add intro for release signing and release archive
1 parent 1c79152, commit e274fd4

Showing 2 changed files with 30 additions and 0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
# Release Archive | ||
|
||
This article describes the design ideas of the V2Ray core (v2ray-core) release archive. | ||
|
||
V2Ray use Github Action to build releases. However, Github Action are usaged based billing product and it is not possible to store logs and artifacts in long term without significant cost. | ||
|
||
We instead upload the logs and artifacts to [archive org](https://archive.org/details/v2ray-action-archive-hqfi0pb) with [AutoV2RayActionArchive](https://github.com/xiaokangwang/AutoV2RayActionArchive). You can find expired logs and artifacts there. |
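
Review bot: The last paragraph sends readers to archive.org for expired logs and artifacts but does not say how to check that what they download from there is authentic. Since the archive is a third-party host filled by AutoV2RayActionArchive, add a sentence pointing to the Release Signing document so that archived binaries are checked against the signed 'Release' manifest before use. The third paragraph also needs a wording pass: "V2Ray use Github Action" should read "V2Ray uses GitHub Actions", "are usaged based billing product" should read "is a usage-based billing product", and the link text "archive org" should be "archive.org".
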
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,23 @@ | ||
# Release Signing | ||
|
||
This article describes the design ideas of the V2Ray core (v2ray-core) release signing. | ||
|
||
All stable release of V2Ray are signed in [Signify](https://man.openbsd.org/signify) with a the private key corresponding to | ||
|
||
``` | ||
untrusted comment: V2Fly Signing Key | ||
RWTe6SReSmJUeqoA8cq1MxX7ycL06DAMAJcAgQ8dCN3kFtnWBHYDpTnx | ||
``` | ||
|
||
The file being signed is a manifest file named 'Release' with the checksums of all binaries, including unzipped content of zip files. | ||
|
||
## Binary Transparency | ||
|
||
The signed manifest file is published to [rekor](https://github.com/sigstore/rekor) by signing the sha512 hash of the 'Release' file with a topic key. You can generate a list of all the file signed with [rekor-monitor](https://github.com/sigstore/rekor-monitor) with the following commands: | ||
|
||
``` | ||
echo 'rekor.sigstore.dev - 2605736670972794746\n86482791\nFehZ1/6CqPAFDaEM1N4xOsFZO1rD6v8nmu8yMjUqzAg=\n\n— rekor.sigstore.dev wNI9ajBEAiBTwFlsQciw2QNcGmPqCfPnArWAV9kgEygav9EeVsa+RgIgC0Q4vazfZksnzDkqpv687OTF99KnwtI8fb9a9pUHoOU=\n' > logInfo.txt | ||
verifier -monitored-values "$(echo "ZmluZ2VycHJpbnRzOgogIC0gMzk3YzQ1MTJiZDRjMWIxYWQ4MjIxNTAzNDVkMTczNTUwZjRmNmE0NGJlOTM1MzVmZmVlYzRhZTQyZDg2ZGEzMg=="|base64 -d)" --once | ||
``` | ||
|
||
The topic key is used to generate a list of hash value submitted to rekor by V2Ray. It is not used for verifying release. The topic key design is necessary as rekor does not support signed message, only detached signature. |
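
Review bot: In the command block under "Binary Transparency", the `echo '...\n...' > logInfo.txt` line depends on echo expanding `\n`, which differs between shells (bash's builtin echo writes the backslash sequences literally unless given -e), so logInfo.txt can end up as a single line that is not a valid checkpoint; use printf so the newlines are written the same way everywhere. The -monitored-values argument is passed as a base64 string piped through `base64 -d`, which hides from the reader which value is being monitored; show the decoded configuration in plain text instead. The document gives the public key but no signify command for verifying 'Release' against it, and it does not state how the checksums in the manifest are to be compared with downloaded files; add both steps. Minor: "with a the private key" has a stray "a", "All stable release" should be "All stable releases", and the flags mix single and double dashes (`-monitored-values`, `--once`).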