From d888c305970d73e9ca75e90b7705183299b36b04 Mon Sep 17 00:00:00 2001 From: Nikolaus Rath Date: Wed, 5 Jul 2023 11:03:07 +0100 Subject: [PATCH] Use signify to sign releases. --- README.md | 15 ++++++++-- dev-docs/release-process.md | 58 +++++++++++++++++++++++++++++++++++++ make_release_tarball.sh | 11 ++++--- 3 files changed, 78 insertions(+), 6 deletions(-) create mode 100644 dev-docs/release-process.md diff --git a/README.md b/README.md index 1b02149..cf76978 100644 --- a/README.md +++ b/README.md @@ -52,9 +52,20 @@ Installation You can download libfuse from https://github.com/libfuse/libfuse/releases. To build and install, you must use [Meson](http://mesonbuild.com/) and -[Ninja](https://ninja-build.org). After extracting the libfuse -tarball, create a (temporary) build directory and run Meson: +[Ninja](https://ninja-build.org). After downloading the tarball, verify +it using [signify])(https://www.openbsd.org/papers/bsdcan-signify.html): + signify -V -z -m fuse-X.Y.Z.tar.gz -p fuse-X.Y.pub + +The `fuse-X.Y.pub` file contains the signing key and needs to be obtained from a +trustworthy source. Each libfuse release contains the signing key for the release after it +in the `signify` directory, so you only need to manually acquire this file once when you +install libfuse for the first time. + +After you have validated the tarball, extract it, create a (temporary) build directory and +run Meson: + + $ tar xzf fuse-X.Y.Z.tar.gz; cd fuse-X.Y.Z $ mkdir build; cd build $ meson setup .. diff --git a/dev-docs/release-process.md b/dev-docs/release-process.md new file mode 100644 index 0000000..783e157 --- /dev/null +++ b/dev-docs/release-process.md 
@@ -0,0 +1,58 @@ +Release Process +=============== + +* `set TAG fuse-A.B.C` +* Update version in + * `ChangeLog.rst` + * `meson.build` + * `include/fuse_common.h` (`#define FUSE_{MINOR/MAJOR}_VERSION`) +* When creating new minor release: + * Create signing key for the next release: `P=fuse- signify-openbsd -G -n -p signify/$P.pub -s + signify/$P.sec` + * Expire old release signing keys (keep one around just in case) +* Update authors: `git log --all --pretty="format:%an <%aE>" | sort -u >> AUTHORS` +* `git commit --all -m "Released $TAG"` +* `git tag -s $TAG` +* Build tarball, `./make_release_tarball.sh` +* Test build: + * `cd fuse-x.y.z` + * `md build && (cd build && meson .. && ninja)` + * `sudo sudo chown root:root build/util/fusermount3` + * `sudo chmod 4755 build/util/fusermount3` + * `(cd build; python3 -m pytest test/)` +* Upload API docs: + * `rm -r ../libfuse.github.io/doxygen && cp -a doc/html ../libfuse.github.io/doxygen` + * `(cd ../libfuse.github.io; git add doxygen/; git commit --all -m "Re-generated doxygen documentation"; git push)` +* `git push && git push --tags`, create release on Github +* Write announcement to fuse-devel + + +Announcement email template + +``` +To: fuse-devel@lists.sourceforge.net +Subject: [ANNOUNCE] libfuse XXXX has been released + +Dear all, + +I am pleased to announce the release of libfuse XXX. + +The source code is available for download at https://github.com/libfuse/libfuse/releases. + +Please report any issues on this mailing list or the GitHub issue +tracker at https://github.com/libfuse/libfuse/issues. + +From ChangeLog.rst: + +[INSERT NEW ENTRIES] + +The following people have contributed code to this release: + +[INSERT CONTRIBUTORS] + +(a full list of credits containing all known contributors is included in +the `AUTHORS` file). + +Best, +-Nikolaus +``` diff --git a/make_release_tarball.sh b/make_release_tarball.sh index c1781ef..32d15fd 100755 --- a/make_release_tarball.sh +++ b/make_release_tarball.sh 
@@ -7,10 +7,12 @@ set -e if [ -z "$1" ]; then - TAG="$(git tag --list 'fuse-3*' --sort=-taggerdate | head -1)" + TAG="$(git tag --list 'fuse-3*' --sort=-creatordate | head -1)" else TAG="$1" fi +PREV_TAG="$(git tag --list 'fuse-3*' --sort=-creatordate --merged "${TAG}^"| head -1)" +MAJOR_REV=${TAG%.*} echo "Creating release tarball for ${TAG}..." @@ -25,10 +27,11 @@ rm -r "${TAG}/make_release_tarball.sh" \ "${TAG}/.github" \ "${TAG}/.cirrus.yml" cp -a doc/html "${TAG}/doc/" -tar -cJf "${TAG}.tar.xz" "${TAG}/" -gpg --armor --detach-sign "${TAG}.tar.xz" +tar -czf "${TAG}.tar.gz" "${TAG}/" + +signify-openbsd -S -z -s signify/$MAJOR_REV.sec -m $TAG.tar.gz + -PREV_TAG="$(git tag --list 'fuse-3*' --sort=-taggerdate --merged "${TAG}^"| head -1)" echo "Contributors from ${PREV_TAG} to ${TAG}:" git log --pretty="format:%an <%aE>" "${PREV_TAG}..${TAG}" | sort -u -- 2.30.2
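Review bot: In the README.md hunk, the link `[signify])(https://www.openbsd.org/papers/bsdcan-signify.html)` has a stray `)` after the closing bracket, so it will not render as a link; it should be `[signify](https://www.openbsd.org/papers/bsdcan-signify.html)`. The verification command is also the only command in this section without the `$ ` prompt. It calls the tool `signify`, while make_release_tarball.sh and the release notes call it `signify-openbsd`; please say which name users should expect. The text asks users to get `fuse-X.Y.pub` "from a trustworthy source" without naming one, so a first-time installer has nothing to anchor trust on; point to a concrete channel. "The release after it" is also ambiguous, because the key file is named per `X.Y` series rather than per release.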
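Review bot: In dev-docs/release-process.md, the key generation step `P=fuse- signify-openbsd -G -n -p signify/$P.pub -s signify/$P.sec` does not work as written. The value after `fuse-` is missing, and in a POSIX shell `$P` in the arguments is expanded before the one-command assignment takes effect, so the paths become `signify/.pub` and `signify/.sec` unless `P` was already set. Assign `P` on its own line with the full `fuse-X.Y` name, then run the command. Separately, `-n` creates the secret key without a passphrase and the step writes it into `signify/` in the working tree, next to the public key that ships in releases. The document should say how the `.sec` file is kept out of git and out of the tarball (an ignore rule, or keeping it outside the repository) and whether dropping the passphrase is intended. "Expire old release signing keys" gives no procedure. Smaller items: `set TAG fuse-A.B.C` is not POSIX shell syntax while the rest of the list is, `md build` is not a standard command (presumably `mkdir build`), `sudo sudo chown` repeats `sudo`, and `meson ..` differs from the `meson setup ..` used in README.md.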
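Review bot: In the first make_release_tarball.sh hunk, `MAJOR_REV=${TAG%.*}` is derived from `TAG` without any check, and `TAG` can come straight from `$1`. A tag that does not have the `fuse-X.Y.Z` shape silently yields the wrong key name, and the failure only appears later at the signing step, after the tarball has been built. Validate the tag format up front and test that `signify/${MAJOR_REV}.sec` exists, with a clear error message, before doing any work. The variable name is also misleading, since the value is `fuse-X.Y` (prefix plus major and minor); something like `KEY_NAME` or `RELEASE_SERIES` would match how README.md names the key file.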
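Review bot: In the second make_release_tarball.sh hunk, the signing line `signify-openbsd -S -z -s signify/$MAJOR_REV.sec -m $TAG.tar.gz` passes no output file, and nothing in the patch says which file it writes or which file must be uploaded for the README.md verification command to succeed. Please pass the output name explicitly or document it in dev-docs/release-process.md, whose "Build tarball" step does not mention a signature artifact at all. The same line leaves `$MAJOR_REV` and `$TAG` unquoted, while the rest of the script uses `"${TAG}"`; quote them for consistency. This hunk also switches the archive from `.tar.xz` to `.tar.gz` and removes the `gpg --armor --detach-sign` step, neither of which the commit subject mentions; both are visible to downstream packagers and deserve a line in the commit message and ChangeLog.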