Merge pull request #943 from meejah/3570.developers-signatures

3570.developers signatures

docs/INSTALL.rst

@@ -173,7 +173,9 @@ from PyPI with ``venv/bin/pip install tahoe-lafs``. After installation, run
 Install From a Source Tarball
 -----------------------------
 
-You can also install directly from the source tarball URL::
+You can also install directly from the source tarball URL. To verify
+signatures, first see verifying_signatures_ and replace the URL in the
+following instructions with the local filename.
 
  % virtualenv venv
  New python executable in ~/venv/bin/python2.7
@@ -189,6 +191,40 @@ You can also install directly from the source tarball URL::
  tahoe-lafs: 1.14.0
  ...
 
+.. _verifying_signatures:
+
+Verifying Signatures
+--------------------
+
+First download the source tarball and then any signatures. There are several
+developers who are able to produce signatures for a release. A release may
+have multiple signatures. All should be valid and you should confirm at least
+one of them (ideally, confirm all).
+
+This statement, signed by the existing Tahoe release-signing key, attests to
+those developers authorized to sign a Tahoe release:
+
+.. include:: developer-release-signatures
+   :code:
+
+Signatures are made available beside the release. So for example, a release
+like ``https://tahoe-lafs.org/downloads/tahoe-lafs-1.16.0.tar.bz2`` might
+have signatures ``tahoe-lafs-1.16.0.tar.bz2.meejah.asc`` and
+``tahoe-lafs-1.16.0.tar.bz2.warner.asc``.
+
+To verify the signatures using GnuPG::
+
+  % gpg --verify tahoe-lafs-1.16.0.tar.bz2.meejah.asc tahoe-lafs-1.16.0.tar.bz2
+  gpg: Signature made XXX
+  gpg:                using RSA key 9D5A2BD5688ECB889DEBCD3FC2602803128069A7
+  gpg: Good signature from "meejah <meejah@meejah.ca>" [full]
+  % gpg --verify tahoe-lafs-1.16.0.tar.bz2.warner.asc tahoe-lafs-1.16.0.tar.bz2
+  gpg: Signature made XXX
+  gpg:                using RSA key 967EFE06699872411A77DF36D43B4C9C73225AAF
+  gpg: Good signature from "Brian Warner <warner@lothar.com>" [full]
+
+
+
 Extras
 ------
 

docs/developer-release-signatures

@@ -0,0 +1,42 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+
+January 20, 2021
+
+Any of the following core Tahoe contributers may sign a release. Each
+release MUST be signed by at least one developer but MAY have
+additional signatures. Each developer independently produces a
+signature which is made available beside Tahoe releases after 1.15.0
+
+This statement is signed by the existing Tahoe release key. Any future
+such statements may be signed by it OR by any two developers (for
+example, to add or remove developers from the list).
+
+meejah
+0xC2602803128069A7
+9D5A 2BD5 688E CB88 9DEB CD3F C260 2803 1280 69A7
+https://meejah.ca/meejah.asc
+
+jean-paul calderone (exarkun)
+0xE27B085EDEAA4B1B
+96B9 C5DA B2EA 9EB6 7941 9DB7 E27B 085E DEAA 4B1B
+https://twistedmatrix.com/~exarkun/E27B085EDEAA4B1B.asc
+
+brian warner (lothar)
+0x863333C265497810
+5810 F125 7F8C F753 7753  895A 8633 33C2 6549 7810
+https://www.lothar.com/warner-gpg.html
+
+
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAEBCgAdFiEE405i0G0Oac/KQXn/veDTHWhmanoFAmAHIyIACgkQveDTHWhm
+anqhqQf/YSbMXL+gwFhAZsjX39EVlbr/Ik7WPPkJW7v1oHybTnwFpFIc52COU1x/
+sqRfk4OyYtz9IBgOPXoWgXu9R4qdK6vYKxEsekcGT9C5l0OyDz8YWXEWgbGK5mvI
+aEub9WucD8r2uOQnnW6DtznFuEpvOjtf/+2BU767+bvLsbViW88ocbuLfCqLdOgD
+WZT9j3M+Y2Dc56DAJzP/4fkrUSVIofZStYp5u9HBjburgcYIp0g/cyc4xXRoi6Mp
+lFTRFv3MIjmoamzSQseoIgP6fi8QRqPrffPrsyqAp+06mJnPhxxFqxtO/ZErmpSa
++BGrLBxdWa8IF9U1A4Fs5nuAzAKMEg==
+=E9J+
+-----END PGP SIGNATURE-----

docs/release-checklist.rst

@@ -137,6 +137,12 @@ Did anyone contribute a hack since the last release? If so, then
 https://tahoe-lafs.org/hacktahoelafs/ needs to be updated.
 
 
+Sign Git Tag
+````````````
+
+- git tag -s -u 0xE34E62D06D0E69CFCA4179FFBDE0D31D68666A7A -m "release Tahoe-LAFS-X.Y.Z" tahoe-lafs-X.Y.Z
+
+
 Upload Artifacts
 ````````````````