-rw-r--r-- | posts/signify-cgit.md | 22 |
1 files changed, 11 insertions, 11 deletions
diff --git a/posts/signify-cgit.md b/posts/signify-cgit.md index ceea88c..28a41f7 100644 --- a/posts/signify-cgit.md +++ b/posts/signify-cgit.md @@ -98,7 +98,7 @@ project title and tag, so to make sure that we get a sane[^3] tarball, we have t pass the right prefix -- just as cgit does: ``` -$ git archive --prefix=project-1.0.0/ -o project-1.0.0.tar.gz -- 1.0.0 +$ git archive --prefix=quarg-0.1.2/ -o quarg-0.1.2.tar.gz -- 0.1.2 ``` The resulting file should be exactly what you get when you download a snapshot 
@@ -125,42 +125,42 @@ Since signify expects BSD-style checksums from OpenBSD's [`sha256sum(1)`](https://manpages.debian.org/buster/coreutils/sha256sum.1.en.html): ``` -$ sha256sum --tag project-1.0.0.tar.gz > project-1.0.0.tar.gz.SHA256 +$ sha256sum --tag quarg-0.1.2.tar.gz > quarg-0.1.2.tar.gz.SHA256 ``` Finally, the following invocation of signify cryptographically signs the checksum file using our secret key and writes the signature to -`project-1.0.0.tar.gz.SHA256.sig`: +`quarg-0.1.2.tar.gz.SHA256.sig`: ``` -$ signify -Ses release.sec -m project-1.0.0.tar.gz.SHA256 +$ signify -Ses release.sec -m quarg-0.1.2.tar.gz.SHA256 ``` ## Final assembly Now all that is left is to store the signature in Git's object database using [`git-hash-object(1)`](https://git-scm.com/docs/git-hash-object) and tell -`git-notes(1)` to link that blob to the `1.0.0` release tag: +`git-notes(1)` to link that blob to the `0.1.2` release tag: ``` -$ git notes --ref=signatures/tar.gz add -C "$(git hash-object -w project-1.0.0.tar.gz.SHA256.sig)" 1.0.0 +$ git notes --ref=signatures/tar.gz add -C "$(git hash-object -w quarg-0.1.2.tar.gz.SHA256.sig)" 0.1.2 ``` Let's take a look at the signature we just stored: ``` -$ git notes --ref=signatures/tar.gz show 1.0.0 +$ git notes --ref=signatures/tar.gz show 0.1.2 untrusted comment: verify with release.pub -RWRyR8jRAxhmZ/xwxq1/oPEJ1BUZa+sYj/UKP+px+KdkT/fHrHYSXCoHmoCKqCpy3Iv2hekCyK/36fi30Leti53J+QVvkGeT2Qc= -SHA256 (project-1.0.0.tar.gz) = 2fdc6078b432dbc513fc9f21cd90d87e9458e7c4fea9507d58b4560a00e0399c +RWRyR8jRAxhmZ8C5e7Vxkaed4Tg5Po+Qg4J+0LvjfRRfzch1MqUL8nzkrtGEB8fLG1+DwRYkzYdcZ7qjcYSPx048lTSVpqjSAAc= +SHA256 (quarg-0.1.2.tar.gz) = 1b6610c2417f36b5b1df5208c3c641b8b2ac3283dae87f453801cdc8c4ffb80a ``` Looks good. 
Let's verify it before publishing: ``` -$ git notes --ref=signatures/tar.gz show 1.0.0 | signify -Cp release.pub -x - +$ git notes --ref=signatures/tar.gz show 0.1.2 | signify -Cp release.pub -x - Signature Verified -project-1.0.0.tar.gz: OK +quarg-0.1.2.tar.gz: OK ``` Great, this is ready to be published. Git will not include `refs/notes/*` by |
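Review bot: In the first hunk (the `git archive` command at line 98), the project name and version now appear three times in one line (`--prefix=quarg-0.1.2/`, `-o quarg-0.1.2.tar.gz` and the tag `0.1.2`), while the surrounding text still promises a file that is "exactly what you get when you download a snapshot". The checksum signed later covers the compressed bytes, so a typo in the prefix or a gzip output that differs from the server's gives a signature that never verifies for users. Suggest adding a sentence that tells readers to compare the local archive against a downloaded snapshot before signing.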
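Review bot: In the second hunk, the closing check (`signify -Cp release.pub -x -`) reports `quarg-0.1.2.tar.gz: OK` for the file in the working directory, which is the archive that was just built locally. That confirms the signature and checksum agree with each other, but not that the snapshot served to users matches. Suggest noting that the same command should be re-run against a freshly downloaded snapshot before publishing. The example output also now carries a concrete signature and SHA256 for `quarg-0.1.2.tar.gz`; it would help to state whether these are the published release values or sample output, so readers know whether they can compare against them.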