Add release artifacts signing to the release process #6855

MrAlias · 2025-05-29T19:06:08Z

Resolve #6854

MrAlias · 2025-05-29T20:59:17Z

@dashpole @dmathieu @XSAM: please let me know the public URL for the key server hosting your GPG key that you sign tags and will sign releases with so I can add them here.

@pellared: please check I have added the correct key. It looks like the previous tags were not signed with this one.

codecov · 2025-05-29T20:59:42Z

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 82.3%. Comparing base (dc210e9) to head (eb4ad5b).
Report is 33 commits behind head on main.

Additional details and impacted files

@@          Coverage Diff          @@
##            main   #6855   +/-   ##
=====================================
  Coverage   82.3%   82.3%           
=====================================
  Files        263     263           
  Lines      24416   24418    +2     
=====================================
+ Hits       20095   20099    +4     
+ Misses      3939    3937    -2     
  Partials     382     382

see 9 files with indirect coverage changes

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

CONTRIBUTING.md

pellared

@pellared: please check I have added the correct key. It looks like the previous tags were not signed with this one.

This is correct. I use it since 2025.

Co-authored-by: Damien Mathieu <[email protected]>

CONTRIBUTING.md

pellared · 2025-06-09T09:10:21Z

@dashpole, @XSAM, can you share your GPG keys?

XSAM · 2025-06-11T23:08:43Z

I have added my key (also updated the company 😉)

CONTRIBUTING.md

XSAM · 2025-06-11T23:12:30Z

CONTRIBUTING.md

- [Tyler Yahn](https://github.com/MrAlias), Splunk
+- [Robert Pająk](https://github.com/pellared), Splunk ([GPG](https://keys.openpgp.org/search?q=0xE5F7C35A4DBE90C2))
+- [Sam Xie](https://github.com/XSAM), Splunk ([GPG](https://keys.openpgp.org/search?q=AEA033782371ABB18EE39188B8044925D6FEEBEA))
+- [Tyler Yahn](https://github.com/MrAlias), Splunk ([GPG](https://pgp.mit.edu/pks/lookup?search=0x46B0F3E1A8B1BA5A))


pgp.mit.edu takes 80 seconds to return. Should we use keys.openpgp.org?

I also found it to be unusable.

I agree, see #6855 (comment)

CONTRIBUTING.md

Co-authored-by: Robert Pająk <[email protected]>

CONTRIBUTING.md

Co-authored-by: David Ashpole <[email protected]>

MrAlias added this to the v1.37.0 milestone May 29, 2025

MrAlias added the Skip Changelog PRs that do not require a CHANGELOG.md entry label May 29, 2025

Document signing release artifacts

4166eb6

MrAlias force-pushed the sign-release-docs branch from c4e334e to 4166eb6 Compare May 29, 2025 19:11

MrAlias marked this pull request as ready for review May 29, 2025 19:12

MrAlias requested review from XSAM, dashpole, pellared and dmathieu as code owners May 29, 2025 19:12

dashpole approved these changes May 29, 2025

View reviewed changes

Add known gpg public key links for maintainers

2427270

MrAlias added 2 commits May 29, 2025 14:33

Merge branch 'main' into sign-release-docs

0502eb0

Merge branch 'main' into sign-release-docs

cc30782

dmathieu reviewed Jun 2, 2025

View reviewed changes