From d080c27066449f76bc8709fc50e422757971d2cf Mon Sep 17 00:00:00 2001 From: Andrew Chow Date: Thu, 22 Jul 2021 18:25:06 -0400 Subject: [PATCH] guix, doc: Add a note that codesigners need to rebuild after tagging One of the issues observed during the 22.0rc1 release process was that a codesigner's attestation mismatched non-codesigner attestations because the guix-codesign step was performed prior to tagging the version in bitcoin-detached-sigs. --- doc/release-process.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/doc/release-process.md b/doc/release-process.md index e375ae976a..c57fa5b23a 100644 --- a/doc/release-process.md +++ b/doc/release-process.md @@ -160,6 +160,9 @@ Codesigner only: Sign the windows binaries: Enter the passphrase for the key when prompted signature-win.tar.gz will be created +Code-signer only: It is advised to test that the code signature attaches properly prior to tagging by performing the `guix-codesign` step. +However if this is done, once the release has been tagged in the bitcoin-detached-sigs repo, the `guix-codesign` step must be performed again in order for the guix attestation to be valid when compared against the attestations of non-codesigner builds. + Codesigner only: Commit the detached codesign payloads: ```sh
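
Review bot: The added paragraph opens with "Code-signer only:", while the surrounding steps in this hunk's context ("Codesigner only: Sign the windows binaries:" and "Codesigner only: Commit the detached codesign payloads:") spell it "Codesigner only:". Use the same spelling so the note turns up when someone scans the document for codesigner steps. "However if this is done" also needs a comma after "However". The commit message gives the concrete failure, a codesigner attestation that mismatched the non-codesigner attestations during 22.0rc1. Consider saying in the doc text that an attestation produced from a pre-tag `guix-codesign` run is the one that will mismatch, so the reader knows which output to regenerate before attesting.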