How I sign a LNTOP binary
I am always amazed that someone, somewhere, is running my code or a
binary built from it. Since I released a little piece of software named
lntop a few years ago, I
sometimes receive notifications from people asking for help or for
new features and new release tags.
lntop is native to the terminal; it was added to the
RaspiBolt guide as a little
optional tool for the cli-lover node operator. RaspiBolt developers
asked about a binary release, especially for ARM64 for their Raspberry Pi
users, and I felt happily obliged to answer their request.
But releasing a binary introduces a sort of responsibility from me
toward the people who will download it. Releasing only code is
convenient: people have to read it and then run it before making you
responsible for their loss. With a binary, they trust the platform
hosting it and the developer who compiled it.
For safety and for their (and my) peace of mind, I gpg-key signed
I compiled the lntop binary for arm64 and pasted the command, the
lntop tag and the go version I used in a RELEASE.md file.
git checkout tags/v0.3.0
go version go1.16.4 linux/amd64
GOOS=linux GOARCH=arm64 go build ./cmd/lntop
I created a directory with the release file, the binary and the LICENSE.
release-v0.3.0
├── LICENSE
├── lntop
└── RELEASE.md
gzip and tar it:
tar -czf lntop-v0.3.0-Linux-arm64.tar.gz release-v0.3.0
got the sha256 checksum in a file:
sha256sum -b lntop-v0.3.0-Linux-arm64.tar.gz > checksums-lntop-v0.3.0.txt
gpg-key signed the checksum file:
gpg --detach-sig --sign --default-key a8ba... checksums-lntop-v0.3.0.txt
I attached to the github release page of
email@example.com the files:
If someone wants to download and verify that the archive is the one I created and signed, he/she can run:
sha256sum --check checksums-lntop-v0.3.0.txt
gpg --verify checksums-lntop-v0.3.0.txt.sig checksums-lntop-v0.3.0.txt
My gpg key fingerprint is in my Twitter bio. Finally, the binary and release files are extracted with:
tar -xzvf lntop-v0.3.0-Linux-arm64.tar.gz
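The verification step above, as an added example (not code from lntop or its author): a POSIX shell wrapper that checks the signature before trusting the checksum file and requires the signature to come from a pinned full fingerprint, because gpg --verify on its own succeeds for a good signature from any key in the local keyring. The function names and the fingerprint argument are assumptions; run it from the directory holding the downloaded files.

```shell
#!/bin/sh
# Added example: verify a release archive against a pinned key fingerprint.
# The fingerprint passed in is the full one the author publishes (an assumption
# here; the page only shows a truncated key id).

# Succeeds only if the gpg status output on stdin holds a VALIDSIG line whose
# primary-key fingerprint (last field) equals the pinned fingerprint $1.
validsig_matches() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$want" ] || return 1          # an empty pin never matches
    # Appending "" forces a string comparison even for digit-only values.
    awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($NF "") == (want "") { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# verify_release <pinned-fingerprint> <checksums-file> <archive>
verify_release() {
    fpr=$1; sums=$2; archive=$3
    # 1. Signature first: the checksum file is untrusted until this passes.
    status=$(gpg --status-fd 1 --verify "$sums.sig" "$sums" 2>/dev/null) || {
        echo "bad or missing signature on $sums" >&2; return 1; }
    printf '%s\n' "$status" | validsig_matches "$fpr" || {
        echo "signature is good but not made by the pinned key" >&2; return 1; }
    # 2. The signed file must actually list the archive being checked.
    grep -qF -- "$archive" "$sums" || {
        echo "$archive is not listed in $sums" >&2; return 1; }
    # 3. Only now compare the archive with the signed checksum.
    sha256sum --check --strict "$sums" || return 1
}

# Run only when called with all three arguments.
if [ "$#" -eq 3 ]; then verify_release "$@"; fi
```

Extract the archive only after this returns success.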