
Add release artifacts signing to the release process #6855


Merged
merged 12 commits into from
Jun 16, 2025
4 changes: 2 additions & 2 deletions CONTRIBUTING.md
@@ -651,9 +651,9 @@ should be canceled.

- [Damien Mathieu](https://github.com/dmathieu), Elastic
- [David Ashpole](https://github.com/dashpole), Google
- [Robert Pająk](https://github.com/pellared), Splunk
- [Robert Pająk](https://github.com/pellared), Splunk ([GPG](https://pgp.mit.edu/pks/lookup?op=get&search=0xE5F7C35A4DBE90C2))
- [Sam Xie](https://github.com/XSAM), Cisco/AppDynamics
- [Tyler Yahn](https://github.com/MrAlias), Splunk
- [Tyler Yahn](https://github.com/MrAlias), Splunk ([GPG](https://pgp.mit.edu/pks/lookup?search=0x46B0F3E1A8B1BA5A))

### Emeritus

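Review bot: the two keyserver links added in this hunk are inconsistent with each other and publish only a 64-bit key ID rather than a full fingerprint. The entry for Robert Pająk uses `op=get&search=0xE5F7C35A4DBE90C2` while the entry for Tyler Yahn uses `search=0x46B0F3E1A8B1BA5A` with no `op` parameter; both should use the same URL form. More importantly, someone verifying a release signature needs the full 40-hex-digit fingerprint to confirm that the key they fetched is the maintainer's, since anyone can upload a key with any user ID to a public SKS keyserver such as pgp.mit.edu and a key ID alone is not a strong identity. Suggest printing the full fingerprint next to each name in addition to (or instead of) the keyserver link, and preferably linking to a key published somewhere the project controls, such as a key file committed to this repository. Also, only two of the five maintainers listed here receive a key entry, so the signing step introduced in RELEASING.md can only be performed by those two; either every maintainer who may cut a release should have a key listed, or RELEASING.md should state who is allowed to sign.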
23 changes: 23 additions & 0 deletions RELEASING.md
@@ -112,6 +112,29 @@ It is critical you make sure the version you push upstream is correct.
Finally create a Release for the new `<new tag>` on GitHub.
The release body should include all the release notes from the Changelog for this release.

### Sign the Release Artifact

To ensure we comply with CNCF best practices, we need to sign the release artifact.
The tarball attached to the GitHub release needs to be signed with your GPG key.

Follow [these steps] to sign the release artifact and upload it to GitHub.
You can use [this script] to verify the contents of the tarball before signing it.

Be sure to use the correct GPG key when signing the release artifact.

```terminal
gpg --local-user <key-id> --armor --detach-sign opentelemetry-go-<version>.tar.gz
```

You can verify the signature with:

```terminal
gpg --verify opentelemetry-go-<version>.tar.gz.asc opentelemetry-go-<version>.tar.gz
```

[these steps]: https://wiki.debian.org/Creating%20signed%20GitHub%20releases
[this script]: https://github.com/MrAlias/attest-sh

## Post-Release

### Contrib Repository
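Review bot: the verification step in this hunk checks only that the signature is cryptographically valid, not that it was made by a maintainer. `gpg --verify opentelemetry-go-<version>.tar.gz.asc opentelemetry-go-<version>.tar.gz` reports a good signature for any key present in the local keyring, so the section should tell the reader to first import the signer's key from the CONTRIBUTING.md entry and compare its full fingerprint before trusting the output. Related to that, `<key-id>` in `gpg --local-user <key-id> --armor --detach-sign ...` should be the signer's full fingerprint rather than a short or long key ID, so that a wrong key cannot be selected silently; that is the mistake the sentence "Be sure to use the correct GPG key when signing the release artifact" warns about but does not prevent. The hunk also never says that the `.asc` file produced by `--detach-sign` has to be uploaded as a release asset beside the tarball, nor which tarball is meant: an archive produced with `git archive` and uploaded by hand (what the linked Debian wiki page describes) or the source archive GitHub generates on demand; it should say the former explicitly, since only an artifact the release manager produced and uploaded can be the thing that was signed. Finally, `[this script]` points at a personal repository (https://github.com/MrAlias/attest-sh) outside the open-telemetry organisation; a script that release managers run as part of the signing procedure is part of the release supply chain, so it should be vendored into this repository or at least pinned to a specific commit, and its checks should be described in the text rather than only linked. Minor: the fences are tagged `terminal`, which is not a recognised language; `sh` matches the rest of the file.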