contributor: RELEASE: instructions can be copy/pasted

They can be followed in sequential order which is more convenient and requires less brain cells. - isolate everything in containers to avoid undesirable interferences with the local GPG agent - --export-secret-keys must be --export-secret-subkeys otherwise it also exports the master key
2025-02-08 04:26:39 -05:00 · 2025-01-20 17:30:36 +01:00 · 2025-01-20 17:30:36 +01:00 · 54c1bbd3e5
commit 54c1bbd3e5
parent 5eeb0c179c
1 changed files with 47 additions and 36 deletions
--- a/docs/contributor/RELEASE.md
+++ b/docs/contributor/RELEASE.md
@ -109,25 +109,12 @@ For both the Forgejo runner and Forgejo itself, copying and signing the release
 - key type: ECC and ECC option with Curve 25519 as curve
 - no expiration
 - id: Forgejo Releases <contact@forgejo.org>
- gpg --export-secret-keys --armor EB114F5E6C0DC2BCDD183550A4B61A2DC5923710 and send via encrypted email to Owners
- gpg --export --armor EB114F5E6C0DC2BCDD183550A4B61A2DC5923710 > release-team.gpg.pub
+  - gpg --export --armor EB114F5E6C0DC2BCDD183550A4B61A2DC5923710 > release-team.gpg.pub
 - gpg --keyserver keys.openpgp.org --send-keys EB114F5E6C0DC2BCDD183550A4B61A2DC5923710
- commit to the secrets repository
+- gpg --export-secret-keys --armor EB114F5E6C0DC2BCDD183550A4B61A2DC5923710 | gopass cat openpgp/release-team-master.gpg

 ### Subkey creation and renewal

- gpg --expert --edit-key EB114F5E6C0DC2BCDD183550A4B61A2DC5923710
- addkey
- key type: ECC (signature only)
- elliptic curve Curve 25519
- key validity: 18 months
- update https://codeberg.org/forgejo/forgejo/issues/58 to schedule the renewal 12 months later
- gpg --export --armor EB114F5E6C0DC2BCDD183550A4B61A2DC5923710 > openpgp/release-team.gpg.pub
- commit to the secrets repository
- gpg --keyserver keys.openpgp.org --send-keys EB114F5E6C0DC2BCDD183550A4B61A2DC5923710
-
-#### Local sanity check
-
 From the root of the secrets directory, assuming the master key for
 EB114F5E6C0DC2BCDD183550A4B61A2DC5923710 is already imported in the
 keyring.
@ -168,29 +155,53 @@ Here are a few notions that help understand how it works:
  some instructions on the net recommend doing so, for instance to remove
  a private key.

-```sh
-NEWKEY=????
-#
-# brand new GNUPGHOME, situation similar to the release pipeline
-#
-export GNUPGHOME=/tmp/tmpgpg1 ; mkdir $GNUPGHOME ; chmod 700 $GNUPGHOME
-gpg --import openpgp/$(date +%Y --date='next year')-release-team.gpg
-find $GNUPGHOME/private-keys-v1.d # only has **one** file named after the keygrip
-# sign something
-echo bar > /tmp/foo
-gpg --detach-sig --output /tmp/foo.asc --default-key $NEWKEY --sign /tmp/foo
-#
-# brand new GNUPGHOME: situation similar to someone verifying the release signature is good
-#
-export GNUPGHOME=/tmp/tmpgpg1 ; mkdir $GNUPGHOME ; chmod 700 $GNUPGHOME
-gpg --import release-team.gpg.pub
-gpg --verify /tmp/foo.asc /tmp/foo
-```
+#### Create

-#### 2024
+- mkdir /tmp/secrets && pushd /tmp/secrets
+- gopass list openpgp
+- gopass fscopy openpgp/20??-release-team.gpg 20??-release-team.gpg # for all years
+- docker run -v ${PWD}:/tmp/secrets -ti --rm data.forgejo.org/oci/debian:bookworm bash
+- apt update && apt install -y gnupg2
+- gpg --import 20\*-release-team.gpg
+- gpg --expert --edit-key EB114F5E6C0DC2BCDD183550A4B61A2DC5923710
+- addkey
+- key type: ECC (signature only)
+- elliptic curve Curve 25519
+- key validity: 18 months
+- gpg --list-key --with-subkey-fingerprints # set FINGERPRINT to the fingerprint of the new subkey
+- gpg --export-secret-subkeys --armor "${FINGERPRINT}!" > $(date +%Y)-release-team.gpg
+- gpg --export --armor EB114F5E6C0DC2BCDD183550A4B61A2DC5923710 > openpgp/release-team.gpg.pub
+- popd && rm -r /tmp/secrets

- `gpg --export-secret-subkeys --armor B3B1F60AC577F2A2! > openpgp/2024-release-team.gpg`
- commit to the secrets repository
+#### Sanity check
+
+- mkdir /tmp/secrets && pushd /tmp/secrets
+- gopass fscopy openpgp/release-team.gpg.pub release-team.gpg.pub
+- gopass fscopy openpgp/20??-release-team.gpg 20??-release-team.gpg # year of the new subkey
+- docker run -v ${PWD}:/tmp/secrets -ti --rm data.forgejo.org/oci/debian:bookworm bash
+- apt update && apt install -y gnupg2
+- cd /tmp/secrets
+- export GNUPGHOME=/tmp/signrelease ; mkdir $GNUPGHOME ; chmod 700 $GNUPGHOME
+- gpg --import 20??-release-team.gpg # year of the new subkey
+- find $GNUPGHOME/private-keys-v1.d # only has **one** file named after the keygrip
+- echo bar > /tmp/foo
+- gpg --detach-sig --output /tmp/foo.asc --sign /tmp/foo
+- export GNUPGHOME=/tmp/user ; mkdir $GNUPGHOME ; chmod 700 $GNUPGHOME
+- gpg --import release-team.gpg.pub
+- gpg --verify /tmp/foo.asc /tmp/foo
+- popd && rm -r /tmp/secrets
+
+#### Publish
+
+- mkdir /tmp/secrets && pushd /tmp/secrets
+- gopass fscopy openpgp/release-team.gpg.pub release-team.gpg.pub
+- gpg --import release-team.gpg.pub
+- gpg --keyserver keys.openpgp.org --send-keys EB114F5E6C0DC2BCDD183550A4B61A2DC5923710
+- popd && rm -r /tmp/secrets
+
+#### Reminder
+
+- Set the date of the next sub-key creation reminder https://codeberg.org/forgejo/governance/issues/216

 ## Users, organizations and repositories