Commit4bd708d

committed

docs(README): make it easier to verify gitpython tarballs

Also provide my public key with this repository, hoping that peoplecan trust it as this commit is signed with it too :).

1 parentfc4e3cc commit4bd708dCopy full SHA for 4bd708d

File tree

2 files changed

+127

-0

lines changed

2 files changed

+127

-0

lines changed

`‎README.md`

Lines changed: 53 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -123,6 +123,59 @@ Please have a look at the [contributions file][contributing].`
`123`	`123`	incrementing the patch level, and possibly by appending`-dev`. Probably you
`124`	`124`	want to`git push` once more.
`125`	`125`
	`126`	`+###How to verify a release`
	`127`	`+`
	`128`	+Please only use releases from`pypi` as you can verify the respective source
	`129`	`+tarballs.`
	`130`	`+`
	`131`	`+This script shows how to verify the tarball was indeed created by the authors of`
	`132`	`+this project:`
	`133`	`+`
	`134`	+```
	`135`	`+curl https://pypi.python.org/packages/7e/13/2a556eb97dcf498c915e5e04bb82bf74e07bb8b7337ca2be49bfd9fb6313/GitPython-2.1.5-py2.py3-none-any.whl\#md5\=d3ecb26cb22753f4414f75f721f6f626z > gitpython.whl`
	`136`	`+curl https://pypi.python.org/packages/7e/13/2a556eb97dcf498c915e5e04bb82bf74e07bb8b7337ca2be49bfd9fb6313/GitPython-2.1.5-py2.py3-none-any.whl.asc > gitpython-signature.asc`
	`137`	`+gpg --verify gitpython-signature.asc gitpython.whl`
	`138`	+```
	`139`	`+`
	`140`	`+which outputs`
	`141`	`+`
	`142`	+```
	`143`	`+gpg: Signature made Sat Jun 10 20:22:49 2017 CEST using RSA key ID 3B07188F`
	`144`	`+gpg: Good signature from "Sebastian Thiel (In Rust I trust!) <byronimo@gmail.com>" [unknown]`
	`145`	`+gpg: WARNING: This key is not certified with a trusted signature!`
	`146`	`+gpg: There is no indication that the signature belongs to the owner.`
	`147`	`+Primary key fingerprint: 4477 ADC5 977D 7C60 D2A7 E378 9FEE 1C6A 3B07 188F`
	`148`	+```
	`149`	`+`
	`150`	`+You can verify that the keyid indeed matches the release-signature key provided in this`
	`151`	`+repository by looking at the keys details:`
	`152`	`+`
	`153`	+```
	`154`	`+gpg --list-packets ./release-verification-key.asc`
	`155`	+```
	`156`	`+`
	`157`	`+You can verify that the commit adding it was also signed by it using:`
	`158`	`+`
	`159`	+```
	`160`	`+git show --show-signature ./release-verification-key.asc`
	`161`	+```
	`162`	`+`
	`163`	`+If you would like to trust it permanently, you can import and sign it:`
	`164`	`+`
	`165`	+```
	`166`	`+gpg --import ./release-verification-key.asc`
	`167`	`+gpg --edit-key 9FEE1C6A3B07188F`
	`168`	`+> sign`
	`169`	`+> save`
	`170`	+```
	`171`	`+`
	`172`	`+Afterwards verifying the tarball will yield the following:`
	`173`	+```
	`174`	`+$ gpg --verify gitpython-signature.asc gitpython.whl`
	`175`	`+gpg: Signature made Sat Jun 10 20:22:49 2017 CEST using RSA key ID 3B07188F`
	`176`	`+gpg: Good signature from "Sebastian Thiel (In Rust I trust!) <byronimo@gmail.com>" [ultimate]`
	`177`	+```
	`178`	`+`
`126`	`179`	`###LICENSE`
`127`	`180`
`128`	`181`	`New BSD License. See the LICENSE file.`

`‎release-verification-key.asc`

Lines changed: 74 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,74 @@`
	`1`	`+-----BEGIN PGP PUBLIC KEY BLOCK-----`
	`2`	`+Comment: GPGTools - https://gpgtools.org`
	`3`	`+`
	`4`	`+mQINBFj+MasBEACak+exWFzTyjtJfz1D7WgSSJ19ZW36IfAX4/E2cxLCZ/hFUPqE`
	`5`	`++9EI0EsmysDs6m7eYk5TIIeqHlGtAQRcryTAMK7swd0ORGG0N7NJxAuc9cWomZII`
	`6`	`+I+vrQI0VcQGr1ovXROz7Zf6wuN2GLRpQm4p4CAA/bC6NRAEn9uTwmKrW/Xv+Hhro`
	`7`	`+QWznTgNsOCb4wu8BZs0UkH/9ZG67Jhf/5sqI9t6l7DcuSWy+BhGRQazgAslCY4rl`
	`8`	`+/9VL9LzsGiqXQJKIDdrQWVhCBDOknz8W0yxW/THc2HBMvh/YXG5NBDucXL6nKtUx`
	`9`	`+eLfQep8iHQy7TBSoyn5Gi0Wi7unBwSHKiBzI7Abby43j4oeYSdul7bVT+7q7sPqm`
	`10`	`+cWjZmj3WsVUDFjFRsHirjViLiqRuz7ksK5eDT9CneZM7mSomab+uofpKvRl67O9L`
	`11`	`+LmZ5YjEatWqps7mH80pLk0Y4g28AR3rDx0dyLPqMJVBKPZLIpG43bccPKjj6c+Me`
	`12`	`+onr6v5RimF5/rOqtIuw9atk4qzWQMtQIxj7keYGEZFtG8Uf7EIUbG/vra4vsBvzb`
	`13`	`+ItXAkASbLxxm5XQZXICPhgnMUcLi5sMw/KZ6AHCzE5SiO8iqEuU7p9PMriyYNYht`
	`14`	`+6C7/AOtKfJ46rPAQ6KEKtkAe5kAtvD2CAV/2PnBFirLa+4f6qMUTUnWmdwARAQAB`
	`15`	`+tDdTZWJhc3RpYW4gVGhpZWwgKEluIFJ1c3QgSSB0cnVzdCEpIDxieXJvbmltb0Bn`
	`16`	`+bWFpbC5jb20+iQI3BBMBCgAhBQJY/jGrAhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4B`
	`17`	`+AheAAAoJEJ/uHGo7BxiPhsAP/jkPbYyUBQO9htkUudZeuv/wAPH5utedVgPHzoP6`
	`18`	`+ySMas/Se4TahwfBIEjAQwEeCwLPAERjNIALzt1WiQZ00GrYYQKqcus42wcfydYSQ`
	`19`	`+MPXznJ2RTtMvGRXs40sQrPXJimumElLDVROsOH6WWeBYaKHPrazI2zGzDPFKyUHI`
	`20`	`+v8VKzLVMRBgMKoud/l6l4MCVVOllMDDjkVHLYCUBQnoo/N2Z1WQXqvdIacUwb5sF`
	`21`	`+A0JTjO9ihFxK3JLm8qMXSi3ssYr99I3exqQm3kbwgUE6dZmT6xpm95uPsPEP0VVM`
	`22`	`+yjMfnanmbizZ0/Juvx2G597E+XS1P9S2gBXaF++lL3+OUr3FOkdw+HkLT0uAIvyT`
	`23`	`+AjMZnIOArftB6yPnh6rD3rMpeLuWsMn3deBrsvgFZHqOmSCT22VFM1J4A1qNrVyT`
	`24`	`+uBDXQIZkGGAv280mtBGhWD1ighShuQAJncRdo7zLx4ntf38O1EIe1GXhnuIuZrZ0`
	`25`	`+7nOOCMsDBufkE2lZOLtpgsygfOLmlwvC/7TgsO6mF08o1ugADYXpsr4PojXjM5rR`
	`26`	`+MMekoWGyO953oYhtotxtyjq7iRJVPDy04XY40IdAcmy7nFwG+2YMJtqHGSYTdMa1`
	`27`	`+pJbzJ+LDQDr7vL3vcm1UHcbs6LcJjHTHyy0waZGMjMHyVBxkE1QycQySp6iItnET`
	`28`	`+5vZ3uQINBFj+MasBEACZgcOJ5QYbevmBAcuW5jpyg8gfssGACK0HGtNXVVbEfU8h`
	`29`	`+FtuzFAtJzLq8Ji8gtP0Rvb+2OmaZHoz3xcWLvBRZwLMB+IOjD9Pfh75MdRjjZCkZ`
	`30`	`+haY9WcFw0xvEModweL61fNgga2Ou7cK/sRrbs0zcEXDNyOK+1h0vTOJ6V3GaL6X9`
	`31`	`+2ewM3P8qyuaqw9De3KJd2LYF814vtBd75wFsnxESrfxaPcjhYO0mOMBsuAFXF4VF`
	`32`	`+uPYxRUqQZj4bekavS/2YDLRe0CiWk6dS2bt9GckUxIQlY+pPAQ/x5XhfOtJH3xk/`
	`33`	`+SwP05oxy+KX20NXNhkEv/+RiziiRJM1OaDFnP2ajSMzeP/qYpdoeeLyazdlXbhSL`
	`34`	`+X8kvNtYmuBi7XiE/nCBrXVExt+FCtsymsQVrcGCWOs8YF10UGwTwkzUHcVU0fFeP`
	`35`	`+15cDXxHgZ2SO6nxxbKTYPwBIklgu0CbTqWYFhKKdeZgzPE4tBZXW8brc/Ld5F0WX`
	`36`	`+2kwjXohm1I9p+EtJIWRMBTLs+o1d1qpEO0ENVbc+np+yOaYyqlPOT+9uZTs3+ozD`
	`37`	`+0JCoxNnG3Fj3x1+3BWJr/sUwhLy4xtdzV7MwOCNkPbsQGsjOXeunFOXa+5GgDxTw`
	`38`	`+NXBKZp2N4CP5tfi2xRLmsfkre693GFDb0TB+ha7mGeU3AkSYT0BIRkB5miMEVQAR`
	`39`	`+AQABiQIfBBgBCgAJBQJY/jGrAhsgAAoJEJ/uHGo7BxiP8goP/2dh4RopBYTJotDi`
	`40`	`+b0GXy2HsUmYkQmFI/rItq1NMUnTvvgZDB1wiA0zHDfDOaaz6LaVFw7OGhUN94orH`
	`41`	`+aiJhXcToKyTf93p5H9pDCBRqkIxXIXb2aM09zW7ZgQLjplMa4eUX+o8uhhFQXCSw`
	`42`	`+oFjXwRRtiqKkeYvQZGJ0vgb8UfPq6qlMck9w4cB6NwBjAXzo/EkAF3r+GGayA7+S`
	`43`	`+0QD18/Y2DMBdNPIj8x+OE9kPiYmKNe9CMd2AQshH1g1fWKkyKugbxU9GXx+nh9RG`
	`44`	`+K9IFD6hC03E9jl7nb0l9I57041WKnsWtADb67xq+BIUY05l5vwdjviXKBqAIm0q3`
	`45`	`+/mqRwbxjH4jx26dXQbm40lVAR7rpITtMxIPV9pj0l1n/pIfyy/4I+JeAm6c1VNcN`
	`46`	`+bE06PCvvQKa9z3Y9HZEIvzKqFSWGsFVgMg5vqauYI/tmL/BSz49wFB65YBB1PsZm`
	`47`	`+sossuQAdzs9tpSHyIz3/I9X9yVenzZgV8mtnWt2EpLJEfYx86TIDM/rPFr9vy+F9`
	`48`	`+p6ov/scHHMKGYNabGtdsH0eBEgtCC7qMybkysIGBKFEAACARbdOGq4r0Uxg4K0Cx`
	`49`	`+JOsUV4Pw6I3vAgL8PagKTt5nICd5ySgExjJWiBV8IegBgd/ed1B1l6iNdU4Xa4Hb`
	`50`	`+TxEjUJgHKGkQtIvjpbbJ7w9e9PeAuQINBFj+MasBEACaSKGJzmsd3AxbGiaTEeY8`
	`51`	`+m1A9OKPGXHhT+EdYANIOL6RnfuzrXoy5w08ExbfYWYFTYLLHLJIVQwZJpqloK9NV`
	`52`	`+4Emn0PCgPB1QwjQN3PnaMpy8r57+m6HlgbSqWEpJcZURBSQ3CiQLfzC96nzTFGqc`
	`53`	`+NZU+KwUAwS5XFl0QeblKtA54IwI0+tH9B95WPzz0BOS2x6hXIdjB/rSQLY9ISDix`
	`54`	`+kiRHDsrU6lb339iVuSjW39J1mVxIAvvB+cswOLgTsp8cxuii2Yx9NFPllemABy6K`
	`55`	`+mRFqwd2peJGOmjJWEOhDAkadvAhT0B526e3JPXX0+yTXsKH/IR2C//kQarRiUCFv`
	`56`	`+w/N/Wi8Z/1I1Ae+mPSJHfBMQXFPxti7hYD22h27yiFZP7XMPgafXDauKb9qIg132`
	`57`	`+sEB6GkEjFM58JlJugna4evR2gp/pPwarYPcotkB5vAuWbYv1UM7gYMepER4LkL3r`
	`58`	`+uaWRMxP9lL1YvSnHRTbIRl6BCNdsQ/BOmuM9J16MhwhdaAUNZ4+69pTcq7nI7ZwH`
	`59`	`+ghnSM2Vc3z93vo+rEP6nW1pwk9U4qBz2y4hCfPmV2aAJhN8f9z+CP0BJufn1EGIY`
	`60`	`+VU1jS4pn/12GwXykdKs2g396QjuQsGzAq9QpbAciv8M9sg2KYIh2DNWqo6DTTh+e`
	`61`	`+HSWeGVYAuhexlBmMSb/hqwARAQABiQIfBBgBCgAJBQJY/jGrAhsMAAoJEJ/uHGo7`
	`62`	`+BxiP0SMP/R85QTEgJz+RN4rplWbjZAUKMfN2QWqYCD5k20vBooVnTDkY4IM5wQ+q`
	`63`	`+YP+1t/D1eLGTZ1uX9eZshIWXXakTJYla+niT8aP4SllNNwfeyZcCn1SwRAZ0ycjj`
	`64`	`+xN24rhV0aMWvtTrvo1kph9ac275ktNXVlFlrPsFokpK9Ds14Uzk7m2mqEBEH/TlO`
	`65`	`+Y4nBegRs6SmdBWOwKDWAINh+yzvFkTLr5r10D7aUukYuPZAiwnya0kLLXnoPmcys`
	`66`	`+LNxFuys78dS8EDC4WFWNVMdzvcUl3LArnfwYT7KqoR/j/MTps3fEq4tqhTxxVuV9`
	`67`	`+W53sF4pRqj8JTTZxKXz+50iRpT48VLBcCCsXU208giiFZCKgJgHtaxwNK6eezf7b`
	`68`	`+JaYfyg2ENmyp/tYsyZcCTv5Ku61sP3zu3lPHD4PNyTVpE60N/AAZaF0wRNmIVMoj`
	`69`	`+HaXTXPiBJHhmfI/AgtJ25HibifFLal/16bOQ58n/vgkdMomGfb7XZWEyO/zxEfhZ`
	`70`	`+OrUp1xSVgGdCflCEa95pWA6GSDxCsTSxkMUCYkaLPhE+JBFUq35ge4wsd1yS+YqA`
	`71`	`+2hI42+X8+WGxrobK2g2ZElEi92yqVuyUokA3aDbZDy9On3Hd9G7Bjxm7GKJ6vRTv`
	`72`	`+Mqb/lQkte2hBEShNrGSVAGNCkMv+jFlhVSB3OnVJcLQ2JVBW9Uyv`
	`73`	`+=H2BO`
	`74`	`+-----END PGP PUBLIC KEY BLOCK-----`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Commit4bd708d

File tree

2 files changed

2 files changed

`‎README.md`

`‎release-verification-key.asc`

0 commit comments