Add instructions for creating signed releases/tags (#1637)

* Add instructions for creating signed releases/tags

Signed-off-by: Cary Phillips <[email protected]>

* Add openexr.keyring

Signed-off-by: Cary Phillips <[email protected]>

* Sign & upload release artifacts via sigstore

Signed-off-by: Cary Phillips <[email protected]>

* Add release-sign.yml

Signed-off-by: Cary Phillips <[email protected]>

* Use gh-action-sigstore-python

Signed-off-by: Cary Phillips <[email protected]>

---------

Signed-off-by: Cary Phillips <[email protected]>

.github/workflows/release-sign.yml

@@ -0,0 +1,54 @@
+# SPDX-License-Identifier: BSD-3-Clause
+# Copyright (c) Contributors to the OpenEXR Project.
+
+#
+# Releases are signed via https://github.com/sigstore/sigstore-python.
+# See https://docs.sigstore.dev for information about sigstore.
+#
+# This action creates a .tar.gz of the complete OpenEXR source tree at
+# the given release tag, signs it via sigstore, and uploads the
+# .tar.gz and the associated .tar.gz.sigstore credential bundle.
+#
+# To verify a downloaded release at a given tag:
+# 
+#   % pip install sigstore
+#   % sigstore verify github --cert-identity https://github.com/AcademySoftwareFoundation/openexr/.github/workflows/release-sign.yml@refs/tags/<tag> openexr-<tag>.tar.gz
+#
+
+name: Sign Release
+
+on:
+  release:
+    types: [created]
+
+permissions:
+  contents: write
+  id-token: write
+  repository-projects: write
+
+jobs:
+  release:
+    name: Sign & upload release artifacts
+    runs-on: ubuntu-latest
+
+    env:
+       tarball: openexr-${{ github.ref_name }}.tar.gz
+
+    steps:
+
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      - name: Create archive
+        run: git archive --format=tar.gz -o ${{ env.tarball }} ${{ github.ref_name }}
+
+      - name: Sign archive with Sigstore
+        uses: sigstore/[email protected]
+        with:
+          inputs: ${{ env.tarball }}
+
+      - name: Upload release archive
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: gh release upload ${{ github.ref_name }} ${{ env.tarball }} ${{ env.tarball }}.sigstore
+

CONTRIBUTING.md

@@ -591,14 +591,26 @@ The preferred workflow is:
    d. Send an email update to ``[email protected]`` notifying
       the community of the addition and the new tag.
 
-7. Publish the release
+7. Create a signed release tag
+
+   a. Make sure you have a [GPG
+      key](https://docs.github.com/en/authentication/managing-commit-signature-verification/generating-a-new-gpg-key)
+      and it is
+      [registered](https://docs.github.com/en/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key)
+      with your GitHub account and git config.
+
+   b. Create a signed tag with the release name via `git tag -s v3.1.9`.
+
+   c. Push the tag via `git push --tags`
+
+8. Publish the release
 
    a. Click the "Publish release" button on the GitHub release draft
 
    b. Send an email to ``[email protected]`` officially
       annoucing the release.
 
-8. Update the ``release`` branch, which should always point to the
+9. Update the ``release`` branch, which should always point to the
    most recent patch of the most recent minor release, i.e. the most
    preferred release.
 
@@ -608,24 +620,24 @@ The preferred workflow is:
        % git merge RB-3.1
        % git push
          
-9. Submit a PR that adds the release notes to [CHANGES.md](CHANGES.md)
-   on the main branch. Cherry-pick the release notes commit from
-   the release branch.
+10. Submit a PR that adds the release notes to [CHANGES.md](CHANGES.md)
+    on the main branch. Cherry-pick the release notes commit from
+    the release branch.
 
-   - If any changes have gone into [SECURITY.md](SECURITY), cherry-pick
-     the associated commit as well.
+    - If any changes have gone into [SECURITY.md](SECURITY), cherry-pick
+      the associated commit as well.
 
-   - Also include in this PR edits to [``docs/news.rst``](docs/news.rst)
-     that add an announcment of the release.
+    - Also include in this PR edits to [``docs/news.rst``](docs/news.rst)
+      that add an announcment of the release.
 
-10. After review/merge of the updates to ``docs/news.rst``, build the
+11. After review/merge of the updates to ``docs/news.rst``, build the
     website at https://readthedocs.org/projects/openexr.
 
-11. If the release has resolved any OSS-Fuzz issues, update the
+12. If the release has resolved any OSS-Fuzz issues, update the
     associated pages at https://bugs.chromium.org/p/oss-fuzz with a
     reference to the release.
 
-12. If the release has resolved any public CVE's, request an update
+13. If the release has resolved any public CVE's, request an update
     from the registry service providing the release and a link to the
     release notes.
 

SECURITY.md

@@ -72,6 +72,17 @@ security vulnerabilities.
 | 2.5.x    | :warning: Only the most critical fixes, only if they can be easily backported. |
 | <= 1.x   | :x: No longer receiving patches of any kind. |
 
+## Signed Releases
+
+Releases artifacts are signed via
+[sigstore](https://www.sigstore.dev). See
+[release-sign.yml](.github/workflows/release-sign.yml) for details.
+
+To verify a downloaded release at a given tag:
+
+    % pip install sigstore
+    % sigstore verify github --cert-identity https://github.com/AcademySoftwareFoundation/openexr/.github/workflows/release-sign.yml@refs/tags/<tag> openexr-<tag>.tar.gz
+
 ## Security Expectations
 
 ### Software Features