From 54c1bbd3e53bf0ebe82b2896e68c265d9a6cbc50 Mon Sep 17 00:00:00 2001
From: Earl Warren <contact@earl-warren.org>
Date: Mon, 20 Jan 2025 17:30:36 +0100
Subject: [PATCH] contributor: RELEASE: instructions can be copy/pasted

They can be followed in sequential order which is more convenient and
requires less brain cells.

- isolate everything in containers to avoid undesirable interferences
  with the local GPG agent
- --export-secret-keys must be --export-secret-subkeys otherwise
  it also exports the master key
---
 docs/contributor/RELEASE.md | 83 +++++++++++++++++++++----------------
 1 file changed, 47 insertions(+), 36 deletions(-)

diff --git a/docs/contributor/RELEASE.md b/docs/contributor/RELEASE.md
index 48011e6e..cfa9cf78 100644
--- a/docs/contributor/RELEASE.md
+++ b/docs/contributor/RELEASE.md
@@ -109,25 +109,12 @@ For both the Forgejo runner and Forgejo itself, copying and signing the release
 - key type: ECC and ECC option with Curve 25519 as curve
 - no expiration
 - id: Forgejo Releases <contact@forgejo.org>
-- gpg --export-secret-keys --armor EB114F5E6C0DC2BCDD183550A4B61A2DC5923710 and send via encrypted email to Owners
-- gpg --export --armor EB114F5E6C0DC2BCDD183550A4B61A2DC5923710 > release-team.gpg.pub
+  - gpg --export --armor EB114F5E6C0DC2BCDD183550A4B61A2DC5923710 > release-team.gpg.pub
 - gpg --keyserver keys.openpgp.org --send-keys EB114F5E6C0DC2BCDD183550A4B61A2DC5923710
-- commit to the secrets repository
+- gpg --export-secret-keys --armor EB114F5E6C0DC2BCDD183550A4B61A2DC5923710 | gopass cat openpgp/release-team-master.gpg
 
 ### Subkey creation and renewal
 
-- gpg --expert --edit-key EB114F5E6C0DC2BCDD183550A4B61A2DC5923710
-- addkey
-- key type: ECC (signature only)
-- elliptic curve Curve 25519
-- key validity: 18 months
-- update https://codeberg.org/forgejo/forgejo/issues/58 to schedule the renewal 12 months later
-- gpg --export --armor EB114F5E6C0DC2BCDD183550A4B61A2DC5923710 > openpgp/release-team.gpg.pub
-- commit to the secrets repository
-- gpg --keyserver keys.openpgp.org --send-keys EB114F5E6C0DC2BCDD183550A4B61A2DC5923710
-
-#### Local sanity check
-
 From the root of the secrets directory, assuming the master key for
 EB114F5E6C0DC2BCDD183550A4B61A2DC5923710 is already imported in the
 keyring.
@@ -168,29 +155,53 @@ Here are a few notions that help understand how it works:
   some instructions on the net recommend doing so, for instance to remove
   a private key.
 
-```sh
-NEWKEY=????
-#
-# brand new GNUPGHOME, situation similar to the release pipeline
-#
-export GNUPGHOME=/tmp/tmpgpg1 ; mkdir $GNUPGHOME ; chmod 700 $GNUPGHOME
-gpg --import openpgp/$(date +%Y --date='next year')-release-team.gpg
-find $GNUPGHOME/private-keys-v1.d # only has **one** file named after the keygrip
-# sign something
-echo bar > /tmp/foo
-gpg --detach-sig --output /tmp/foo.asc --default-key $NEWKEY --sign /tmp/foo
-#
-# brand new GNUPGHOME: situation similar to someone verifying the release signature is good
-#
-export GNUPGHOME=/tmp/tmpgpg1 ; mkdir $GNUPGHOME ; chmod 700 $GNUPGHOME
-gpg --import release-team.gpg.pub
-gpg --verify /tmp/foo.asc /tmp/foo
-```
+#### Create
 
-#### 2024
+- mkdir /tmp/secrets && pushd /tmp/secrets
+- gopass list openpgp
+- gopass fscopy openpgp/20??-release-team.gpg 20??-release-team.gpg # for all years
+- docker run -v ${PWD}:/tmp/secrets -ti --rm data.forgejo.org/oci/debian:bookworm bash
+- apt update && apt install -y gnupg2
+- gpg --import 20\*-release-team.gpg
+- gpg --expert --edit-key EB114F5E6C0DC2BCDD183550A4B61A2DC5923710
+- addkey
+- key type: ECC (signature only)
+- elliptic curve Curve 25519
+- key validity: 18 months
+- gpg --list-key --with-subkey-fingerprints # set FINGERPRINT to the fingerprint of the new subkey
+- gpg --export-secret-subkeys --armor "${FINGERPRINT}!" > $(date +%Y)-release-team.gpg
+- gpg --export --armor EB114F5E6C0DC2BCDD183550A4B61A2DC5923710 > openpgp/release-team.gpg.pub
+- popd && rm -r /tmp/secrets
 
-- `gpg --export-secret-subkeys --armor B3B1F60AC577F2A2! > openpgp/2024-release-team.gpg`
-- commit to the secrets repository
+#### Sanity check
+
+- mkdir /tmp/secrets && pushd /tmp/secrets
+- gopass fscopy openpgp/release-team.gpg.pub release-team.gpg.pub
+- gopass fscopy openpgp/20??-release-team.gpg 20??-release-team.gpg # year of the new subkey
+- docker run -v ${PWD}:/tmp/secrets -ti --rm data.forgejo.org/oci/debian:bookworm bash
+- apt update && apt install -y gnupg2
+- cd /tmp/secrets
+- export GNUPGHOME=/tmp/signrelease ; mkdir $GNUPGHOME ; chmod 700 $GNUPGHOME
+- gpg --import 20??-release-team.gpg # year of the new subkey
+- find $GNUPGHOME/private-keys-v1.d # only has **one** file named after the keygrip
+- echo bar > /tmp/foo
+- gpg --detach-sig --output /tmp/foo.asc --sign /tmp/foo
+- export GNUPGHOME=/tmp/user ; mkdir $GNUPGHOME ; chmod 700 $GNUPGHOME
+- gpg --import release-team.gpg.pub
+- gpg --verify /tmp/foo.asc /tmp/foo
+- popd && rm -r /tmp/secrets
+
+#### Publish
+
+- mkdir /tmp/secrets && pushd /tmp/secrets
+- gopass fscopy openpgp/release-team.gpg.pub release-team.gpg.pub
+- gpg --import release-team.gpg.pub
+- gpg --keyserver keys.openpgp.org --send-keys EB114F5E6C0DC2BCDD183550A4B61A2DC5923710
+- popd && rm -r /tmp/secrets
+
+#### Reminder
+
+- Set the date of the next sub-key creation reminder https://codeberg.org/forgejo/governance/issues/216
 
 ## Users, organizations and repositories