-
Theo[m]1
I wish more open source projects would use reproducible builds. No one can build everything they use, so we should be able to use binaries directly without having to trust a single person/entity
-
Theo[m]1
Do you know if there are any automated ways to check that at least some amount of people that you trust have verified a build before installing it ? It would be nice but I don't think it's widespread enough
-
Theo[m]1
I believe this verification is done manually for monero right?
-
shroomreactionar
"Excuse me friend, can you please run sha512sum on your monero build"
-
rock[m]
lmao
-
g0d0h932
hi
-
monerobull[m]
Seth For Privacy till when does this need to be done? I want to try contributing
-
sethsimmons
<monerobull[m]> "Seth For Privacy till when..." <- Ideally before release, but it's never too late really!
-
sethsimmons
<Theo[m]1> "Do you know if there are any..." <- What do you mean "automated"?
-
sethsimmons
Some way to simply compare all of the signed hashes people produce?
-
monerobull[m]
sethsimmons: Is 6 hours from now enough?
-
sethsimmons
It's always helpful, even after release, so a great chance to become familiar with the process either way
-
sethsimmons
Would recommend the Docker approach:
-
moneromooo
monero-update checks for >= 2 agreeing hashes from a set of trusted people IIRC.
-
moneromooo
Trusted in this context being... hyc iDunk and a couple others.
-
Halver[m]
It's 1st time and it seems to work (not finished).
-
Halver[m]
The scripts are doing quite all the job, so, not so complicated.
-
Halver[m]
Thanks to the people who write the scripts.
-
hyc
that's the idea. i wanted a simple automation that anyone can do...
-
hyc
and the scripts themselves are also simple, anyone can read them to verify what they do
-
sethsimmons
Thankful for the Dockerized approach, much easier to clean up after and a bit simpler to follow
-
hyc
I got sick of polluting my main dev machine
-
hyc
and having my dev environment break after every OS upgrade
-
monerobull[m]
I'm trying to figure out PGP right now with the gpg frontend, why does it say my signed messages are "NOT fully valid"?
-
sethsimmons
Did you have the private key imported/created before running it? Did you accept to sign at the prompt? What exact output did it give?
-
monerobull[m]
I generated a private/pub key, put "test message 3" into the editor field, clicked sign, clicked verify
-
monerobull[m]
Verify report says success
-
monerobull[m]
> It contains:
-
monerobull[m]
A signature NOT fully valid.
-
monerobull[m]
Signed by: testsignature<test3โgc>
-
LyzaL
I think you have to tell gpg that keys come from a trusted source to avoid that warning.... although it should prolly be automatically marked trusted if you generated it yourself heh
-
monerobull[m]
Alright so it only says that because it isn't a "trusted key"
-
sethsimmons
Yes, just run `gpg --edit-key [key-id]` and then `trust` and set to ultimate trust (5).
-
monerobull[m]
Worked
-
monerobull[m]
Good signature fully valid
-
sethsimmons
Awesome
-
monerobull[m]
How do I now check something you guys signed is valid?
-
monerobull[m]
Like your PR Seth For Privacy
-
sethsimmons
Did you answer yes to signing when running the dockrun.sh script?
-
sethsimmons
If so the directory will be in `sigs` there.
-
monerobull[m]
I only have gpg installed, didn't do any of the monero gitian stuff yet
-
sethsimmons
Ah
-
Rucknium[m]
monero-guides: I sense a Monero Guide in the making ^
-
monerobull[m]
Holy moly I've been struggling the whole day to get my mint vm updated. I wasn't logged into the firewall...
-
monerobull[m]
So can I sign with my monero secret key or will I need a separate PGP key?
-
sethsimmons
You sign with a PGP key, up to you which one but you'll have to publish the public key as part of the gitian.sigs repo.
-
hyc
sethsimmons: did you by any chance run the dockrun script once before downloading the Mac SDK?
-
sethsimmons
Yes
-
hyc
then that's why you didn't get it.
-
sethsimmons
Well, I downloaded the SDK in the root monero dir, so it was in the wrong place.
-
sethsimmons
Docs didn't say where to download it, but I can add that as well
-
hyc
dockrun only builds the gitrun container once, and the SDK has to be there at that time.
-
hyc
after that it just uses the container as-is.
-
sethsimmons
Ah makes sense
-
sethsimmons
I'll add dirs to docs
-
hyc
sure. dockrun assumes everything is in the current working directory - contrib/gitian
-
sethsimmons
If DOCKRUN.md will be referred to directly, it needs to include the git clone and cd commands, so I'll add those
-
hyc
which git clone?
-
hyc
I would assume you've already cloned the repo if you're reading the document
-
sethsimmons
of monero source
-
sethsimmons
It's not even mentioned at present in the DOCKRUN.md doc
-
hyc
right, because you already have the repo if you have the file to read.
-
sethsimmons
But that won't be the case necessarily for people sent straight there via URL
-
sethsimmons
Most people won't be vim'ing the md file, they'll be reading it on Github itself.
-
hyc
meh.
-
hyc
we have to draw the line somewhere. you have to know how to use git
-
sethsimmons
Yes, but I don't think the line should include you knowing what source to clone and what directory to be in
-
hyc
those steps won't make sense / would be redundant once you're actually reading the file from your own source tree
-
sethsimmons
Like I said, I don't think that's the majority of people, and the Docker setup is a good "beginner" approach.
-
hyc
the docker setup requires you to know how to use docker
-
hyc
so we're already excluding total beginners
-
hyc
and that's ok.
-
hyc
it requires you to know how to install docker on your machine
-
hyc
it thus requires you to be able to responsibly use sysadmin privs without blowing things up
-
sethsimmons
It's just a minor change that adds much-needed context/initial steps.
-
hyc
ok fine. yeah it's a small change.
-
sethsimmons
hyc: It doesn't, though, it includes the basic steps to install and prep Docker, and rightly so.
-
sethsimmons
And includes all Docker commands necessary to complete and verify the builds.
-
sethsimmons
This is just a small piece of missing context, I certainly don't want to add a beginner guide to git or Docker, but to run the process start to finish the clone/cd are required steps that shouldn't be assumed, IMO.
-
sethsimmons
I pushed the commit with the changes to monero-project/monero #8101
-
hyc
ok
-
hyc
now just need to add a note about the out/ directory
-
sethsimmons
Starting a clean build including mac builds now
-
sethsimmons
hyc: Ah, yes
-
hyc
oh also you could just docker cp the SDK file into the gitrun container
-
hyc
no need to tear it all down and start over
-
sethsimmons
Meh good way to test and already done
-
sethsimmons
But that would have been much faster for sure lol
-
hyc
heh ok
-
sethsimmons
Will add the out notes once the first build is done and I can validate the dir
-
hyc
ok
-
Halver[m]
Results from my gitian builds :
-
Halver[m]
seems in line with others.
-
Halver[m]
apple build and sig is missing because I missed it. Sorry.
-
Halver[m]
I'll now try to do the GPG things.
-
sethsimmons
Nice!
-
kinghat[m]
I don't think being verbose in instructions is bad. I'm not a docker or git wizard, with only cursory knowledge, it can help dummies like me.
-
masterbob79[m]
I do not like docker. systemd makes more sense to me. this stuff is still new to me
-
masterbob79[m]
copy and paste, it's what I do. hahaha
-
Theo[m]1
<moneromooo> "monero-update checks for >= 2..." <- thanks that's exactly what I was asking
-
Theo[m]1
is this done by the devs before publishing the binaries or locally before updating?
-
Halver[m]
I have forked monero/gitian.sigs on my own github (github.com/HoverHalver/gitian.sigs)
-
Halver[m]
I'm doing this using Tor, but the file refuses to upload.
-
Halver[m]
I wonder that it's probably github which dislikes me using Tor ?
-
sethsimmons
Just cat the file and copy+paste, and name the same as your Github username (i.e. HoverHalver.asc)
-
sethsimmons
Add file>Create new file
-
Halver[m]
Thanks Seth, this way works.
-
sethsimmons
Nice
-
Halver[m]
Still using Tor, I encounter (of course) the same issue when I try eg to upload my sig folder
-
Halver[m]
I guess I will either have to use vanilla Firefox or use git command lines.
-
Halver[m]
in which case I guess such uploading probably leaks my IP to github.com
-
Halver[m]
s/./,/
-
Rucknium[m]
Halver: torsocks (more preferred I think) or torify (less preferred I think) plus git commands should work on Linux.
-
Halver[m]
in order to do `git commit ...`
-
Halver[m]
git asks for an email and a name.
-
Halver[m]
Not sure if giving a fake email will work (?)
-
Halver[m]
afk
-
moneromooo
It won't, since it'll double check with the password number it asks you afterwards.
-
moneromooo
passport*
-
moneromooo
(though anything with a @ works IIRC, it's just being a pain about asking)
-
woodser[m]
spirobel you can call `MoneroUtils.getIntegratedAddress(networkType, address, paymentId)` with the monero-javascript-v0.5.9 release