This repository is for deterministic build results for GoByte releases.
See the release process in the GoByte repository for how to deterministically build binaries and then pgp-sign them.
Instructions for setting up a virtual machine in which you can gitian build as well as public keys of developers and active contributors can also be found there.
You can verify PGP signatures produced by a specific author (e.g. with a nickname some_food
)
for a specific version (e.g. 0.9.9.9) via a simple bash script like this:
export VERSION=0.9.9.9 && export PR_AUTHOR=some_food \
&& gpg --status-fd 1 --verify-files $VERSION-{osx-*,win-*,linux}/$PR_AUTHOR/*.sig 2>/dev/null | grep -e GOODSIG \
&& gpg --status-fd 1 --verify-files $VERSION-{osx-*,win-*,linux}/$PR_AUTHOR/*.sig 2>/dev/null | grep -e BADSIG -B4 | grep -e BADSIG -e FILE_START
This should produce a few lines like
[GNUPG:] GOODSIG 9999999999999999 some_food <some_food@some_plate.org>
or something like
[GNUPG:] FILE_START 1 0.9.9.9-win-signed/some_food/gobyte-win-signer-build.assert.sig
[GNUPG:] BADSIG 9999999999999999 some_food <some_food@some_plate.org>
if there is a bad signature.