util, ci: Hard code previous release tarball checksums #19813

hebasto wants to merge 2 commits into bitcoin:master from hebasto:200826-gpg, changing 6 files (+41 −30)
  1. hebasto commented at 12:09 PM on August 26, 2020: member

    #19205 introduced signature verifying for the downloaded SHA256SUMS.asc. This approach is brittle and does not work in CI environment for many reasons:

    This PR:

    • implements Sjors' idea:

    Alternatively we might as well hard code the checksum for each tar.gz release in the source code, here.

    • is an alternative to 5a2c31e528e6bd60635096f233252f3c717f366d (#19013)

    • fixes #19812

    • updates v0.17.1 to v0.17.2

  2. hebasto commented at 12:10 PM on August 26, 2020: member
  3. hebasto cross-referenced this on Aug 26, 2020 from issue script: previous_release.sh rewritten in python by bliotti
  4. DrahtBot added the label Scripts and tools on Aug 26, 2020
  5. DrahtBot commented at 9:27 PM on August 26, 2020: contributor


    The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.


    Conflicts

    Reviewers, this pull request conflicts with the following ones:

    • #19245 ([WIP DONOTMERGE] Replace boost::filesystem with std::filesystem (in c++17) by kiminuo)

    If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

  6. DrahtBot cross-referenced this on Aug 27, 2020 from issue Replace boost::filesystem with std::filesystem by kiminuo
  7. practicalswift commented at 6:19 AM on August 27, 2020: contributor

    Concept ACK: this is better than fetching the checksums from the same host as the binaries :)

  8. laanwj commented at 11:56 AM on August 27, 2020: member

    Does this need a mention in the release process?

  9. hebasto commented at 11:59 AM on August 27, 2020: member
  10. MarcoFalke commented at 1:08 PM on August 27, 2020: member

    This is only used by tests to download binaries, so no docs need to change. Maybe this should be moved to ./test/download_previous_releases.py or so?

  11. hebasto commented at 1:29 PM on August 27, 2020: member

    Maybe this should be moved to ./test/download_previous_releases.py or so?

    Out from contrib/devtools/?

  12. theStack commented at 11:03 AM on August 28, 2020: contributor

    Concept ACK

  13. Sjors commented at 1:20 PM on August 28, 2020: member

    Concept ACK. Maybe put the shasums in a text file so they're easier for other tools to use?

  14. laanwj commented at 3:47 PM on August 28, 2020: member

    Here https://github.com/bitcoin/bitcoin/blob/master/doc/release-process.md#after-3-or-more-people-have-gitian-built-and-their-results-match ?

    I'm aware of that. I meant to add the hashes to the Python script.

    Concept ACK. Maybe put the shasums in a text file so they're easier for other tools to use?

    -0 on this. I mean, the preferred way to validate downloaded binaries is still using GPG, and while I think this is a good shortcut to optimize CI, I'm not sure we should encourage its use in other tools.

  15. hebasto commented at 3:52 PM on August 28, 2020: member

    @laanwj

    Here https://github.com/bitcoin/bitcoin/blob/master/doc/release-process.md#after-3-or-more-people-have-gitian-built-and-their-results-match ?

    I'm aware of that. I meant to add the hashes to the Python script.

    Sorry. It seems I did not correctly understand your initial suggestion:

    Does this need a mention in the release process?

    Mind rewording?

  16. MarcoFalke commented at 4:02 PM on August 28, 2020: member

    The tests will need to be adjusted anyway to use the new binaries, so the hashes can be added then (if needed)

  17. laanwj commented at 4:02 PM on August 28, 2020: member

    No, it's okay, I agree with @MarcoFalke that that is not needed.

    This is only used by tests to download binaries, so no docs need to change.

  18. scripted-diff: Move previous_release.py to test/get_previous_releases.py
    -BEGIN VERIFY SCRIPT-
    OLD=contrib/devtools/previous_release.py
    NEW=test/get_previous_releases.py
    sed -i "s|$OLD|$NEW|g" $(git grep -l $OLD)
    git mv $OLD $NEW
    -END VERIFY SCRIPT-
    bd897ce79f
  19. util: Hard code previous release tarball checksums 0374e821bd
  20. hebasto force-pushed on Aug 29, 2020
  21. hebasto commented at 8:34 AM on August 29, 2020: member

    Updated c5affe70902ccf6ced959c8424cf7f35a3e5e6e1 -> 0374e821bd9e9498ce9c03aa8e5435870019978b (pr19813.01 -> pr19813.02, diff).

    Addressed @MarcoFalke's comment:

    This is only used by tests to download binaries, so no docs need to change. Maybe this should be moved to ./test/download_previous_releases.py or so?

  22. MarcoFalke commented at 8:39 AM on August 29, 2020: member

    cr ACK 0374e821bd9e9498ce9c03aa8e5435870019978b

    Hardcoding the hashes is equivalent from a trust perspective to hardcoding a gpg fingerprint and adding it to a keyring with ultimate trust.

    The hashes will need to be updated whenever a new previous release is added to the tests, but that seems acceptable.
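
A sketch of the pinned-checksum check discussed in this thread, added here as an example; it is not code from the PR or from the project. The tarball names, their bytes and the function names are constructed for illustration, and the table is derived from the sample bytes only so the example runs offline.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# Constructed stand-ins for release tarballs (names and bytes are made up).
SAMPLE_TARBALLS = {
    "example-1.0.0-x86_64-linux-gnu.tar.gz": b"constructed release bytes 1.0.0",
    "example-1.0.1-x86_64-linux-gnu.tar.gz": b"constructed release bytes 1.0.1",
}
# Pinned in the script itself; a real table holds literal hex strings.
PINNED_SHA256 = {n: hashlib.sha256(d).hexdigest() for n, d in SAMPLE_TARBALLS.items()}


def sha256_file(path, chunk_size=1 << 16):
    """Hash in chunks so a large tarball is never held in memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_tarball(path, pinned=PINNED_SHA256):
    """Return True only if the file name is pinned and its digest matches."""
    path = Path(path)
    expected = pinned.get(path.name)
    if expected is None:
        return False  # no pinned hash for this release: fail closed
    if hmac.compare_digest(sha256_file(path), expected):
        return True
    path.unlink()  # drop the bad download so nothing extracts it later
    return False


def demo():
    """Check a good, a modified and an unpinned tarball in a temp directory."""
    name = "example-1.0.0-x86_64-linux-gnu.tar.gz"
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / name
        good.write_bytes(SAMPLE_TARBALLS[name])
        results["good"] = verify_tarball(good)
        good.write_bytes(SAMPLE_TARBALLS[name] + b"modified in transit")
        results["modified"] = verify_tarball(good)
        results["modified_removed"] = not good.exists()
        unpinned = Path(tmp) / "example-9.9.9-x86_64-linux-gnu.tar.gz"
        unpinned.write_bytes(b"constructed bytes with no pinned hash")
        results["unpinned"] = verify_tarball(unpinned)
    return results
```

Rejecting an unpinned name is what makes the maintenance step mentioned above visible: adding a new previous release without adding its hash fails the download step instead of silently skipping verification.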

  23. luke-jr commented at 4:58 PM on August 29, 2020: member

    I noticed gitian building old releases doesn't match anymore, but since this only affects the downloader script (not the tests themselves), concept ACK.

  24. MarcoFalke commented at 5:10 PM on August 29, 2020: member

    I noticed gitian building old releases doesn't match anymore

    guix fixes this (maybe)

  25. Sjors commented at 12:16 PM on August 30, 2020: member

    tACK 0374e821bd9e9498ce9c03aa8e5435870019978b

  26. Sjors cross-referenced this on Aug 31, 2020 from issue test: add v0.20.1, v0.21.0 and v22.0 to backwards compatibility test by Sjors
  27. MarcoFalke merged this on Aug 31, 2020
  28. MarcoFalke closed this on Aug 31, 2020

  29. hebasto deleted the branch on Aug 31, 2020
  30. sidhujag referenced this in commit dd6081216a on Aug 31, 2020
  31. laanwj referenced this in commit 4053de04e2 on Sep 3, 2020
  32. bitcoin locked this on Feb 15, 2022

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-05-19 12:53 UTC
