diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 1363301aab..09a3c3ac62 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -610,28 +610,17 @@ The preferred workflow is: b. Send an email to ``openexr-dev@lists.aswf.io`` officially annoucing the release. -9. Detach-sign the release source artifact with the GPG key +9. Update the ``release`` branch, which should always point to the + most recent patch of the most recent minor release, i.e. the most + preferred release. - a. On the releases page, download the .zip file of the release source. + From a clone of the main repo: - b. Unzip it and verify that it is identical to the source at the - release tag in your repo clone. - - c. Sign the zip file via `gpg --detach-sig <file.zip>` - - d. Upload the `.sig` file to the GitHub release page. - -10. Update the ``release`` branch, which should always point to the - most recent patch of the most recent minor release, i.e. the most - preferred release. - - From a clone of the main repo: - - % git checkout release - % git merge RB-3.1 - % git push + % git checkout release + % git merge RB-3.1 + % git push -11. Submit a PR that adds the release notes to [CHANGES.md](CHANGES.md) +10. Submit a PR that adds the release notes to [CHANGES.md](CHANGES.md) on the main branch. Cherry-pick the release notes commit from the release branch. 
@@ -641,14 +630,14 @@ The preferred workflow is: - Also include in this PR edits to [``docs/news.rst``](docs/news.rst) that add an announcment of the release. -12. After review/merge of the updates to ``docs/news.rst``, build the +11. After review/merge of the updates to ``docs/news.rst``, build the website at https://readthedocs.org/projects/openexr. -13. If the release has resolved any OSS-Fuzz issues, update the +12. If the release has resolved any OSS-Fuzz issues, update the associated pages at https://bugs.chromium.org/p/oss-fuzz with a reference to the release. -14. If the release has resolved any public CVE's, request an update +13. If the release has resolved any public CVE's, request an update from the registry service providing the release and a link to the release notes. diff --git a/SECURITY.md b/SECURITY.md index 0f2061d1a9..bc44564133 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -74,8 +74,9 @@ security vulnerabilities. ## Signed Releases -Releases are signed by the GPG key listed in -[openexr.keyring](openexr.keyring). +Releases artifacts are signed via +[sigstore](https://www.sigstore.dev). See +[release-sign.yml](.github/workflows/release-sign.yml) for details. ## Security Expectations diff --git a/openexr.keyring b/openexr.keyring deleted file mode 100644 index 23202c9260..0000000000 --- a/openexr.keyring +++ /dev/null 
@@ -1,46 +0,0 @@ -pub rsa3072 2024-02-11 [SC] - B34A8F2C14A48F38FEB395338AA6076A6174AF64 -uid [ultimate] Cary Phillips (cary-ilm) <cary@ilm.com> -sub rsa3072 2024-02-11 [E] - ------BEGIN PGP PUBLIC KEY BLOCK----- - -mQGNBGXJCl8BDADsi1wTcmePGCEwKOfhlSAPADo740P5I38DJ2OPgvhB5+n7u6tC -VUmhaFo3pGVy+jZ+ZihRKkCd8bxONokSu6t17+ZfPdS5+Cd6+HHnYS8kTbWS1CEZ -k1UR+xWcdoW3mhYDlwR6RdJcYk9BSFI7iwATwteChEDYjxQ7A22BFEya1YFRdj1j -miFtilPPnfpOmowhtBicYc4K0fV15aOEvKnNW4mB8DSgl1bAG3Tj6jNBKSiDvbUI -ZHJbqZa5Nxskyv67hsSSLmW/jqo56Flfw7vrXve7jdZ7/s44JMIdq2MK7DXq2YZy -sr9CVAPrU21oIAqJTAnp7vVsLhSb1rYClpXAtE+K2N568VXBaO/P2UKo+cXaXJlt -XXL0oHRCONYfHPrtLGq6MleUvSf9SQCkIct4NzZ0Z4E9vYz9f3JDJZRSSGkw+MC9 -2F9euKauz+8OhCnQSpPgAsLvpdbu1QuYo/dh6fl0GquvS74mdab2XRfdG7IDkVaT -3yqtnNJ/0kULZBsAEQEAAbQnQ2FyeSBQaGlsbGlwcyAoY2FyeS1pbG0pIDxjYXJ5 -QGlsbS5jb20+iQHOBBMBCgA4FiEEs0qPLBSkjzj+s5UziqYHamF0r2QFAmXJCl8C -GwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQiqYHamF0r2RS+gwAmyRu7xYp -oTSw8UDZVKDvSieP1ndcHvIrx6MLsgsRGKo1Eehg5kZhNzOezLCp6hpBHpsD9hyN -tViQc4nhXoUMV/F/lB+kWMZJQYBI4QjuVMp+ACaBRdTUTHKBEb2gYyH7cXb1ffot -/jrvoIeRcCzW/3CimTREIUO9hmMesWGc3ruirj+y2MWe9ZQrkwjch4TMu5wKbsrq -3GFtxI+6CW9Ri2kiq3tvL1ahP8mp6xn/4cKqMVt+oB2sz0pOfoqlqanMFoOZamd4 -asuYPtfQ+TYo/7u9qSwsfHEZiYycfwzrG/9WilyMSkIhSF9+Xf0kSH04mzL5IlVM -5lQJC/swZ6oTxd9vPgmq7v0nps8/Hp3fpaw3c1C5fg5edfQ4tSRcZrf4VPW/PIsl -zQHT9Alb2ENfwsg5TkhgiuBcUXtmx0WhKukTu8gt4R8r1YeiYNgGcIO0TOlBOoLF -+ORLSandNrTXMdfudLv6YQSrKSeGoKDRAQ+TLZh9J5Pl74N/KPfAMHHUuQGNBGXJ -Cl8BDADsXegefQC9ip3dhOwqAxa/x6nCERr0piO9l3kzCTWHB8QjXyL2tnNNTjIk -MTowHeCB/l8jg2oPcIArhApIosTxG4CbnLUd2nrOWs3Ln1ejBUuGO6lXtUJkIy+X -VMf5doMjJAiZQqLsOlHb3rujSH94lnOPMUV68Dn/xxK4xJyoY476SyS6gehFvsAR -2b7bvHPgpzk8GtzCdSIKavc32PY6LYb3vhp496sGQ0r7nNWfVlIc7oF8K39qMlu8 -BE78vZb8ZuwiphYXlsp4mf6pgrDyondoF7b0EI4qlqRmAbdKWnTLkBuP6NEAYL2K -EKUSMcuFryVW1GDPueFuluE1Lr95wxv5qny0PNqdMNB9qh5q/KRfKGyOMk00BSBL -sZxcq9tYMzcyW2/kvP6fSdZVbpa168NKQPvtDxkx8HJtw5CS8huSjwZC/8muYbHP -YQvuIQv9dJ2p/e4SI0jqSb2jam18nXOYFjlKUq/M8yHhI1PpfNDOspkyA59Qm6k2 
-Fca5hEMAEQEAAYkBtgQYAQoAIBYhBLNKjywUpI84/rOVM4qmB2phdK9kBQJlyQpf -AhsMAAoJEIqmB2phdK9koQYMALGKrXZk17ounAI1piOVnixqg3EWZwUR5UnD5tIs -BTyah+jx9frRhaOsCpfSSC3oyt4Qcz7JNGxCTYfVMazFQQjs10vzLmAjGDjXprGb -nHq8x3LOVwDAAhmN3pGaA1q6hdSyzyCIdqlL/KABdGaza5IQlhRkjzGhaVBPNRQw -xe+2lDmfVTJz/3/3kPw3REgH1CECDK2b2Dy4o8D+NyDp6b8A2gw8nOGbSvixitQl -aZOXEjzBPOL0QFIJlwFxHU8N8xgW0xU+P48BtHUSp//sJVUpSi7F6WMN9q9+a39W -uJ5M2eb7v65z8hvtwXXJ4/mKup33VarhA0SwV0dJPj7FYxfw/DABgy/tCHHEzhXF -qGZysBhQBXCuz2OQHaKYF1hoBBZu8A7VomVC8U54WOGoyjzvEygZ+z2Nr/m7wXAZ -Ra/FZ3WAiHbHhsMkIQTM/STNgR+gcEMvHQ4FttAoF8CQNXXS+WMdeE2D8PP7xDvK -shRUqerkfoXgWyVFSPJDDJL76A== -=aEYT ------END PGP PUBLIC KEY BLOCK-----
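Review bot: In the CONTRIBUTING.md hunk at `@@ -610,28 +610,17 @@`, dropping step 9 (detach-signing the source artifact with the GPG key) leaves the release checklist with no signing or signature-verification step at all, even though SECURITY.md in this same patch now states that artifacts are signed via sigstore through `release-sign.yml`. Add a replacement step telling the release manager to confirm that the `release-sign.yml` workflow ran successfully for the release tag and that the signature/bundle files it produces are attached to the GitHub release page before the announcement email goes out; without that check a skipped or failed workflow would ship an unsigned release unnoticed. The unchanged context line "officially annoucing the release" also has a typo (announcing) that could be fixed while this section is being edited.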
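Review bot: In the CONTRIBUTING.md hunk at `@@ -641,14 +630,14 @@` the renumbering is consistent with the first hunk, but the surrounding context carries two small wording issues worth fixing in the same pass: "add an announcment of the release" should read "announcement", and "public CVE's" should read "public CVEs".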
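Review bot: In the SECURITY.md hunk at `@@ -74,8 +74,9 @@`, the new text says how releases are signed but not how a downstream user verifies them, whereas the removed text at least named the key to check against. A sigstore signature only proves something if the verifier pins the expected signing identity, so the section should state the identity that `release-sign.yml` signs under (the GitHub Actions OIDC issuer `https://token.actions.githubusercontent.com` and the workflow's certificate identity) and show a verification command such as `cosign verify-blob` with `--certificate-identity` and `--certificate-oidc-issuer`; otherwise a signature produced by any other sigstore identity could be mistaken for a project signature. Also say which artifacts are covered (source zip/tarball, bundles), and "Releases artifacts are signed" should read "Release artifacts are signed".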
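Review bot: The deletion of openexr.keyring in the hunk at `@@ -1,46 +0,0 @@` removes the only in-repository copy of the public key (fingerprint B34A8F2C14A48F38FEB395338AA6076A6174AF64) that releases made before this change were detach-signed with, so anyone verifying a `.sig` from an earlier release can no longer obtain the key from the repository. Either keep the keyring for historical verification with a sentence in SECURITY.md on which releases it applies to, or add a note to SECURITY.md stating from which release onward sigstore signatures are used and where the GPG key for earlier releases can still be found.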