Merge pull request #432 from HathorNetwork/dev

Release v0.27.0

.envrc

@@ -0,0 +1,7 @@
+if [[ $(type -t use_flake) != function ]]; then
+  echo "ERROR: use_flake function missing."
+  echo "Please update direnv to v2.30.0 or later."
+  exit 1
+fi
+
+use flake

.github/dependabot.yml

@@ -0,0 +1,9 @@
+version: 2
+updates:
+  - package-ecosystem: "npm"
+    directory: /
+    schedule:
+        interval: "weekly"
+    target-branch: "dev"
+    labels:
+      - "dependencies"

.github/workflows/e2e.yml

@@ -1,15 +1,15 @@
 name: End-to-end tests
-on:
-  push:
-    branches:
-      - master
-      - dev
-    tags:
-      - v*
-  pull_request:
-    branches:
-      - dev
-      - master
+# on:
+#   push:
+#     branches:
+#       - master
+#       - dev
+#     tags:
+#       - v*
+#   pull_request:
+#     branches:
+#       - dev
+#       - master
 jobs:
   cypress-run:
     runs-on: ubuntu-20.04
@@ -18,15 +18,18 @@ jobs:
         node-version: [14.x]
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        # https://github.com/actions/checkout/releases/tag/v4.0.0
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac
       - name: Setup nodejs
-        uses: actions/setup-node@v2
+        # https://github.com/actions/setup-node/releases/tag/v3.8.1
+        uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d
         with:
           node-version: ${{ matrix.node-version }}
       # Install NPM dependencies, cache them correctly
       # and run all Cypress tests
       - name: Cypress run
-        uses: cypress-io/github-action@v5
+        # https://github.com/cypress-io/github-action/releases/tag/v6.5.0
+        uses: cypress-io/github-action@59810ebfa5a5ac6fcfdcfdf036d1cd4d083a88f2
         with:
           start: npm start
           wait-on: 'http://localhost:3000'

.github/workflows/main.yml

@@ -18,9 +18,11 @@ jobs:
       matrix:
         node-version: [14.x]
     steps:
-    - uses: actions/checkout@v2
+      # https://github.com/actions/checkout/releases/tag/v4.0.0
+    - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac
     - name: Use Node.js ${{ matrix.node-version }}
-      uses: actions/setup-node@v1
+      # https://github.com/actions/setup-node/releases/tag/v3.8.1
+      uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d
       with:
         node-version: ${{ matrix.node-version }}
     - name: Install dependencies
@@ -38,7 +40,8 @@ jobs:
     - name: Unit tests
       run: npm run test -- --coverage
     - name: Upload coverage
-      uses: codecov/codecov-action@v3
+      # https://github.com/codecov/codecov-action/releases/tag/v3.1.4
+      uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d
     - name: Start
       run: npm start & npx wait-on http://localhost:3000
       env:

.gitignore

@@ -34,6 +34,8 @@ npm-debug.log*
 yarn-debug.log*
 yarn-error.log*
 
+# flake
+.direnv/
 
 *.swp
 *.swo

README.md

@@ -10,14 +10,6 @@ The wallet is developed using Javascript with [React](https://reactjs.org/). We
 
 You can download the newest version of the wallet for each specific platform from the [Releases page](https://github.com/HathorNetwork/hathor-wallet/releases).
 
-### Warning Message for Windows:
-
-We are finishing the process of acquiring the certificates for Windows. While we don't get it you may see a warning message when opening the wallet.
-
-![Warning Windows](https://drive.google.com/thumbnail?id=1B5kLAXUMj4wmrRfmVtiQyoNe6Q7r8s_h&sz=w500-h375)
-
-This screen will show a warning, so you need to click on 'More info'. Another screen will appear, then just click the button 'Run anyway' to start the wallet.
-
 ## Screenshots
 
 The basic view of the wallet.  Note that different types of tokens are made possible in the Hathor Network.  On the left hand side we see both a HTR tab and a MTK tab, for the Hathor token, and a different, ERC-20 like, token.   
@@ -173,6 +165,12 @@ Run `msgmerge pt-br/texts.po texts.pot -o pt-br/texts.po` to merge a pot file wi
 
 Finally, run `make i18n` to compile all po files to json files. You can use `make check_po` to check for problems in translations.
 
+## Release
+
+There is a release guide in [RELEASE.md](/RELEASE.md).
+
+We ship GPG signatures for all release packages. Check our guide in [RELEASING.md#signature-verification](/RELEASING.md#signature-verification) to learn how to verify them.
+
 ## License
 
 Code released under [the MIT license](https://github.com/HathorNetwork/hathor-wallet/blob/dev/LICENSE).

RELEASING.md

@@ -12,4 +12,114 @@ Create a git tag and a new release on GitHub.
 
 # Publishing the new App
 
-## TODO
+In case this is a Hathor release, make sure you also read our internal guide in https://github.com/HathorNetwork/ops-tools/blob/master/docs/release-guides/hathor-wallet.md
+
+1. Run the `release.sh` script, which will clean the environment and build the app for all platforms. The files go to the `dist` folder after the script finishes running. You should get 4 of them: `.AppImage`, `.deb`, `.dmg` and `.exe`.
+
+1. Generate and concatenate the sha256sum for all 4 files with the following command:
+
+```
+for file in *.AppImage *.deb *.dmg *.exe; do sha256sum "$file" >> SHA256SUMS; done
+```
+
+This will generate a SHA256SUMS file containing all hashes, one per line.
+
+1. Sign the SHA256SUMS file with your GPG key:
+
+```
+gpg --armor --output SHA256SUMS.asc --detach-sig SHA256SUMS
+```
+
+This will generate a SHA256SUMS.asc file containing the signature.
+
+1. Optionally, you can ask other signers to follow the same procedure and concatenate their signatures to the SHA256SUMS.asc file. This way we will have more than one person attesting the files.
+
+1. Upload the 4 package files, the SHA256SUMS and the SHA256SUMS.asc to the new GitHub release.
+
+# Signature verification
+
+To verify the signature of one of our packages, you should download it together with the SHA256SUMS and SHA256SUMS.asc files from the same release. The latest release can be found in https://github.com/HathorNetwork/hathor-wallet/releases/latest.
+
+Then, you should verify the SHA256SUMS file with:
+
+```
+sha256sum --ignore-missing --check SHA256SUMS
+```
+
+In the output produced by the above command, you can safely ignore any warnings and failures, but you must ensure the output lists "OK" after the name of the release file you downloaded. For example: `hathor-wallet_0.26.0_amd64.deb: OK`
+
+You'll need to import the public GPG key of our signers to verify the signature. Check [Our public keys](#our-public-keys) to see how to add them to your keyring.
+
+Finally, verify the signature of the SHA256SUMS file with:
+
+```
+gpg --verify SHA256SUMS.asc SHA256SUMS
+```
+
+Ideally, you'll see something like:
+
+```
+gpg: Signature made Fri 09 Oct 2015 05:41:55 PM CEST using RSA key ID 4F25E3B6
+gpg: Good signature from "John Paul (dist sig)" [full]
+```
+
+Which indicates that the signature is valid.
+
+If you didn't import the public keys of our signers, you'll get an error like this:
+
+```
+gpg: Can't check signature: No public key
+```
+
+If you did import the public keys, you may still get a warning like this:
+
+```
+gpg: WARNING: This key is not certified with a trusted signature!
+gpg:          There is no indication that the signature belongs to the owner.
+```
+
+This means you have a copy of the key and the signature is valid, but either you have not marked the key as trusted or the key is a forgery. In this case, at the very least, you should compare the fingerprints for the signatures in [Our public keys](#our-public-keys) with the fingerprints of the keys you have in your keyring. If they match, you can mark the keys as trusted with:
+
+```
+gpg --edit-key <key-id>
+$ trust
+```
+
+## Our public keys
+
+Current releases are signed by one or more of the keys in [./gpg-keys](./gpg-keys). You should download them all and import them with: 
+
+```
+gpg --import *.pgp
+```
+
+After doing so, you can get their fingerprints by listing all your keys:
+
+```
+gpg --list-keys
+```
+
+Compare the fingerprints with our list below to make sure the keys you have are legit.
+
+You can optionally mark the keys as trusted with:
+
+```
+gpg --edit-key <key-id>
+$ trust
+```
+
+Then choose the trust level you want to give to the key.
+
+WARNING: Make sure there are no recent commits altering the existing keys in [./gpg-keys](./gpg-keys) or the fingerprint list below. We will not change them often. If there are, you should check the commit history to make sure the commits are signed themselves by someone from Hathor Labs. If you are not sure, please contact us.
+
+These are the fingerprints of the keys we currently have in the repository:
+
+```
+```
+
+# Adding your GPG key to the repository
+
+If you want to sign the releases, you should add your GPG key to the repository. To do so, you should open a PR that:
+
+1. Adds your public key to the [./gpg-keys](./gpg-keys) folder.
+1. Adds your fingerprint to the list in [Our public keys](#our-public-keys).

flake.nix

@@ -0,0 +1,24 @@
+{
+  description = "virtual environments";
+
+  inputs.devshell.url = "github:numtide/devshell";
+  inputs.flake-utils.url = "github:numtide/flake-utils";
+
+  outputs = { self, flake-utils, devshell, nixpkgs }:
+
+    flake-utils.lib.eachDefaultSystem (system: {
+      devShell =
+        let pkgs = import nixpkgs {
+          inherit system;
+
+          overlays = [ devshell.overlay ];
+        };
+        in
+        pkgs.devshell.mkShell {
+          packages = with pkgs; [
+            nixpkgs-fmt
+            nodejs-14_x
+          ];
+        };
+    });
+}