great, mine match yours as well again iDunk.

I hope we can move to a system where we can really pin down everything at some point in time.

eh/ so I need to rebuild once more?

I did `sha256sum *` in the out folder, I did not find where the `monero-*-0.15-res.yml` files are.

but the hashes seem to match

any plans for a dockerized build environment?

okay, found it: paste.debian.net/hidden/e8407c35

Today's research meeting in #monero-research-lab will be at 17:00 UTC (not 18:00 UTC), which is about two hours from now

selsta the sigs generation fixes did not make it into the release, so the result files manually need to be copied to the sigs.

Meeting in #monero-research-lab will start in about 5 minutes or so

Can you send me a signed message with the hashes you got at binaryfate⊙go?

iDunk, scoobybejesus, TheCharlatan, hyc ^ (and anyone else!)

Are you familiar with github.com/monero-project/gitian.sigs ?

I’m not so I sent bF the my signed hashes + my binaries

but maybe we should use the gitian sigs process

iDunk: does it matter if my .yml hashes don’t match?

No, it just means the contents of our caches differ.

I'll have a look, as long as I can check sigs I'm happy :) Will wait couple of days to do together with GUI release anyway

as long as the binaries' hashes match that's really all we care about. but I see differences in base ubuntu pkg revisions too

the .yml file is an inventory of all installed packages, plus the locally built dependencies

the only way for them to all match is if we all start from scratch on the same day, a day when there are no ubuntu updates being released

:)

hm, my build has gcc 7.5

I PRed my asserts, you can check them for differences.

iDunk are the hashes posted on reddit your latest?

my build matches yours, doesn't match the other 2

No, I don't think they were updated on Reddit.

bah.

ok I'm going to blow away my cache tree and start again

oh hm I already did that :P just noticed the output on the terminal now

Build and forget :)

yes I’ll update Reddit and PR assets later

my new build matches your latest paste.debian.net/1134534

.yml files are still different, that was still reusing my cache tree

Yeah, I deleted old stuff after my first build with gcc 7.5.0 and rebuilt.

binaryFate do you still want a signed email, instead of the gitian sigs?

seems to me we should just go with gitian...

Same here.

PR'd to sig repo

Hey, guys might it be possible that monerod cant run stable on 2gb ram without the swap activated?Im running my monerod on 4gb ram machine that is always in sync for some days but then it suddenly stopsWith memory allocation failedShould be a ram problem,right?

mine is currently using 3GB of RAM

has been up 82 days

Ah ok. So it's the ram...

Just wanted to be sure.

4gb for a pool software and monerod is probably not enough

Should I see .assert and .assert.sig in sigs/v0.15.0.5-linux/scoobybejesus/ ? I only have .assert files. Perhaps I need to have a PGP key linked to my GH user or something? .. cuz I don't have one.

you need to have a PGP key, certainly

and for your signed commits to mean anything, yes, you have to attach the key to your github account

Makes sense. Maybe I'll do that. Thanks!

mooo did not link his key to his github account so that people verify themselves :P

And commit your gpg key to the repo(s) if you haven't already.

anyway, the .sig files aren't created for you, you have to run gpg yourself to create them. that step is in the gitian/README.md

hyc: your commit signatures still use SHA1 algo digest. I had to mod my gpg.conf after mooo's heads up and now my sigs use SHA512.

iDunk: what GPG version are you using?

what git*

doh

gpg 1.4.20, git 2.7.4 in Ubuntu 16.04.

There's also gpg 2.1.11 installed, but I always used gpg instead of gpg2.

I think recent git uses sha512 by default

iDunk so are the .sig files in my PR OK or should I re-sign the asserts?

<hyc> binaryFate do you still want a signed email, instead of the gitian sigs? <--- no gitian sigs are perfect thanks

hyc: Up to you. moneromooo, what do you think ?

Add "personal-digest-preferences SHA256" to gpg.conf

256 or 512?

Not a blocker for me since more people are confirming anyway

ok

You can add several.

Either is fine, both 256 and 512 are SHA2

I can regenerate the commit and force-push if necessary

no need as far as I'm concerned

ok

hm, I set that in gpg.conf but when I rerun the command to sign the assert file it still used SHA1

if I explicitly run with --digest-algo then it will use the algo I chose

Hmm, it worked here. I checked my commit and it used digest algo 10 (SHA512) instead of algo 2 (SHA1). I didn't do anything to my .gitconfig file.

strange

I haen't actually tried a new git commit yet. I'm just talking about manually signing a .assert file

Maybe gpg caches stuff like it caches the password for a brief while. Maybe try in a new terminal.

How much work is it to resign ? If it's "rebuild it all" I would not bother as long as the gitian hashes match iDunk's.

I was thinking I would just recreate the *.sig files and push a new commit

It's a separate gpg command (or five).

now that I’ve went through the whole reproducible builds process, it’s a really nice system :D

Then might as well re-sign.

yes, now that a number of us have bled over it, the process works pretty well

using --personal-digest-preferences explicitly on the commandline is also ignored

the result uses SHA1

gpg 2.2.12

Updating git was enough for at least one person.

grumble grumble

this is ubuntu 19.10, I don't see a newer git in its pkg repo

I have 2.21.1, which can sign with SHA256.

this is 2.20.1

hm

I don't know the threshold though.

I can't even get git to show me the signature algorithm. it just says it's a valid sig.

stupid git

I worked out how to do this, let me see if I can find it again

git log --show-signature --format=raw -1

I remember your walkthrough mooo, should be in the logs.

Copy the sig

gpg --verify -vvv sigfile

gpg --verbose -v -v -v --verify

Then paste the stuff starting with "-----BEGIN PGP SIGNATURE-----" which you get with:

git log --show-signature --format=raw

You'll see a line with: digest algo 2,

ok

2 is SHA1. 8 is SHA256.

yeah says algo 2

mine is also algo 8 without any config settings, gpg (GnuPG) 2.2.19, git version 2.25.1

what OS distro is that?

mac

TheCharlatan: looks like your gpg keys expired in October.

i guess I can self-build them. bleah

It's up-to-date, maybe I uploaded an old pubkey. You can get it up-to-date from some key servers.

If I set digest-algo in gpg.conf it uses that. so it's just ignoring the personal-pref thing

It's the key that's in gitian-pubkeys.

I'll update it in a separate pr.

The one in monero/utils/gpg_keys looks good.

thanks for checking :)