[QA] beta5: *.tar.xz.asc *.pkg.sig files are missing

[jnweiger]

According to

• checklist https://github.com/owncloud/client/blob/master/.github/patch_release_template.md line 18

A signature file (*.asc) should be next to the source tar.xz file. https://download.owncloud.com/desktop/ownCloud/testing/2.7.0.2141-v270beta5/source/

[jnweiger]

The release ticket #7966 and template has a dead link: https://github.com/owncloud/enterprise/wiki/Desktop-Signing-Knowledge
The wiki got removed :-(

[jnweiger]

Previously -- when all was in one huge testing folder -- we had these files:

~/bin/mc ls $testing | grep 2020-01-28 | grep -v 13406
[2020-01-28 16:33:44 CET]   20MiB ownCloud-2.6.1.13096.pkg
[2020-01-28 16:33:16 CET]     65B ownCloud-2.6.1.13096.pkg.sig
[2020-01-28 16:33:45 CET]   20MiB ownCloud-2.6.1.13096.pkg.tbz
[2020-01-28 16:33:16 CET]     65B ownCloud-2.6.1.13096.pkg.tbz.sig
[2020-01-28 17:20:31 CET]   25MiB ownCloud-2.6.1.13407.13049.GPO.msi
[2020-01-28 17:20:31 CET]   26MiB ownCloud-2.6.1.13407.13049.msi
[2020-01-28 16:33:43 CET]   18MiB ownCloud-osx10.11-2.6.1.13096.pkg
[2020-01-28 16:33:17 CET]     65B ownCloud-osx10.11-2.6.1.13096.pkg.sig
[2020-01-28 16:33:45 CET]   18MiB ownCloud-osx10.11-2.6.1.13096.pkg.tbz
[2020-01-28 16:33:17 CET]     65B ownCloud-osx10.11-2.6.1.13096.pkg.tbz.sig
[2020-01-28 16:07:45 CET]  1.2KiB owncloud-client-2.6.1.2071.linux-repo.html
[2020-01-28 15:58:01 CET]   16MiB owncloudclient-2.6.1.13407.tar.xz
[2020-01-28 15:58:01 CET]    833B owncloudclient-2.6.1.13407.tar.xz.asc

@dschmidt is that missing in the upload script

[jnweiger]

@dschmidt RC1 also misses the asc file in the source folder.

[michaelstingl]

.pkg.sig shouldn’t be needed. Mac updater only needs the .pkg.tbz.sig

[dschmidt]

.pkg.sig shouldn’t be needed. Mac updater only needs the .pkg.tbz.sig

Yeah, I think that's why they were removed. Need to check tarball .asc.

[TheOneRing]

the the above answer

[jnweiger]

Rechecked with rc3, not fixed. the asc file is missing in the source folder, pkg.tbz.sig is missing in the mac folder:
https://download.owncloud.com/desktop/ownCloud/testing/2.7.0-rc3.2413/source/

Screenshot from 2020-11-10 17-44-11

[TheOneRing]

@dschmidt

[jnweiger]

With @dschmidt's fixes, signatures start to appear:

• https://download.owncloud.com/desktop/ownCloud/daily/2.7/mac/?sort=time&order=desc now has

  • owncloudclient-2.7.1-daily20201117.2485.pkg
  • owncloudclient-2.7.1-daily20201117.2485.tbz.sig
    (but no owncloudclient-2.7.1-daily20201117.2485.tbz and no owncloudclient-2.7.1-daily20201117.2485.pkg.sig)

• https://download.owncloud.com/desktop/ownCloud/daily/2.7/source/?sort=time&order=desc
  is still at owncloudclient-2.7.1-daily20201116.* (no update tonight)

[jnweiger]

wget https://download.owncloud.com/desktop/ownCloud/testing/2.7.1.2530/source/ownCloud-2.7.1.2530.tar.xz.asc
wget https://download.owncloud.com/desktop/ownCloud/testing/2.7.1.2530/source/ownCloud-2.7.1.2530.tar.xz
gpg --verify ownCloud-2.7.1.2530.tar.xz.asc  ownCloud-2.7.1.2530.tar.xz

gpg: Signature made Wed 18 Nov 2020 12:58:01 PM CET
gpg: using RSA key F05F7DD7953A07DF36579DAA498C45EBE94E7B37
gpg: Good signature from "ownCloud Client Team (Signing Key) [email protected]" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: F05F 7DD7 953A 07DF 3657 9DAA 498C 45EB E94E 7B37

wget https://download.owncloud.com/desktop/ownCloud/testing/2.7.1.2530/mac/ownCloud-2.7.1.2530.pkg.tbz.sig
wget https://download.owncloud.com/desktop/ownCloud/testing/2.7.1.2530/mac/ownCloud-2.7.1.2530.pkg.tbz
gpg --verify ownCloud-2.7.1.2530.pkg.tbz.sig ownCloud-2.7.1.2530.pkg.tbz

gpg: no valid OpenPGP data found.
gpg: the signature could not be verified.
Please remember that the signature file (.sig or .asc)
should be the first file given on the command line.

I am okay with the warning on the .asc signature as long as it is GOOD.

@dschmidt the macos .sig file is a diferent beast, is it?

[dschmidt]

Yeah, it is an openssl signature ...
The public key is here https://github.com/owncloud/client/blob/master/admin/osx/sparkle/dsa_pub.pem

[dschmidt]

wget https://download.owncloud.com/desktop/ownCloud/testing/2.7.1.2530/mac/ownCloud-2.7.1.2530.pkg.tbz.sig          
wget https://download.owncloud.com/desktop/ownCloud/testing/2.7.1.2530/mac/ownCloud-2.7.1.2530.pkg.tbz
wget https://raw.githubusercontent.com/owncloud/client/master/admin/osx/sparkle/dsa_pub.pem 
wget https://raw.githubusercontent.com/owncloud/client/master/admin/osx/sparkle/sign_verify.sh

chmod +x sign_verify.sh
./sign_verify.sh dsa_pub.pem ownCloud-2.7.1.2530.pkg.tbz "$(cat ownCloud-2.7.1.2530.pkg.tbz.sig)"

->

Verified OK

edit:
simplified after adding the sign_verify.sh to master.

[jnweiger]

Thanks you!