. Download the [verify-signature.sh](./scripts/signing/verify-signature.sh) script.
+1. Verify the signature via the [verify-signature.sh](./scripts/signing/verify-signature.sh) script
+
+    ```shell
+    ./verify-signature.sh checksums.txt.sig checksums.txt
+    ```
+
+    You should see output like this:
+
+    ```shell
+    gpg: Signature made Thu Sep 21 14:39:26 2023 EDT
+    gpg:                using EDDSA key BF02F32CC36864560B90B764D469F859693DC3FA
+    gpg: Good signature from "celestia-app-maintainers <[email protected]>" [ultimate]
+    ```
+
 ### Ledger Support
 
 Ledger is not supported on Windows and OpenBSD.
@@ -115,33 +168,6 @@ make proto-gen
 make goreleaser-build
 ```
 
-### Publishing a Release
-
-> **NOTE** Due to `goreleaser`'s CGO limitations, cross-compiling the binary does not work. So the binaries must be built on the target platform. This means that the release process must be done on a Linux amd64 machine.
-
-To generate the binaries for the Github release, you can run the following command:
-
-```sh
-make goreleaser-release
-```
-
-This will generate the binaries as defined in `.goreleaser.yaml` and put them in `build/goreleaser` like so:
-
-```sh
-build
-└── goreleaser
-    ├── CHANGELOG.md
-    ├── artifacts.json
-    ├── celestia-app_Linux_x86_64.tar.gz
-    ├── celestia-app_linux_amd64_v1
-    │   └── celestia-appd
-    ├── checksums.txt
-    ├── config.yaml
-    └── metadata.json
-```
-
-For the Github release, you just need to upload the `checksums.txt` and `celestia-app_Linux_x86_64.tar.gz` files.
-
 ### Docs
 
 Package-specific READMEs aim to explain implementation details for developers that are contributing to these packages. The [specs](https://celestiaorg.github.io/celestia-app/) aim to explain the protocol as a whole for developers building on top of Celestia.

scripts/signing/celestia-app-maintainers.asc

@@ -0,0 +1,14 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mDMEZQyVAhYJKwYBBAHaRw8BAQdArnTc9Gu1/koOMkR7/t9HESJN8k1ee0/YBxI/
+9bk3PBW0QGNlbGVzdGlhLWFwcC1tYWludGFpbmVycyA8Y2VsZXN0aWEtYXBwLW1h
+aW50YWluZXJzQGNlbGVzdGlhLm9yZz6IkwQTFgoAOxYhBL8C8yzDaGRWC5C3ZNRp
++FlpPcP6BQJlDJUCAhsDBQsJCAcCAiICBhUKCQgLAgQWAgMBAh4HAheAAAoJENRp
++FlpPcP6sZcBAKpPSeEHPlIsKn7lAOlfV0n9kXQYnL3xxdq9/ytFB5dUAP0S//wt
+EycGLLn1Wytp06o9tFyRHw+fmQBXaNFPSsc4B7g4BGUMlQISCisGAQQBl1UBBQEB
+B0CpJl7Leh7INkGvlq3QclvXRb3TB6P28tDMXk2mPhgYFAMBCAeIeAQYFgoAIBYh
+BL8C8yzDaGRWC5C3ZNRp+FlpPcP6BQJlDJUCAhsMAAoJENRp+FlpPcP6HQgBAMC3
+QoXupYfpmiJGGnxlCcK5iyYpZLe8EWpWq39t0vRlAP4hgvO8A4c0TNZaVkvLq62P
+eLp2+KNYB2PhA91X8BL8Bg==
+=311S
+-----END PGP PUBLIC KEY BLOCK-----

scripts/signing/verify-signature.sh

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# This script enables consumers to verify signatures on artifacts.
+
+# Check if the number of arguments is not 2
+if [[ $# -ne 2 ]]; then
+    echo "Error: Exactly two arguments are required."
+    echo "Example usage:"
+    echo "  ./verify-signature.sh <signature-file> <file-to-verify>"
+    exit 1
+fi
+
+# PGP Key
+# celestia-app-maintainers <[email protected]>
+# BF02F32CC36864560B90B764D469F859693DC3FA
+echo "Importing the celestia-app-maintainers public key..."
+gpg --keyserver keys.openpgp.org --recv-keys BF02F32CC36864560B90B764D469F859693DC3FA
+
+echo "Verifying the signature of "$1" with "$2""
+gpg --verify $1 $2