How I sign an LNTOP binary

I am always amazed that someone, somewhere, is running my code or a binary built from it. Since I released a small program named lntop a few years ago, I have sometimes received notifications from people asking for help, new features, or new release tags. Because lntop is native to the terminal, it was added to the RaspiBolt guide as a small optional tool for the CLI-loving node operator. The RaspiBolt developers asked me about binary releases, especially for ARM64 for their Raspberry Pi users, and I felt happily obliged to answer their request.

But releasing a binary introduces a sort of responsibility on my part toward the people who will download it. Releasing only code is convenient: people have to read it and then run it before making you responsible for their loss. With a binary, they trust the platform hosting it and the developer who compiled it. For safety, and for their (and my) peace of mind, I signed the latest lntop releases with my GPG key.

I compiled the lntop binary for arm64 and pasted the command, the lntop tag version and the Go version I used into a RELEASE.md file.

git checkout tags/v0.3.0
go version go1.16.4 linux/amd64
GOOS=linux GOARCH=arm64 go build ./cmd/lntop

I created a directory with the release file, the binary and the LICENSE.

release-v0.3.0
├── LICENSE
├── lntop
└── RELEASE.md

I tarred and gzipped it:

tar -czf lntop-v0.3.0-Linux-arm64.tar.gz release-v0.3.0

I wrote the SHA-256 checksum to a file:

git checkout tags/v0.3.0
sha256sum -b lntop-v0.3.0-Linux-arm64.tar.gz > checksums-lntop-v0.3.0.txt

I signed the checksum file with my GPG key:

gpg --detach-sig --sign --default-key a8ba... checksums-lntop-v0.3.0.txt

I attached the following files to the GitHub release page of lntop@v0.3.0: lntop-v0.3.0-Linux-arm64.tar.gz, checksums-lntop-v0.3.0.txt and checksums-lntop-v0.3.0.txt.sig.

If someone wants to download the archive and verify that it is the one I created and signed, they can run:

sha256sum --check checksums-lntop-v0.3.0.txt
gpg --verify checksums-lntop-v0.3.0.txt.sig checksums-lntop-v0.3.0.txt

My GPG key fingerprint is in my Twitter bio. Finally, the binary and release files are extracted with:

tar -xzvf lntop-v0.3.0-Linux-arm64.tar.gz
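
The verification steps above combined into one script, as an added example that is not part of the original post: it checks the signature before trusting the checksum file and compares the signer's fingerprint with the one the author publishes. The function names are hypothetical, and the expected fingerprint is passed in as an argument because the post does not print it in full.

```shell
#!/bin/sh
# Added example, not the author's script.
# Usage: verify_release <expected-fingerprint> <checksums-file>

# Print the signer's primary-key fingerprint from `gpg --status-fd` lines on stdin.
# A VALIDSIG line carries the signing (sub)key fingerprint in field 3 and,
# when present, the primary-key fingerprint in field 12.
signer_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print (NF >= 12 ? $12 : $3); exit }'
}

# Strip spaces and upper-case a fingerprint so "a8ba ..." and "A8BA..." compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'
}

# Succeed only if the status lines on stdin report a valid signature
# made by the expected key.
fpr_matches() {
    got=$(signer_fpr)
    [ -n "$got" ] && [ "$(normalize_fpr "$got")" = "$(normalize_fpr "$1")" ]
}

verify_release() {
    expected=$1
    sums=$2
    # 1. Signature first: the checksum file is untrusted until this passes.
    status=$(gpg --status-fd 1 --verify "$sums.sig" "$sums" 2>/dev/null) || {
        echo "signature check failed" >&2; return 1; }
    # 2. Pin the signer: a good signature from some other key in the
    #    local keyring must not be accepted.
    printf '%s\n' "$status" | fpr_matches "$expected" || {
        echo "signed by an unexpected key" >&2; return 2; }
    # 3. Only now compare the archive against the signed checksum.
    ( cd "$(dirname "$sums")" && sha256sum --check "$(basename "$sums")" )
}
```

The signer's public key has to be imported into the local keyring before `verify_release` can succeed, and the expected fingerprint should be copied from the place the author publishes it.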