From e32ca83cbed414564dfbe6bb40b73d5e42d61c55 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lo=C3=AFc=20Dachary?= Date: Wed, 16 Nov 2022 11:26:53 +0100 Subject: [PATCH] Release management documentation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: https://codeberg.org/Forgejo/forgejo/issues/4 Signed-off-by: Loïc Dachary --- RELEASE.md | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 RELEASE.md diff --git a/RELEASE.md b/RELEASE.md new file mode 100644 index 0000000000..1f35dd4c22 --- /dev/null +++ b/RELEASE.md 
@@ -0,0 +1,36 @@ +Release management documentation. + +# Release signing keys management + +A GPG master key with no expiration date is created and shared with members of the Owners team via encrypted email. A subkey with a one year expiration date is created and stored in the secrets repository, to be used by the CI pipeline. The public master key is stored in the secrets repository and published where relevant. + +## Master key creation + +* gpg --expert --full-generate-key +* key type: ECC and ECC option with Curve 25519 as curve +* no expiration +* id: Forgejo Releases +* gpg --export-secret-keys --armor EB114F5E6C0DC2BCDD183550A4B61A2DC5923710 and send via encrypted email to Owners +* gpg --export --armor EB114F5E6C0DC2BCDD183550A4B61A2DC5923710 > release-team-gpg.pub +* commit to the secret repository + +## Subkey creation and renewal + +* gpg --edit-key EB114F5E6C0DC2BCDD183550A4B61A2DC5923710 +* addkey +* key type: ECC (signature only) +* key validity: one year + +### 2023 + +* gpg --export --armor F7CBF02094E7665E17ED6C44E381BF3E50D53707 > 2023-release-team-gpg.pub +* gpg --export-secret-keys --armor F7CBF02094E7665E17ED6C44E381BF3E50D53707 > 2023-release-team-gpg +* commit to the secret repository + +## CI configuration + +The `releaseteamgpg` secret in the Woodpecker CI configuration is set with the subkey. + +# Release management + +* Push a tag, the CI does the rest
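
Review bot: In the 2023 step, `gpg --export-secret-keys --armor F7CBF02094E7665E17ED6C44E381BF3E50D53707 > 2023-release-team-gpg` does not export only the subkey. Given a subkey fingerprint, `--export-secret-keys` selects the whole key and writes the master secret key along with it, so the file committed to the secrets repository and loaded into the `releaseteamgpg` CI secret would carry the master key that the introduction says is shared only with Owners. Suggest `gpg --export-secret-subkeys --armor 'F7CBF02094E7665E17ED6C44E381BF3E50D53707!'` instead (assuming that fingerprint is the 2023 subkey, which the section implies but does not state), plus a verification line, for example that `gpg --list-secret-keys` after importing the file shows the primary as `sec#`. Under "Master key creation", the last bullet "commit to the secret repository" should also name `release-team-gpg.pub` explicitly so the armored secret export from the bullet before it is not committed by mistake.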