How I sign a LNTOP binary
I am always amazed that someone, somewhere, is running my code or a binary built from it. Since I released a little piece of software named lntop a few years ago, I sometimes receive notifications from people asking for help, or for new features and new release tags.
Because lntop is native to the terminal, it was added to the RaspiBolt guide as a little optional tool for the CLI-loving node operator. The RaspiBolt developers asked me about binary releases, especially for ARM64 for their Raspberry Pi users, and I felt happily obliged to answer their request.
But releasing a binary introduces a sort of responsibility from me toward the people who will download it. Releasing code only is convenient: people have to read it and then run it before making you responsible for their loss. With a binary, they trust the platform hosting it and the developer who compiled it.
For safety, and for their (and my) peace of mind, I signed the last lntop releases with my GPG key.
I compiled the lntop binary for arm64 and pasted the command, the lntop tag version and the Go version I used into a RELEASE.md file.
git checkout tags/v0.3.0
go version go1.16.4 linux/amd64
GOOS=linux GOARCH=arm64 go build ./cmd/lntop
I created a directory with the release file, the binary and the LICENSE.
release-v0.3.0
├── LICENSE
├── lntop
└── RELEASE.md
I tarred and gzipped it:
tar -czf lntop-v0.3.0-Linux-arm64.tar.gz release-v0.3.0
I wrote its sha256 checksum to a file:
git checkout tags/v0.3.0
sha256sum -b lntop-v0.3.0-Linux-arm64.tar.gz > checksums-lntop-v0.3.0.txt
and I signed the checksum file with my GPG key:
gpg --detach-sig --sign --default-key a8ba... checksums-lntop-v0.3.0.txt
I attached the files lntop-v0.3.0-Linux-arm64.tar.gz, checksums-lntop-v0.3.0.txt and checksums-lntop-v0.3.0.txt.sig to the GitHub release page of lntop@v0.3.0.
If someone wants to download the archive and verify that it is the one I created and signed, they can run:
sha256sum --check checksums-lntop-v0.3.0.txt
gpg --verify checksums-lntop-v0.3.0.txt.sig checksums-lntop-v0.3.0.txt
My GPG key fingerprint is in my Twitter bio. Finally, the binary and release files are extracted with:
tar -xzvf lntop-v0.3.0-Linux-arm64.tar.gz
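On the verification side, gpg --verify exits successfully for a good signature from any key in the local keyring, so the published fingerprint has to be compared explicitly. The script below is an added example, not part of the original post: it pins the signer's fingerprint using gpg's machine-readable status lines and then checks the archive against the signed checksum file. The function names are hypothetical and the fingerprint in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post.

# signed_by FPR: read `gpg --status-fd 1 --verify` output on stdin and succeed
# only for a GOODSIG (valid signature, key neither expired nor revoked) whose
# VALIDSIG line ends with the pinned primary-key fingerprint.
# Assumes the .sig file carries a single signature.
signed_by() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good = 1 }
        $2 == "VALIDSIG" && $NF == want { pinned = 1 }
        END { exit !(good && pinned) }'
}

# sums_ok SUMS: run the check from the directory holding the checksum file,
# because the file names inside it are relative.
sums_ok() {
    ( cd "$(dirname "$1")" && sha256sum --check "$(basename "$1")" )
}

# verify_release SUMS SIG FPR: signature on the checksum file first, then the
# checksums themselves. FPR is the full fingerprint the author publishes.
verify_release() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null | signed_by "$3" || {
        echo "checksum file is not signed by $3" >&2
        return 1
    }
    sums_ok "$1" || { echo "archive does not match signed checksum" >&2; return 1; }
}

# Usage (placeholder fingerprint, replace with the published one):
# verify_release checksums-lntop-v0.3.0.txt checksums-lntop-v0.3.0.txt.sig \
#     "<FULL KEY FINGERPRINT>" && tar -xzf lntop-v0.3.0-Linux-arm64.tar.gz
```

The signer's public key must already be imported into the keyring, and the archive is unpacked only if both checks pass.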