From b0cb50b8973be87b0af3ba553f8cfb530c2b8b90 Mon Sep 17 00:00:00 2001 From: meejah Date: Sun, 20 Dec 2020 19:09:34 -0700 Subject: [PATCH 01/15] write verification instructions, and developer statement --- docs/INSTALL.rst | 37 ++++++++++++++++++++++++++++++- docs/developer-release-signatures | 25 +++++++++++++++++++++ 2 files changed, 61 insertions(+), 1 deletion(-) create mode 100644 docs/developer-release-signatures diff --git a/docs/INSTALL.rst b/docs/INSTALL.rst index 3a724b790..568869407 100644 --- a/docs/INSTALL.rst +++ b/docs/INSTALL.rst @@ -173,7 +173,9 @@ from PyPI with ``venv/bin/pip install tahoe-lafs``. After installation, run Install From a Source Tarball ----------------------------- -You can also install directly from the source tarball URL:: +You can also install directly from the source tarball URL. To verify +signatures, first see verifying_signatures_ and replace the URL in the +following instructions with the local filename. % virtualenv venv New python executable in ~/venv/bin/python2.7 
@@ -189,6 +191,39 @@ You can also install directly from the source tarball URL:: tahoe-lafs: 1.14.0 ... +.. _verifying_signatures: + +Verifying Signatures +-------------------- + +First download the source tarball and then any signatures. There are several +developers who are expected to produce signatures for a release. *At least +two signatures should be verified*. + +This statement, signed by the existing Tahoe release-signing key, attests to +those developers authorized to sign a Tahoe release: + +.. include:: developer-release-signatures + :code: + +Signatures are made available beside the release. So for example, a release +like ``https://tahoe-lafs.org/downloads/tahoe-lafs-1.16.0.tar.bz2`` might +have signatures ``tahoe-lafs-1.16.0.tar.bz2.meejah.asc`` and +``tahoe-lafs-1.16.0.tar.bz2.warner.asc``. + +To verify the signatures using GnuPG:: + + % gpg --verify tahoe-lafs-1.16.0.tar.bz2.meejah.asc tahoe-lafs-1.16.0.tar.bz2 + gpg: Signature made XXX + gpg: using RSA key 9D5A2BD5688ECB889DEBCD3FC2602803128069A7 + gpg: Good signature from "meejah " [full] + % gpg --verify tahoe-lafs-1.16.0.tar.bz2.warner.asc tahoe-lafs-1.16.0.tar.bz2 + gpg: Signature made XXX + gpg: using RSA key 967EFE06699872411A77DF36D43B4C9C73225AAF + gpg: Good signature from "Brian Warner " [full] + + + Extras ------ diff --git a/docs/developer-release-signatures b/docs/developer-release-signatures new file mode 100644 index 000000000..d79d01fab --- /dev/null +++ b/docs/developer-release-signatures 
@@ -0,0 +1,25 @@ +TODO: clear-sign this with the release key + + +Any two of the following core Tahoe contributers may sign a +release. They each independantly produce a signature which are made +available beside Tahoe releases after 1.15.0 + +This statement is signed by the previous Tahoe release key. Any future +such statements may be signed by it OR by any two developers (for +example, to add or remove developers from the list). + +meejah +0xC2602803128069A7 +9D5A 2BD5 688E CB88 9DEB CD3F C260 2803 1280 69A7 +https://meejah.ca/meejah.asc + +jean-paul calderone +0x?? +fingerprint +[url for key] + +brian warner +0xD43B4C9C73225AAF +967E FE06 6998 7241 1A77 DF36 D43B 4C9C 7322 5AAF +http://www.lothar.com/warner-gpg.html \ No newline at end of file From 56337c442103e9b76c9ee7351cfa7260b850cf70 Mon Sep 17 00:00:00 2001 From: meejah Date: Sun, 20 Dec 2020 20:29:00 -0700 Subject: [PATCH 02/15] better words --- docs/INSTALL.rst | 4 ++-- docs/developer-release-signatures | 11 +++++++---- 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/docs/INSTALL.rst b/docs/INSTALL.rst index 568869407..9c67e0ffe 100644 --- a/docs/INSTALL.rst +++ b/docs/INSTALL.rst @@ -197,8 +197,8 @@ Verifying Signatures -------------------- First download the source tarball and then any signatures. There are several -developers who are expected to produce signatures for a release. *At least -two signatures should be verified*. +developers who are able to produce signatures for a release. *At least two +signatures should be found and verified*. This statement, signed by the existing Tahoe release-signing key, attests to those developers authorized to sign a Tahoe release: diff --git a/docs/developer-release-signatures b/docs/developer-release-signatures index d79d01fab..0d916cf6f 100644 --- a/docs/developer-release-signatures +++ b/docs/developer-release-signatures 
@@ -1,9 +1,12 @@ TODO: clear-sign this with the release key +TODO: update jean-paul's information +January 3, 2021 -Any two of the following core Tahoe contributers may sign a -release. They each independantly produce a signature which are made -available beside Tahoe releases after 1.15.0 +Any of the following core Tahoe contributers may sign a release. Each +release should be signed by at least two developers. They each +independantly produce a signature which are made available beside +Tahoe releases after 1.15.0 This statement is signed by the previous Tahoe release key. Any future such statements may be signed by it OR by any two developers (for @@ -22,4 +25,4 @@ fingerprint brian warner 0xD43B4C9C73225AAF 967E FE06 6998 7241 1A77 DF36 D43B 4C9C 7322 5AAF -http://www.lothar.com/warner-gpg.html \ No newline at end of file +http://www.lothar.com/warner-gpg.html From 848fac815b93c57002495b1e9566168db2615364 Mon Sep 17 00:00:00 2001 From: meejah Date: Mon, 4 Jan 2021 14:06:20 -0700 Subject: [PATCH 03/15] spelling --- docs/developer-release-signatures | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/developer-release-signatures b/docs/developer-release-signatures index 0d916cf6f..9f00662f4 100644 --- a/docs/developer-release-signatures +++ b/docs/developer-release-signatures @@ -5,7 +5,7 @@ January 3, 2021 Any of the following core Tahoe contributers may sign a release. Each release should be signed by at least two developers. They each -independantly produce a signature which are made available beside +independently produce a signature which are made available beside Tahoe releases after 1.15.0 This statement is signed by the previous Tahoe release key. Any future From a858d4a7cb9a128cb26f6d692c62e9b7627d5bac Mon Sep 17 00:00:00 2001 From: meejah Date: Mon, 4 Jan 2021 14:15:33 -0700 Subject: [PATCH 04/15] update exarkun's information --- docs/developer-release-signatures | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/docs/developer-release-signatures b/docs/developer-release-signatures index 9f00662f4..b2752e8ca 100644 --- a/docs/developer-release-signatures +++ b/docs/developer-release-signatures @@ -17,9 +17,9 @@ meejah 9D5A 2BD5 688E CB88 9DEB CD3F C260 2803 1280 69A7 https://meejah.ca/meejah.asc -jean-paul calderone -0x?? -fingerprint +jean-paul calderone (exarkun) +0xE27B085EDEAA4B1B +96B9 C5DA B2EA 9EB6 7941 9DB7 E27B 085E DEAA 4B1B [url for key] brian warner From 2a3d01a9cc077af2ffd965978b009544cb899ded Mon Sep 17 00:00:00 2001 From: meejah Date: Mon, 4 Jan 2021 14:22:09 -0700 Subject: [PATCH 05/15] url for exarkun's key --- docs/developer-release-signatures | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/developer-release-signatures b/docs/developer-release-signatures index b2752e8ca..ba2a88dc9 100644 --- a/docs/developer-release-signatures +++ b/docs/developer-release-signatures @@ -20,7 +20,7 @@ https://meejah.ca/meejah.asc jean-paul calderone (exarkun) 0xE27B085EDEAA4B1B 96B9 C5DA B2EA 9EB6 7941 9DB7 E27B 085E DEAA 4B1B -[url for key] +http://pgp.mit.edu/pks/lookup?op=get&search=0xE27B085EDEAA4B1B brian warner 0xD43B4C9C73225AAF From 52c2e292d876606dd00191177080dc552d16d554 Mon Sep 17 00:00:00 2001 From: meejah Date: Mon, 4 Jan 2021 14:31:24 -0700 Subject: [PATCH 06/15] news --- newsfragments/3580.minor | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 newsfragments/3580.minor diff --git a/newsfragments/3580.minor b/newsfragments/3580.minor new file mode 100644 index 000000000..e69de29bb From ed9bc93571e44310dad6f9992012f0af0ac13524 Mon Sep 17 00:00:00 2001 From: meejah Date: Tue, 5 Jan 2021 09:28:42 -0700 Subject: [PATCH 07/15] redundant newsfragment --- newsfragments/2920.minor | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 newsfragments/2920.minor diff --git a/newsfragments/2920.minor b/newsfragments/2920.minor deleted file mode 100644 index e69de29bb..000000000 
From 91de725d93a8810c98679e3cb8647f615064b9c8 Mon Sep 17 00:00:00 2001 From: meejah Date: Tue, 5 Jan 2021 09:29:10 -0700 Subject: [PATCH 08/15] better url for exarkun's key --- docs/developer-release-signatures | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/developer-release-signatures b/docs/developer-release-signatures index ba2a88dc9..5e93e4425 100644 --- a/docs/developer-release-signatures +++ b/docs/developer-release-signatures @@ -20,7 +20,7 @@ https://meejah.ca/meejah.asc jean-paul calderone (exarkun) 0xE27B085EDEAA4B1B 96B9 C5DA B2EA 9EB6 7941 9DB7 E27B 085E DEAA 4B1B -http://pgp.mit.edu/pks/lookup?op=get&search=0xE27B085EDEAA4B1B +https://twistedmatrix.com/~exarkun/E27B085EDEAA4B1B.asc brian warner 0xD43B4C9C73225AAF From a031e6a4b34c986258985410672706101f029d3d Mon Sep 17 00:00:00 2001 From: meejah Date: Tue, 5 Jan 2021 09:33:31 -0700 Subject: [PATCH 09/15] more realistic date, better info --- docs/developer-release-signatures | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/docs/developer-release-signatures b/docs/developer-release-signatures index 5e93e4425..6dd7303fb 100644 --- a/docs/developer-release-signatures +++ b/docs/developer-release-signatures @@ -1,7 +1,5 @@ -TODO: clear-sign this with the release key -TODO: update jean-paul's information -January 3, 2021 +January 8, 2021 Any of the following core Tahoe contributers may sign a release. Each release should be signed by at least two developers. They each From 9957790bb8b163e8e804d399068035c52c7a390a Mon Sep 17 00:00:00 2001 From: meejah Date: Sun, 20 Dec 2020 19:09:34 -0700 Subject: [PATCH 10/15] write verification instructions, and developer statement --- docs/INSTALL.rst | 5 +++-- docs/developer-release-signatures | 2 +- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/docs/INSTALL.rst b/docs/INSTALL.rst index 9c67e0ffe..59d0eb5ea 100644 --- a/docs/INSTALL.rst +++ b/docs/INSTALL.rst 
@@ -197,8 +197,9 @@ Verifying Signatures -------------------- First download the source tarball and then any signatures. There are several -developers who are able to produce signatures for a release. *At least two -signatures should be found and verified*. +developers who are expected to produce signatures for a release. Thus, a +release may have more than one signature. All signatures should be valid and +you should confirm at least one signature. This statement, signed by the existing Tahoe release-signing key, attests to those developers authorized to sign a Tahoe release: diff --git a/docs/developer-release-signatures b/docs/developer-release-signatures index 6dd7303fb..2c9460738 100644 --- a/docs/developer-release-signatures +++ b/docs/developer-release-signatures @@ -23,4 +23,4 @@ https://twistedmatrix.com/~exarkun/E27B085EDEAA4B1B.asc brian warner 0xD43B4C9C73225AAF 967E FE06 6998 7241 1A77 DF36 D43B 4C9C 7322 5AAF -http://www.lothar.com/warner-gpg.html +https://www.lothar.com/warner-gpg.html From 3995c932ef7967a2131c6bc24af28cefef096ad5 Mon Sep 17 00:00:00 2001 From: meejah Date: Sun, 20 Dec 2020 20:29:00 -0700 Subject: [PATCH 11/15] better words --- docs/INSTALL.rst | 6 +++--- newsfragments/2920.minor | 0 2 files changed, 3 insertions(+), 3 deletions(-) create mode 100644 newsfragments/2920.minor diff --git a/docs/INSTALL.rst b/docs/INSTALL.rst index 59d0eb5ea..e47d87bd6 100644 --- a/docs/INSTALL.rst +++ b/docs/INSTALL.rst 
@@ -197,9 +197,9 @@ Verifying Signatures -------------------- First download the source tarball and then any signatures. There are several -developers who are expected to produce signatures for a release. Thus, a -release may have more than one signature. All signatures should be valid and -you should confirm at least one signature. +developers who are able to produce signatures for a release. A release may +have multiple signatures. All should be valid and you should confirm at least +one of them (ideally, confirm all). This statement, signed by the existing Tahoe release-signing key, attests to those developers authorized to sign a Tahoe release: diff --git a/newsfragments/2920.minor b/newsfragments/2920.minor new file mode 100644 index 000000000..e69de29bb From 8c1c682fdd6747d308f0663ab9be3b7b6cdd2be2 Mon Sep 17 00:00:00 2001 From: meejah Date: Tue, 5 Jan 2021 09:28:42 -0700 Subject: [PATCH 12/15] redundant newsfragment --- newsfragments/2920.minor | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 newsfragments/2920.minor diff --git a/newsfragments/2920.minor b/newsfragments/2920.minor deleted file mode 100644 index e69de29bb..000000000 From 8aaf0ee36224b9fb35d800099c0b755c37278c99 Mon Sep 17 00:00:00 2001 From: meejah Date: Tue, 19 Jan 2021 10:23:27 -0700 Subject: [PATCH 13/15] tweak statement --- docs/developer-release-signatures | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/docs/developer-release-signatures b/docs/developer-release-signatures index 2c9460738..8092fb436 100644 --- a/docs/developer-release-signatures +++ b/docs/developer-release-signatures 
@@ -1,12 +1,12 @@ -January 8, 2021 +January 20, 2021 Any of the following core Tahoe contributers may sign a release. Each -release should be signed by at least two developers. They each -independently produce a signature which are made available beside -Tahoe releases after 1.15.0 +release MUST be signed by at least one developer but MAY have +additional signatures. Each developer independently produces a +signature which is made available beside Tahoe releases after 1.15.0 -This statement is signed by the previous Tahoe release key. Any future +This statement is signed by the existing Tahoe release key. Any future such statements may be signed by it OR by any two developers (for example, to add or remove developers from the list). @@ -20,7 +20,7 @@ jean-paul calderone (exarkun) 96B9 C5DA B2EA 9EB6 7941 9DB7 E27B 085E DEAA 4B1B https://twistedmatrix.com/~exarkun/E27B085EDEAA4B1B.asc -brian warner -0xD43B4C9C73225AAF -967E FE06 6998 7241 1A77 DF36 D43B 4C9C 7322 5AAF +brian warner (lothar) +0x863333C265497810 +5810 F125 7F8C F753 7753 895A 8633 33C2 6549 7810 https://www.lothar.com/warner-gpg.html From 407014ec5b51da4e883457bdbae59145be53e1d5 Mon Sep 17 00:00:00 2001 From: meejah Date: Tue, 19 Jan 2021 11:22:18 -0700 Subject: [PATCH 14/15] actually sign statement --- docs/developer-release-signatures | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/docs/developer-release-signatures b/docs/developer-release-signatures index 8092fb436..1b55641d9 100644 --- a/docs/developer-release-signatures +++ b/docs/developer-release-signatures @@ -1,3 +1,6 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + January 20, 2021 
@@ -24,3 +27,16 @@ brian warner (lothar) 0x863333C265497810 5810 F125 7F8C F753 7753 895A 8633 33C2 6549 7810 https://www.lothar.com/warner-gpg.html + + +-----BEGIN PGP SIGNATURE----- + +iQEzBAEBCgAdFiEE405i0G0Oac/KQXn/veDTHWhmanoFAmAHIyIACgkQveDTHWhm +anqhqQf/YSbMXL+gwFhAZsjX39EVlbr/Ik7WPPkJW7v1oHybTnwFpFIc52COU1x/ +sqRfk4OyYtz9IBgOPXoWgXu9R4qdK6vYKxEsekcGT9C5l0OyDz8YWXEWgbGK5mvI +aEub9WucD8r2uOQnnW6DtznFuEpvOjtf/+2BU767+bvLsbViW88ocbuLfCqLdOgD +WZT9j3M+Y2Dc56DAJzP/4fkrUSVIofZStYp5u9HBjburgcYIp0g/cyc4xXRoi6Mp +lFTRFv3MIjmoamzSQseoIgP6fi8QRqPrffPrsyqAp+06mJnPhxxFqxtO/ZErmpSa ++BGrLBxdWa8IF9U1A4Fs5nuAzAKMEg== +=E9J+ +-----END PGP SIGNATURE----- From 781deefcde2a45492c056fa0103ca4306ce5aa46 Mon Sep 17 00:00:00 2001 From: meejah Date: Tue, 19 Jan 2021 11:32:53 -0700 Subject: [PATCH 15/15] command-line to sign a tag with official key --- docs/release-checklist.rst | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/release-checklist.rst b/docs/release-checklist.rst index 18c908a99..fedefee51 100644 --- a/docs/release-checklist.rst +++ b/docs/release-checklist.rst @@ -118,6 +118,12 @@ Did anyone contribute a hack since the last release? If so, then https://tahoe-lafs.org/hacktahoelafs/ needs to be updated. +Sign Git Tag +```````````` + +- git tag -s -u 0xE34E62D06D0E69CFCA4179FFBDE0D31D68666A7A -m "release Tahoe-LAFS-X.Y.Z" tahoe-lafs-X.Y.Z + + Upload Artifacts ````````````````
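Review bot: the `gpg --verify` walkthrough in the INSTALL.rst hunk of PATCH 01 never tells the reader how to obtain the developers' keys or what to compare them against, so the "Good signature from" line proves only that the signature matches some key the reader has imported under that name. Before the two verify commands, add a step that fetches each key from the URL given in the statement and compares the full fingerprint with the statement (for example `gpg --fingerprint 0xC2602803128069A7` must print `9D5A 2BD5 688E CB88 9DEB CD3F C260 2803 1280 69A7`), and say that the `[full]` shown in the sample output appears only after the reader has certified that key locally; otherwise gpg prints a warning that the key is not certified. The `gpg: Signature made XXX` placeholder should be replaced with a realistic date or dropped from the sample.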
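Review bot: the developer-release-signatures hunk of PATCH 01 ships a statement that attests to nothing as written: it opens with `TODO: clear-sign this with the release key` and jean-paul calderone's entry is `0x??`, `fingerprint`, `[url for key]`. Later patches fill these in and PATCH 14 signs the result, but the series should be squashed so that no commit carries an unsigned, incomplete statement that INSTALL.rst already includes as authoritative. The file also lacks a trailing newline here (`\ No newline at end of file`), which PATCH 02 fixes separately.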
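Review bot: the reworded statement in the first developer-release-signatures hunk of PATCH 02 still misspells "contributers" and keeps "They each independantly produce a signature which are made available" with a singular subject and plural verb. PATCH 03 corrects only "independantly", PATCH 13 corrects only the verb, and "contributers" survives unchanged into the clear-signed text of PATCH 14, where fixing it will require re-signing. Fix the spelling, and add the missing period after "Tahoe releases after 1.15.0", before the statement is signed.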
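Review bot: PATCH 05 directs readers to `http://pgp.mit.edu/pks/lookup?op=get&search=0xE27B085EDEAA4B1B`, a plain-HTTP keyserver lookup by 64-bit key ID; a key fetched that way is only trustworthy after its full fingerprint has been compared with the `96B9 C5DA B2EA 9EB6 7941 9DB7 E27B 085E DEAA 4B1B` line above it, and the docs do not say so. PATCH 08 replaces the URL with an HTTPS location under the key owner's control, which is the better choice; squash PATCH 05 into PATCH 08 so the interim URL never lands in history.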
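Review bot: the newsfragment churn should be squashed before merge. PATCH 06 creates `newsfragments/3580.minor`, PATCH 07 deletes `newsfragments/2920.minor` as redundant, then PATCH 11 (subject "better words", a duplicate of PATCH 02's subject) silently re-creates `newsfragments/2920.minor` alongside its INSTALL.rst change, and PATCH 12 deletes it again under the same subject as PATCH 07. This reads as a rebase that replayed part of the series; the final tree is right, but the history carries two create/delete round trips of an empty file and a commit whose message does not mention half of what it touches.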
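Review bot: the INSTALL.rst hunk of PATCH 10 weakens the user-facing rule from "*At least two signatures should be found and verified*" to "you should confirm at least one signature", while the developer statement at the same point in the series (PATCH 02 through PATCH 12) still says "Each release should be signed by at least two developers". The two documents contradict each other until PATCH 13 changes the statement to "MUST be signed by at least one developer but MAY have additional signatures". Make the policy change in both files in one commit, and give it a commit message that says the threshold changed; reusing PATCH 01's subject line and its 20 Dec 2020 date for this change hides it from anyone reading the log.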
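Review bot: replacing brian warner's key with `0x863333C265497810` (`5810 F125 7F8C F753 7753 895A 8633 33C2 6549 7810`) in the second hunk of PATCH 13 leaves the INSTALL.rst sample output from PATCH 01 stale: it still shows `gpg: using RSA key 967EFE06699872411A77DF36D43B4C9C73225AAF` for `tahoe-lafs-1.16.0.tar.bz2.warner.asc`, a fingerprint the signed statement no longer authorizes. Update the sample output in the same commit, and consider a line in the statement noting that the earlier `0xD43B4C9C73225AAF` key is retired, so a reader who finds an older signature knows why it no longer counts. The first hunk's asymmetry (one signature per release, but "any two developers" to change the signer list) is sensible, but INSTALL.rst should mention it, since it currently describes only release signatures.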
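Review bot: the armored signature added in PATCH 14 is only useful if the reader knows which key to check it against, and neither INSTALL.rst nor the statement names the "existing Tahoe release key" or where to fetch it; `gpg --verify` on the included file reports that the public key is missing for anyone who has not already imported it. The issuer-fingerprint subpacket at the start of the armor decodes to `E34E62D06D0E69CFCA4179FFBDE0D31D68666A7A`, the same key PATCH 15 passes to `git tag -s -u`, so the series is internally consistent; put that fingerprint and a download location next to the `.. include:: developer-release-signatures` directive in INSTALL.rst. Note also that clear-signing freezes the text: the "contributers" typo and the missing period after "1.15.0" now cost a re-sign to fix, so correct them before this commit.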
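Review bot: the new "Sign Git Tag" step in PATCH 15 gives the signing command but nothing about verification; since this is the first place in the series the official release key `0xE34E62D06D0E69CFCA4179FFBDE0D31D68666A7A` is written down, add the consumer-side check (`git tag -v tahoe-lafs-X.Y.Z`) and a pointer to where that key's fingerprint is published. As a style point, the command is a bare bullet in rST; mark it up as an inline literal (double backticks) or a literal block so the `-u 0x...` argument and the quoted `-m "release Tahoe-LAFS-X.Y.Z"` message render verbatim and are not reflowed.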