This repository has been archived by the owner on Nov 15, 2022. It is now read-only.

Add bindings PGP public key and documentation on how to verify signat… #94

Merged
merged 2 commits into from
Oct 3, 2022


thunderbiscuit
Member

This PR adds our public PGP key to the repository, as well as documentation on how to use it to verify signatures on the bdk-jvm and bdk-android artifacts.

@thunderbiscuit thunderbiscuit self-assigned this Sep 23, 2022
@thunderbiscuit thunderbiscuit added this to the Release 0.10.0 milestone Sep 23, 2022
@notmandatory
Member

notmandatory commented Sep 24, 2022

I think the "Verify Signatures" section can be simplified as below. Users at a minimum only need to verify the binary artifact signatures match the corresponding .asc file. I don't think they also need to manually check the hashes; checking hashes is done with Bitcoin Core binaries, but it's a more involved process allowing multiple independent people to provide signatures.

Verify Signatures

Both libraries and all their corresponding artifacts are signed with a PGP key you can find in the
root of this repository. To verify the signatures follow the below steps:

  1. Import the PGP key in your keyring.
     # Navigate to the root of the repository and import the ./PGP-BDK-BINDINGS.asc public key
     gpg --import ./PGP-BDK-BINDINGS.asc
     
     # Alternatively, you can import the key directly from a public key server
     gpg --keyserver keyserver.ubuntu.com --receive-key 2768C43E8803C6A3
     
     # Verify that the correct key was imported
     gpg --list-keys
     
     # You should see the below output
     pub   ed25519 2022-08-31 [SC]
           88AD93AC4589FD090FF3B8D12768C43E8803C6A3
     uid           [ unknown] bitcoindevkit-bindings <bindings@bitcoindevkit.org>
     sub   cv25519 2022-08-31 [E]
  2. Download the binary artifacts and corresponding signature files.
    • from [bdk-jvm]
      • bdk-jvm-<version>.jar
      • bdk-jvm-<version>.jar.asc
    • from [bdk-android]
      • bdk-android-<version>.aar
      • bdk-android-<version>.aar.asc
  3. Verify the signatures.
    gpg --verify bdk-jvm-<version>.jar.asc 
    gpg --verify bdk-android-<version>.aar.asc
    
    # you should see a "Good signature" result
    gpg: Good signature from "bitcoindevkit-bindings <bindings@bitcoindevkit.org>" [unknown]
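
An added example, not part of the comment above or of the bdk project's own documentation: `gpg --verify` reports "Good signature" for any key present in the keyring, so this sketch reads GnuPG's machine-readable status output and accepts a signature only when it comes from the full fingerprint listed in step 1. The names `BDK_FPR`, `SAMPLE_STATUS`, `signed_by_pinned_key` and `verify_artifact` are hypothetical, and the sample status lines are constructed.

```shell
# Added example (not from the PR): pin the full key fingerprint rather than
# accepting any "Good signature". Fingerprint as listed in step 1 above.
BDK_FPR="88AD93AC4589FD090FF3B8D12768C43E8803C6A3"

# Constructed sample of `gpg --status-fd 1 --verify` output for a good signature.
# Only the key ID, uid and fingerprint come from the page; the rest is made up.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 2768C43E8803C6A3 bitcoindevkit-bindings <bindings@bitcoindevkit.org>
[GNUPG:] VALIDSIG 88AD93AC4589FD090FF3B8D12768C43E8803C6A3 2022-10-03 1664755200 0 4 0 22 10 00 88AD93AC4589FD090FF3B8D12768C43E8803C6A3'

# signed_by_pinned_key STATUS_TEXT [FINGERPRINT]
# Returns 0 only if there is at least one VALIDSIG line, every VALIDSIG line
# names the pinned primary-key fingerprint (field 12, falling back to the
# signing-key fingerprint in field 3), and no line reports a bad,
# unverifiable, expired or revoked-key signature.
signed_by_pinned_key() {
    printf '%s\n' "$1" | awk -v want="${2:-$BDK_FPR}" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" {
            fpr = (NF >= 12) ? $12 : $3
            if (toupper(fpr) == want) ok = 1; else bad = 1
        }
        END { exit !(ok && !bad) }'
}

# verify_artifact SIG_FILE
# Runs gpg on a detached signature such as bdk-jvm-<version>.jar.asc (the
# artifact must sit next to it) and applies the fingerprint check.
verify_artifact() {
    va_status="$(gpg --batch --status-fd 1 --verify "$1" 2>/dev/null)" || true
    signed_by_pinned_key "$va_status"
}
```

After importing the key, `verify_artifact bdk-jvm-<version>.jar.asc` exits non-zero when the signature is missing, invalid, or made by a key other than the pinned one.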

@thunderbiscuit
Member Author

Good ideas. I fixed it all! Ready for re-review.

@thunderbiscuit
Member Author

This PR fixes #85.

Member

@notmandatory notmandatory left a comment

ACK 8e7062c

Thanks for the updates!
