From 9896118baf953d0886a7bff028486817bdcbba1d Mon Sep 17 00:00:00 2001
From: "Robin H. Johnson"
Date: Sat, 25 Nov 2023 21:57:04 -0800
Subject: [PATCH 1/9] build: annotated/signed tags need a tweak to verify correctly
Signed-off-by: Robin H. Johnson
---
 Makefile.am | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile.am b/Makefile.am
index cd20f0c0..6567fce4 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -242,7 +242,7 @@ packages:
 $(MAKE) sign
 $(MAKE) verify
 $(MAKE) html
- @if [[ "$$(git rev-parse HEAD)" != "$$(git rev-parse v$(VERSION))" ]] ; then printf "\n\n\tv$(VERSION) tag missing, or not checked out...\n\n\n" && false ; fi
+ @if [[ "$$(git rev-parse HEAD)" != "$$(git rev-parse v$(VERSION)^{commit})" ]] ; then printf "\n\n\tv$(VERSION) tag missing, or not checked out...\n\n\n" && false ; fi
 @printf "\n\n\tDont forget to push the v$(VERSION) tag and this branch to origin (git push origin v$(VERSION) master)\n\n\n"
From 44b414834e33ec5f33a7e4fe5fc50fb487ec3bf9 Mon Sep 17 00:00:00 2001
From: "Robin H. Johnson"
Date: Sat, 25 Nov 2023 21:58:12 -0800
Subject: [PATCH 2/9] build: need awk for newer autoconf
Signed-off-by: Robin H. Johnson
---
 Docker.autogen | 1 +
 1 file changed, 1 insertion(+)
diff --git a/Docker.autogen b/Docker.autogen
index 44ece764..f893c00c 100644
--- a/Docker.autogen
+++ b/Docker.autogen
@@ -5,6 +5,7 @@ RUN apt-get update && \
 automake \
 gettext \
 libtool \
+ gawk \
 pkg-config
 VOLUME /workdir
 ENTRYPOINT cd /workdir && /bin/sh autogen.sh && ./configure -C && make distclean
From 55d371341d04952a8e719228b7c2ed05960fc8eb Mon Sep 17 00:00:00 2001
From: "Robin H. Johnson"
Date: Sat, 25 Nov 2023 22:00:41 -0800
Subject: [PATCH 3/9] build: verify tag earlier
Signed-off-by: Robin H. Johnson
---
 Makefile.am | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile.am b/Makefile.am
index 6567fce4..11b141b6 100644
--- a/Makefile.am
+++ b/Makefile.am
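Review bot: The rewritten guard in the `packages:` recipe (PATCH 1/9, the `+` line) only checks that HEAD is the commit `v$(VERSION)` peels to; nothing checks the tag's signature, so a lightweight or unsigned tag of that name passes as well. If releases are meant to come from a signed tag, add a recipe line `git verify-tag v$(VERSION)` ahead of the comparison so the build stops when the signature is missing or bad. The same line is moved in PATCH 3/9 and appears as context in PATCH 7/9. The recipe starts and ends outside this hunk.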
@@ -233,6 +233,7 @@ html:
 packages:
 @if [[ "$$(git diff | wc -l)" != "0" ]] ; then printf "\n\n\tYou have local changes in the working copy...\n\n\n" && git diff && false ; fi
+ @if [[ "$$(git rev-parse HEAD)" != "$$(git rev-parse v$(VERSION)^{commit})" ]] ; then printf "\n\n\tv$(VERSION) tag missing, or not checked out...\n\n\n" && false ; fi
 $(MAKE) dist-gzip
 rm -rf radvd-$(VERSION)
 tar zfx radvd-$(VERSION).tar.gz
@@ -242,7 +243,6 @@ packages:
 $(MAKE) sign
 $(MAKE) verify
 $(MAKE) html
- @if [[ "$$(git rev-parse HEAD)" != "$$(git rev-parse v$(VERSION)^{commit})" ]] ; then printf "\n\n\tv$(VERSION) tag missing, or not checked out...\n\n\n" && false ; fi
 @printf "\n\n\tDont forget to push the v$(VERSION) tag and this branch to origin (git push origin v$(VERSION) master)\n\n\n"
From b6029fe5f50ebe49a56627d66910e1039f92bc22 Mon Sep 17 00:00:00 2001
From: "Robin H. Johnson"
Date: Sat, 25 Nov 2023 22:04:52 -0800
Subject: [PATCH 4/9] build: drop sha1, insecure
Signed-off-by: Robin H. Johnson
---
 Makefile.am | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile.am b/Makefile.am
index 11b141b6..66c87a33 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -194,7 +194,7 @@ EXTRA_DIST = \
 .travis.yml
 EXTENSIONS = gz bz2 lz lzma xz tarZ shar zip
-HASHES = sha1 sha256 sha512
+HASHES = sha256 sha512
 sign:
 $(AM_V_GEN)for e in $(EXTENSIONS); do \
 if [ -f radvd-$(VERSION).tar.$$e ]; then \
From d234b5d0b025aa7ed5f69c6b5ee3e011e0dcac86 Mon Sep 17 00:00:00 2001
From: "Robin H. Johnson"
Date: Sat, 25 Nov 2023 22:06:45 -0800
Subject: [PATCH 5/9] build: use BSD-style checksum tags
Signed-off-by: Robin H. Johnson
---
 Makefile.am | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index 66c87a33..11d2d539 100644
--- a/Makefile.am
+++ b/Makefile.am
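Review bot: The tag guard moved to the top of `packages:` (PATCH 3/9, the `+` line) depends on `[[ … ]]`, which is a bash construct; if the recipe shell is a POSIX sh without it (dash, for example), the test command is not found, the `if` evaluates false and the release check passes silently. Nothing visible in these hunks sets `SHELL`, so this is worth confirming before relying on the guard. A portable spelling is `@if [ "$$(git rev-parse HEAD)" != "$$(git rev-parse v$(VERSION)^{commit})" ] ; then … ; fi`. The `git diff` guard on the context line just above has the same shape and would fail open the same way.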
@@ -200,7 +200,7 @@ sign:
 $(AM_V_GEN)for e in $(EXTENSIONS); do \
 if [ -f radvd-$(VERSION).tar.$$e ]; then \
 for h in $(HASHES); do \
- $${h}sum radvd-$(VERSION).tar.$$e > radvd-$(VERSION).tar.$$e.$$h; \
+ $${h}sum --tag radvd-$(VERSION).tar.$$e > radvd-$(VERSION).tar.$$e.$$h; \
 done; \
 gpg -sba radvd-$(VERSION).tar.$$e; \
 fi; \
@@ -210,7 +210,7 @@ verify:
 $(AM_V_GEN)for e in $(EXTENSIONS); do \
 if [ -f radvd-$(VERSION).tar.$$e ]; then \
 for h in $(HASHES); do \
- $${h}sum -c radvd-$(VERSION).tar.$$e.$$h; \
+ $${h}sum --tag -c radvd-$(VERSION).tar.$$e.$$h; \
 done; \
 gpg --verify radvd-$(VERSION).tar.$$e.asc; \
 fi; \
From 2ae42d753bc11296490143fbaa8775f12083fe5e Mon Sep 17 00:00:00 2001
From: "Robin H. Johnson"
Date: Sat, 25 Nov 2023 22:23:48 -0800
Subject: [PATCH 6/9] build: make sign & verify tighter
Signed-off-by: Robin H. Johnson
---
 Makefile.am | 24 ++++++++++++++++++++----
 1 file changed, 20 insertions(+), 4 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index 11d2d539..e912faf1 100644
--- a/Makefile.am
+++ b/Makefile.am
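Review bot: In the `verify:` hunk of PATCH 5/9, `$${h}sum --tag -c …` combines two options that, as far as I know, GNU coreutils rejects together with a usage error stating that `--tag` is meaningless when verifying. Because the loop body separates commands with `;` and the shell is presumably not run with `-e`, that error would not stop the recipe, so at this commit no checksum is actually checked. Check mode already recognises BSD-style lines, so `$${h}sum -c radvd-$(VERSION).tar.$$e.$$h; \` is sufficient. PATCH 6/9 later drops `--tag` from the check, but this intermediate commit stays broken for anyone bisecting or cherry-picking.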
@@ -196,23 +196,39 @@ EXTRA_DIST = \
 EXTENSIONS = gz bz2 lz lzma xz tarZ shar zip
 HASHES = sha256 sha512
+# Generate clearsigned checksum files.
+# Generate detached signatures of the tarballs.
 sign:
 $(AM_V_GEN)for e in $(EXTENSIONS); do \
 if [ -f radvd-$(VERSION).tar.$$e ]; then \
+ gpg --armor --sign --detach-sign radvd-$(VERSION).tar.$$e; \
 for h in $(HASHES); do \
- $${h}sum --tag radvd-$(VERSION).tar.$$e > radvd-$(VERSION).tar.$$e.$$h; \
+ $${h}sum --tag radvd-$(VERSION).tar.$$e > radvd-$(VERSION).tar.$$e.$$h || exit 1; \
+ gpg --clear-sign radvd-$(VERSION).tar.$$e.$$h || exit 1; \
+ mv -f radvd-$(VERSION).tar.$$e.$$h.asc radvd-$(VERSION).tar.$$e.$$h || exit 1; \
 done; \
- gpg -sba radvd-$(VERSION).tar.$$e; \
 fi; \
 done
+# Verify clearsigned checksum files.
+# Verify detached signatures of the tarballs.
+#
+# Be careful to verify the clearsign, take ONLY the signed part, and then
+# verify the checksum contained in that (ignore checksums OUTSIDE the
+# clearsigned part).
 verify:
 $(AM_V_GEN)for e in $(EXTENSIONS); do \
 if [ -f radvd-$(VERSION).tar.$$e ]; then \
+ gpg --verify radvd-$(VERSION).tar.$$e.asc; \
 for h in $(HASHES); do \
- $${h}sum --tag -c radvd-$(VERSION).tar.$$e.$$h; \
+ rm -f radvd-$(VERSION).tar.$$e.$$h.verified || exit 1; \
+ gpg --output radvd-$(VERSION).tar.$$e.$$h.verified --verify radvd-$(VERSION).tar.$$e.$$h || exit 1; \
+ if ! $${h}sum -c radvd-$(VERSION).tar.$$e.$$h.verified ; then \
+ rm -f radvd-$(VERSION).tar.$$e.$$h.verified; \
+ exit 1; \
+ fi; \
+ rm -f radvd-$(VERSION).tar.$$e.$$h.verified; \
 done; \
- gpg --verify radvd-$(VERSION).tar.$$e.asc; \
 fi; \
 done
From cfb191e7b0abea6ec8fd64b98c17df9f6bc0ee4f Mon Sep 17 00:00:00 2001
From: "Robin H. Johnson"
Date: Sat, 25 Nov 2023 22:33:48 -0800
Subject: [PATCH 7/9] build: cleanup old tarballs first
Signed-off-by: Robin H. Johnson
---
 Makefile.am | 1 +
 1 file changed, 1 insertion(+)
diff --git a/Makefile.am b/Makefile.am
index e912faf1..39265217 100644
--- a/Makefile.am
+++ b/Makefile.am
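Review bot: In PATCH 6/9 the two gpg calls on the tarball itself, `gpg --armor --sign --detach-sign …` in `sign:` and `gpg --verify radvd-$(VERSION).tar.$$e.asc;` in `verify:`, are the only new commands in these loops without `|| exit 1`, so a failed signing step or a bad detached signature does not stop the recipe as long as the checksum steps after it succeed. Suggested lines: `gpg --armor --sign --detach-sign radvd-$(VERSION).tar.$$e || exit 1; \` and `gpg --verify radvd-$(VERSION).tar.$$e.asc radvd-$(VERSION).tar.$$e || exit 1; \`, the latter naming the signed file explicitly. The comment block above `verify:` could also state that `gpg --verify` succeeds for a good signature from any key in the local keyring, so the release signer's fingerprint is not pinned by this target.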
@@ -250,6 +250,7 @@ html:
 packages:
 @if [[ "$$(git diff | wc -l)" != "0" ]] ; then printf "\n\n\tYou have local changes in the working copy...\n\n\n" && git diff && false ; fi
 @if [[ "$$(git rev-parse HEAD)" != "$$(git rev-parse v$(VERSION)^{commit})" ]] ; then printf "\n\n\tv$(VERSION) tag missing, or not checked out...\n\n\n" && false ; fi
+ rm -f radvd-$(VERSION).tar*
 $(MAKE) dist-gzip
 rm -rf radvd-$(VERSION)
 tar zfx radvd-$(VERSION).tar.gz
From 301d86e5504303fb54bf7e81a221672a5a52ed5a Mon Sep 17 00:00:00 2001
From: "Robin H. Johnson"
Date: Sat, 25 Nov 2023 22:40:09 -0800
Subject: [PATCH 8/9] docs: document formal release process
Signed-off-by: Robin H. Johnson
---
 RELEASE-PROCESS.md | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 create mode 100644 RELEASE-PROCESS.md
diff --git a/RELEASE-PROCESS.md b/RELEASE-PROCESS.md
new file mode 100644
index 00000000..dc512c5f
--- /dev/null
+++ b/RELEASE-PROCESS.md
@@ -0,0 +1,16 @@
+# Rough release process
+
+0. Update `CHANGES` & commit!
+1. `export VERSION=2...`
+2. `sed -i -e "/^AC_INIT/s,\[.*\],[$VERSION],g" configure.ac`
+3. `git commit -s -m "Release ${VERSION}" configure.ac`
+4. `git tag -s v${VERSION} -m "$VERSION"`
+5. `docker rmi radvd-autogen:latest`
+6. `./autogen-container.sh`
+7. `./configure`
+8. `make packages`
+9. `gh release create v${VERSION} radvd-${VERSION}.tar.{xz,gz}{,.asc,.sha256,.sha512}`
+
+
+## Tools
+https://cli.github.com/
From 8653a818dcc3576100e1857f2da2c612ae7a057a Mon Sep 17 00:00:00 2001
From: Mike Pontillo
Date: Thu, 7 Dec 2023 01:02:13 -0800
Subject: [PATCH 9/9] Expand on RELEASE-PROCESS.md
---
 RELEASE-PROCESS.md | 101 ++++++++++++++++++++++++++++++++++++++-------
 1 file changed, 87 insertions(+), 14 deletions(-)
diff --git a/RELEASE-PROCESS.md b/RELEASE-PROCESS.md
index dc512c5f..80f85084 100644
--- a/RELEASE-PROCESS.md
+++ b/RELEASE-PROCESS.md
@@ -1,16 +1,89 @@
 # Rough release process
-0. Update `CHANGES` & commit!
-1. `export VERSION=2...`
-2. `sed -i -e "/^AC_INIT/s,\[.*\],[$VERSION],g" configure.ac`
-3. `git commit -s -m "Release ${VERSION}" configure.ac`
-4. `git tag -s v${VERSION} -m "$VERSION"`
-5. `docker rmi radvd-autogen:latest`
-6. `./autogen-container.sh`
-7. `./configure`
-8. `make packages`
-9. `gh release create v${VERSION} radvd-${VERSION}.tar.{xz,gz}{,.asc,.sha256,.sha512}`
-
-
-## Tools
-https://cli.github.com/
+## Update `CHANGES`
+
+Go through `git log` and ensure that each relevant change is documented in
+the `CHANGES file.
+
+## Ensure version consistency
+
+The version identifier needs to be consistent amongst the `CHANGES` file, the
+`configure.ac` file, and the git tag. First, determine the currently-configured
+version identifier, such as by running:
+
+```
+grep AC_INIT configure.ac | cut -d[ -f 2 | cut -d] -f 1
+grep Release CHANGES | head -1
+```
+
+When preparing a release candidate build, the version string should end with
+`_rcN`, where N is the candidate build number.
+
+Conventionally, the `CHANGES` file will contain a string in the format
+`v`, such as `v2.20_rc1` or `v2.20`, while the git tag and
+`configure.ac` file will contain a string in the format ``, such as
+`2.20_rc1` or `2.20.`
+
+Edit the `CHANGES` file and note the new version identifier.
+
+## Update `configure.ac`
+
+After manually updating the `CHANGES` file, update the `configure.ac` file
+with a matching version identifier, such as:
+
+```
+export VERSION="$(grep Release CHANGES | head -1 | sed s/'.*Release v'//g)"
+echo "New version identifier is: $VERSION"
+sed -i -e "/^AC_INIT/s,\[.*\],[$VERSION],g" configure.ac
+```
+
+## Validate, commit, and tag
+
+Next, examine the changes to ensure accuracy:
+
+```
+git diff CHANGES configure.ac
+```
+
+If everything looks good, commit the changes and create the tag. Note that
+this will create a signed tag, so ensure that you have GPG configured
+appropriately.
+ ```
+git commit -s -m "Release ${VERSION}" CHANGES configure.ac
+git tag -s v${VERSION} -m "$VERSION"
+```
+
+## Build release archives
+
+### Clean up Docker environment
+
+To build the release archives, first delete the container manually to ensure
+the build works with a clean container (this command may fail if hte container
+does not exist):
+
+```
+docker rmi radvd-autogen:latest
+```
+
+### Perform a package build
+
+The `autogen-container.sh` script will run `autoreconf` in a clean environment.
+Afterward, the `./configure` script can be run in order to configure the build
+environment. Finally, `make packages` will create package archives suitable
+for release.
+
+```
+./autogen-container.sh
+./configure
+make packages
+```
+
+### Release the new version on GitHub
+
+To perform this step, first install and configure the
+[GitHub CLI](https://cli.github.com/).
+
+```
+gh release create v${VERSION} radvd-${VERSION}.tar.{xz,gz}{,.asc,.sha256,.sha512}`
+```