Commit 1a5b6025 authored by anonym

Release process: fixup the reproducible release process.

Actually, we had made a point about "a compromised RM system can block
arbitrary outgoing communication (e.g. email) so it cannot be trusted
to initiate a check" so the check should not be initialized by the RM.

Will-fix: #12629
parent 748f385d
......@@ -58,22 +58,28 @@ In a directory with many Tails ISO images:
# Reproducibility
This section is done by the RM.
## For the RM
When you sent the release schedule you asked for someone to reproduce
this Tails release. Adjust the "variables" (prefixed with `$$`) and
`XXX...` placeholders below, and send this as a signed email to
this person.
Substitute the "variables" (prefixed with `$$`, e.g. your would
replace `$$TAG` with `3.0-rc1` if we are testing 3.0~rc1) and
`XXX...` placeholders in the next section.
<div class="note">
It is important that you do not plug your OpenPGP smart card after
sending this email! If you have to, notify the person that s/he has to
start from the beginning if s/he has already started with the steps in
the email.
Beware! If your have to plug your OpenPGP smart card again after
having done the above substitution, it invalidates *everything* that
has been done for this test so far, so it has to be started completely
from the beginning.
## For anyone _but_ the RM
Find the "Trusted Reproducer" for this Tails release in the
[[contribute/calendar]]. and send this as
a signed email to this person.
Hi, Trusted Reproducer!
You signed up for reproducing Tails $$VERSION. The deadline for doing so
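Review bot: The "For anyone _but_ the RM" section does not say who is responsible for sending the email or by when, so with the RM excluded nobody is clearly assigned to initiate the check; name a role (and a fallback) and tie it to a point in the release schedule. In the same hunk, "e.g. your would replace" and "If your have to plug" should read "you", the stray period in "[[contribute/calendar]]. and send this as" should go, and the `<div class="note">` needs a matching `</div>` after the "Beware!" paragraph if the file does not already have one there.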
......@@ -83,10 +89,11 @@ the email.
* You need this in your environment:
* And these, that you have to figure out yourself what to set to:
......@@ -115,16 +122,21 @@ the email.
Please `cd` to your Tails Git repo, and run:
git fetch && \
git checkout $TAG
Make sure the current commit is:
git checkout "${TAG_COMMIT:?}" && \
if [ "$(git describe --tags --exact-match)" = "${TAG:?}" ]; then
git tag -v "${TAG}"
echo 'TAG_COMMIT and TAG does not match!'
* If the last output is a "Good signature" for the expected tag, made by
Tails signing key, then we are good.
If not, immediately contact me! Proceeding with the rest of the steps
are pointless in this case, so await my instruction.
* Otherwise, if you see _anything_ else, we're _not_ good; immediately
contact the RM and tails@! Proceeding with the rest of the steps
are pointless in this case, so await instruction.
If the commit id checks out, let's build Tails!
Next, let's build Tails!
export SOURCE_DATE_EPOCH=$(date --utc --date="$(dpkg-parsechangelog --show-field=Date)" '+%s') && \
rake build && \
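Review bot: The check after `git tag -v "${TAG}"` relies on the reproducer reading the output, and gpg prints "Good signature" for any key present in their keyring, so "made by Tails signing key" is not enforced by the command itself; have the email state the expected signing key fingerprint (as one of the `XXX...` placeholders the sender fills in) and tell the reproducer to compare it against what `git tag -v` reports. The mismatch branch only prints `echo 'TAG_COMMIT and TAG does not match!'`, which is easy to overlook once later commands produce output; send it to stderr and make the snippet stop there, and confirm the `else` and `fi` lines are present in the file, since they do not appear between `git tag -v` and the `echo` here. Wording: "does not match" should be "do not match", and "Proceeding with the rest of the steps are pointless" should be "is pointless".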
......@@ -136,7 +148,7 @@ the email.
Now we'll start verifying stuff. If there is *any* type of mismatch at some
point, let me and tails@ know *immediately*!
point, let the RM and tails@ know *immediately*!
Compute the SHA-512 hashes of your products with: