Attestation Service Release Process
Details of the release process for updating the attestation service on the Celo platform.
This release process is currently in use.
Versioning
Releases of Attestation Service are made as needed. Releases are numbered according to semantic versioning, as described at semver.org.
Development builds should be identified with -dev, and only one commit should exist with a released version x.y.z for any (x, y, z).
Documentation
Documentation is maintained in the celo-org/docs repo and is hosted on docs.celo.org.
Identifying releases
Git branches
Development is done on the master branch, which corresponds to the next major or minor version. Changes to be included in a patch release of an existing minor version are cherry-picked to that existing release branch.
Git tags
Each release should be created on Github and tagged with the version number, e.g. attestation-service-vX.Y.Z. Each release should include a summary of the release contents, including links to pull requests and issues with detailed description of any notable changes.
Tags should be signed and can be verified with the following command.
git verify-tag attestation-service-vX.Y.Z
On Github, each release tag should have attached signatures that can be used to verify the Docker images.
Docker tags
Each Docker image is tagged with attestation-service-<commithash>. Just as a Git tag immutably points to a commit hash, the Docker tag should immutably point to an image hash.
In addition, each Docker image corresponding to a released version should be tagged with attestation-service-vX.Y.Z.
The latest image qualified for deployment to various networks are also tagged as follows:
- Alfajores:
attestation-service-alfajores - Baklava:
attestation-service-baklava - Mainnet:
attestation-service-mainnet
Signatures
Artifacts produced by this build process (e.g. tags, Docker images) will be signed by a core developer key.
Public keys for core developers are hosted on celo.org and can be imported to gpg with the following command:
gpg --auto-key-locate wkd --locate-keys $EMAIL
Currently hosted core developer keys used for Attestation Service releases include:
Build process
Docker images
Docker images are built automatically with Google Cloud Build upon pushes to master and all release branches. Automated builds will be tagged in Google Artifact Registry with the corresponding commit hash.
A signature should be produced over the image automatically built at the corresponding commit hash and included with the Github release.
Release image signatures can be verified with the following command:
docker save $(docker image inspect us.gcr.io/celo-testnet/celo-monorepo:attestation-service-vX.Y.Z -f '{{ .Id }}') | gpg --verify attestation-service-vX.Y.Z.docker.asc -
Testing
As well as monorepo CI tests, all releases are expected to go through manual testing as needed to verify security properties, accuracy of documentation, and compatibility with deployed and anticipated versions of celocli and wallets including Valora. Releases currently involve coordinating with Valora to run the verification e2e tests in CI.
Promotion process
Source control
Patch releases should be constructed by cherry-picking all included commits from master to the release/attestation-service/x.y branch, if necessary created from the attestation-service-vX.Y.Z tag of the most recent major or minor release. The first commit of this process should change the version number encoded in the source from x.y.z to x.y.z+1-dev and the final commit should change the version number to x.y.z+1.
Major and minor releases should be constructed by pushing a commit to the master branch to change the encoded version number from x.y.z-dev to x.y.z. A attestation-service-vX.Y.Z tag should be created at this commit which uniquely references one commit; release notes should be published alongside this. The next commit should change the version number from x.y.z to x.y+1.0-dev, or x+1.0.0-dev if the next planned release is a major release.
Distribution
Distribution of an image follows this schedule:
| Date | Action |
| T-1w |
|
| T |
|
| T+1w onwards |
|
Emergency Patches
Bugs which affect the security, stability, or core functionality of the Celo identity protocol or prevent new users onboarding to wallets including Valora may need to be released outside the standard release cycle. In this case, an emergency patch release should be created on top of all supported minor releases which contains the minimal change and corresponding test for the fix.
If the issue is not exploitable, release notes should describe the issue in detail and the image should be distributed publicly.
If the issue is exploitable and mitigations are not readily available, a patch should be prepared privately and signed binaries should be distributed from private commits. Establishing trust is key to pushing out the fix. An audit from a reputable third party may be contracted to verify the release to help earn that trust.
Vulnerability Disclosure
Vulnerabilities in Attestation Service releases should be disclosed according to the security policy.