
Verify GPG signature in installation script #1949

Merged
merged 2 commits into from
Nov 22, 2016

Conversation

Daniel15
Member

@Daniel15 Daniel15 commented Nov 19, 2016

Summary
When installing Yarn via the install script, check the integrity of the tarball.

I'm using the same GPG key we use to sign the Debian repo, and have already signed the existing releases. The GPG signature sits alongside the tarball in the GitHub release, as an .asc file.

Test plan
Tested locally with various flags:

./install-latest.sh
./install-latest.sh --nightly
./install-latest.sh --version 0.17.6
daniel@Daniel-PC:/mnt/c/src/yarn/scripts$ ./install-latest.sh --nightly
Installing Yarn!
> Downloading tarball...

[1/2]: https://nightly.yarnpkg.com/latest.tar.gz --> /tmp/tmp.ghxlavTdks
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100 3525k  100 3525k    0     0  1861k      0  0:00:01  0:00:01 --:--:-- 4231k

[2/2]: https://nightly.yarnpkg.com/latest.tar.gz.asc --> /tmp/tmp.ghxlavTdks.asc
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100   801  100   801    0     0   6609      0 --:--:-- --:--:-- --:--:--  6609
> Verifying integrity...
gpg: Signature made Sat 19 Nov 2016 12:37:47 AM STD using RSA key ID FD2497F5
gpg: Good signature from "Yarn Packaging <yarn@dan.cx>"
Primary key fingerprint: 72EC F46A 56B4 AD39 C907  BBB7 1646 B01B 86E5 0310
     Subkey fingerprint: 6A01 0C51 6600 6599 AA17  F081 46C2 130D FD24 97F5
> GPG signature looks good
> Extracting to ~/.yarn...
> Adding to $PATH...
> We've added the following to your /home/daniel/.bashrc
> If this isn't the profile of your current shell then please add the following to your correct profile:

export PATH="$HOME/.yarn/bin:$PATH"

> Successfully installed Yarn 0.18.0-20161118.2135! Please open another terminal where the `yarn` command will now be available.

Closes #1923
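The download-and-verify flow this PR describes (tarball plus a detached `.asc` signature from the GitHub release), as an added example that is not the Yarn project's own `install-latest.sh`: a POSIX shell function that runs `gpg` in `--status-fd` mode and accepts the tarball only if a `VALIDSIG` status line names the expected primary key fingerprint, so a "Good signature" from some other key in the keyring is not enough. The pinned value is the Yarn Packaging primary key fingerprint printed in the test plan output above; the function names `check_status` and `verify_tarball` are hypothetical, the example assumes `gpg` is installed and the signing key has already been imported, and the status lines used to exercise it offline are constructed.

```shell
#!/bin/sh
# Added example, not the Yarn project's install script. Verifies a downloaded
# tarball against its detached .asc signature and pins the expected primary
# key fingerprint, so "Good signature" from an unexpected key is rejected.

# Primary key fingerprint shown in the PR's test plan output, spaces removed.
EXPECTED_PRIMARY_FPR="72ECF46A56B4AD39C907BBB71646B01B86E50310"

# check_status STATUS_TEXT EXPECTED_FPR
# STATUS_TEXT is the machine-readable output of `gpg --status-fd 1`.
# A VALIDSIG line has the form:
#   [GNUPG:] VALIDSIG <sig-key-fpr> <date> <ts> <exp-ts> <ver> <reserved> \
#            <pk-algo> <hash-algo> <sig-class> <primary-key-fpr>
# Returns 0 only if some VALIDSIG line's last field equals EXPECTED_FPR.
check_status() {
  status_text="$1"
  expected="$2"
  printf '%s\n' "$status_text" | awk -v want="$expected" '
    $1 == "[GNUPG:]" && $2 == "VALIDSIG" && $NF == want { found = 1 }
    END { exit(found ? 0 : 1) }'
}

# verify_tarball TARBALL SIGNATURE [EXPECTED_FPR]
# gpg's own exit status already rejects BADSIG and unknown keys; check_status
# additionally rejects "valid signature, but from the wrong key".
verify_tarball() {
  tarball="$1"
  sig="$2"
  expected="${3:-$EXPECTED_PRIMARY_FPR}"
  # Status lines go to stdout (fd 1); human-readable output stays on stderr.
  status_text=$(gpg --status-fd 1 --verify "$sig" "$tarball") || return 1
  check_status "$status_text" "$expected"
}

# Usage (constructed): fetch both files side by side, then verify before
# extracting anything into ~/.yarn.
#   curl -fsSL -o /tmp/yarn.tar.gz     https://nightly.yarnpkg.com/latest.tar.gz
#   curl -fsSL -o /tmp/yarn.tar.gz.asc https://nightly.yarnpkg.com/latest.tar.gz.asc
#   verify_tarball /tmp/yarn.tar.gz /tmp/yarn.tar.gz.asc && echo "GPG signature looks good"
```

Parsing the status lines rather than grepping the human-readable "Good signature from" text is what makes the check robust to locale and to future wording changes, and pinning the primary fingerprint (last `VALIDSIG` field) rather than the subkey means a rotated signing subkey under the same primary key still verifies.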

@wyze
Member

wyze commented Nov 19, 2016

I think some logic got out of place here; this is what happens for me on a fresh Ubuntu VM:

master

$ ./install-latest.sh
Installing Yarn!
> ~/.yarn already exists, possibly from a past Yarn install.
> Remove it (rm -rf ~/.yarn) and run this script again.

gpg-verify

$ ./install-latest.sh
> Yarn is already at the 0.17.6 version.
> Downloading tarball...
[...]
> Verifying integrity...
[...]
> GPG signature looks good
> Extracting to ~/.yarn
mkdir: cannot create directory '.yarn': File exists

@Daniel15
Member Author

@wyze - That's strange, I didn't touch the "~/.yarn already exists" logic 😕

@Daniel15
Member Author

Daniel15 commented Nov 21, 2016

@wyze - I see the same behaviour both with and without this change. It seems like that's a regression that happened elsewhere, not directly related to my changes. Possibly #1928?

@Daniel15
Member Author

Going to merge this since I don't think that issue is directly related; it might have broken with a different PR.

@Daniel15 Daniel15 merged commit 47ffc52 into yarnpkg:master Nov 22, 2016
@Daniel15 Daniel15 deleted the gpg-verify branch November 22, 2016 06:33