summaryrefslogtreecommitdiffstatshomepage
path: root/posts
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--posts/signify-cgit.md22
1 files changed, 11 insertions, 11 deletions
diff --git a/posts/signify-cgit.md b/posts/signify-cgit.md
index ceea88c..28a41f7 100644
--- a/posts/signify-cgit.md
+++ b/posts/signify-cgit.md
@@ -98,7 +98,7 @@ project title and tag, so to make sure that we get a sane[^3] tarball, we have t
pass the right prefix -- just as cgit does:
```
-$ git archive --prefix=project-1.0.0/ -o project-1.0.0.tar.gz -- 1.0.0
+$ git archive --prefix=quarg-0.1.2/ -o quarg-0.1.2.tar.gz -- 0.1.2
```
The resulting file should be exactly what you get when you download a snapshot
@@ -125,42 +125,42 @@ Since signify expects BSD-style checksums from OpenBSD's
[`sha256sum(1)`](https://manpages.debian.org/buster/coreutils/sha256sum.1.en.html):
```
-$ sha256sum --tag project-1.0.0.tar.gz > project-1.0.0.tar.gz.SHA256
+$ sha256sum --tag quarg-0.1.2.tar.gz > quarg-0.1.2.tar.gz.SHA256
```
Finally, the following invocation of signify cryptographically signs the
checksum file using our secret key and writes the signature to
-`project-1.0.0.tar.gz.SHA256.sig`:
+`quarg-0.1.2.tar.gz.SHA256.sig`:
```
-$ signify -Ses release.sec -m project-1.0.0.tar.gz.SHA256
+$ signify -Ses release.sec -m quarg-0.1.2.tar.gz.SHA256
```
## Final assembly
Now all that is left is to store the signature in Git's object database using
[`git-hash-object(1)`](https://git-scm.com/docs/git-hash-object) and tell
-`git-notes(1)` to link that blob to the `1.0.0` release tag:
+`git-notes(1)` to link that blob to the `0.1.2` release tag:
```
-$ git notes --ref=signatures/tar.gz add -C "$(git hash-object -w project-1.0.0.tar.gz.SHA256.sig)" 1.0.0
+$ git notes --ref=signatures/tar.gz add -C "$(git hash-object -w quarg-0.1.2.tar.gz.SHA256.sig)" 0.1.2
```
Let's take a look at the signature we just stored:
```
-$ git notes --ref=signatures/tar.gz show 1.0.0
+$ git notes --ref=signatures/tar.gz show 0.1.2
untrusted comment: verify with release.pub
-RWRyR8jRAxhmZ/xwxq1/oPEJ1BUZa+sYj/UKP+px+KdkT/fHrHYSXCoHmoCKqCpy3Iv2hekCyK/36fi30Leti53J+QVvkGeT2Qc=
-SHA256 (project-1.0.0.tar.gz) = 2fdc6078b432dbc513fc9f21cd90d87e9458e7c4fea9507d58b4560a00e0399c
+RWRyR8jRAxhmZ8C5e7Vxkaed4Tg5Po+Qg4J+0LvjfRRfzch1MqUL8nzkrtGEB8fLG1+DwRYkzYdcZ7qjcYSPx048lTSVpqjSAAc=
+SHA256 (quarg-0.1.2.tar.gz) = 1b6610c2417f36b5b1df5208c3c641b8b2ac3283dae87f453801cdc8c4ffb80a
```
Looks good. Let's verify it before publishing:
```
-$ git notes --ref=signatures/tar.gz show 1.0.0 | signify -Cp release.pub -x -
+$ git notes --ref=signatures/tar.gz show 0.1.2 | signify -Cp release.pub -x -
Signature Verified
-project-1.0.0.tar.gz: OK
+quarg-0.1.2.tar.gz: OK
```
Great, this is ready to be published. Git will not include `refs/notes/*` by