From 02ca80624f712e892ba34753d08362bed5c74d7f Mon Sep 17 00:00:00 2001
From: Will O'Beirne
Date: Sat, 18 Dec 2021 13:20:05 -0600
Subject: [PATCH] Add all necessary components for gpg signed release manifests
---
 .github/workflows/build.yml | 12 ++++++++-
 README.md | 15 ++++++++---
 docs/verify.md | 26 +++++++++++++++++++
 keys/wbobeirne.asc | 52 +++++++++++++++++++++++++++++++++++++
 4 files changed, 100 insertions(+), 5 deletions(-)
 create mode 100644 docs/verify.md
 create mode 100644 keys/wbobeirne.asc
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 9baa8443..39ee9868 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -51,6 +51,16 @@ jobs:
 release_name: ${{ github.ref }}
 draft: true
 prerelease: true
+ body: |
+ ## Release Notes
+
+
+
+ ## Verify Release
+
+
+
+ See https://github.com/joule-labs/joule-extension/tree/develop/docs/verify.md
 - name: Download extension build zip artifact
 uses: actions/download-artifact@v2
@@ -85,5 +95,5 @@ jobs:
 with:
 upload_url: ${{ steps.create_release.outputs.upload_url }}
 asset_path: ./manifest.txt
- asset_name: manifest.txt
+ asset_name: manifest-${{ github.ref_name }}.txt
 asset_content_type: text/plain
diff --git a/README.md b/README.md
index 3cf41f4b..14543bf0 100755
--- a/README.md
+++ b/README.md
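Review bot: The release `body:` added in the first hunk sends verifiers to `tree/develop/docs/verify.md`, a moving branch, so the instructions attached to an old release can change after the fact; pin them to the tag being released, e.g. `See https://github.com/joule-labs/joule-extension/blob/${{ github.ref_name }}/docs/verify.md` (`github.ref_name` is already used in the second hunk of this file). The same template is the natural place to print the signing key's fingerprint, because docs/verify.md in this commit has users import the key from the repository itself and so gives them nothing independent to compare it against; a line such as `Signing key fingerprint: <FINGERPRINT>` (placeholder, to be filled in from the key) with a note to check it out-of-band would close that gap. The `create_release` step this `body:` belongs to begins before the hunk.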
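Review bot: The tag-qualified `asset_name` in the second hunk stops manifests from different releases colliding, but nothing in the workflow ties `manifest-<tag>.txt` to the source revision it was built from; the README change in this commit has the maintainer sign a local Docker build and compare it to the CI manifest, which only holds if that build is byte-for-byte reproducible with CI's. Adding `Built from ${{ github.sha }}` to the `body:` template in the first hunk gives a verifier a second anchor when the local and CI manifests disagree. The signature file the docs reference (`manifest-[version].wbobeirne.sig`) has no upload step here and is, per the README, attached by hand; if that is intended, a one-line comment above `asset_name:` saying so would spare the next maintainer a search for a missing step. The step's `with:` block is complete in the hunk but its `- name:` header is outside it.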
@@ -90,11 +90,18 @@ To make a production build, follow these steps
 ## Releasing
-1. Bump the version number in `package.json` and `static/manifest.json`
+1. Bump the version number in `package.json` and `static/manifest.json` and commit it to develop
 2. Create a git tag called `v${version}` and push it
-3. Run a build
-4. Make a new Github release, upload the build assets, write a changelog
-5. Upload the built zip to the Chrome developer dashboard, Firefox addons site, and Opera addons site
+3. CI will make a release with the assets uploaded and place it in draft
+4. Build the release locally with Docker and sign the manifest with
+ ```sh
+ yarn build:docker && cd dist-docker && gpg --output manifest-[version].wbobeirne.sig --detach-sig manifest.txt
+ ```
+5. Download the `manifest-[version].txt` from the release and verify it with the signature you just made
+ ```sh
+ gpg --verify manifest-[version].wbobeirne.sig manifest-[version].txt
+ ```
+6. Upload the built zip to the Chrome developer dashboard + Firefox addons site
 ## Testing
diff --git a/docs/verify.md b/docs/verify.md
new file mode 100644
index 00000000..e9132256
--- /dev/null
+++ b/docs/verify.md
@@ -0,0 +1,26 @@
+# Verify Releases
+
+To verify the release, you can check @wbobeirne's signature against the sha256 manifest file. First import the public key:
+
+```sh
+curl https://raw.githubusercontent.com/joule-labs/joule-extension/master/keys/wbobeirne.asc | gpg --import
+```
+
+Download the manifest and sig file and verify it:
+
+```sh
+gpg --verify manifest-[version].wbobeirne.sig manifest-[version].txt
+```
+
+Now that we have a verified manifest, we'll verify the contents of the zip file. Download and unzip the zip file, and run `sha256sum -c` against the manifest.
+
+```sh
+cd joule-[version]
+sha256sum -c ../manifest-[version].txt --ignore-missing
+```
+
+You should see a series of files and `OK` next to them if the hashes match.
+
+## Build & verify with docker
+
+You can also build your own release and manifest with `yarn build:docker`, then verify the sha256sums using the `manifest.txt` file in `docker-dist/manifest.txt`
diff --git a/keys/wbobeirne.asc b/keys/wbobeirne.asc
new file mode 100644
index 00000000..201bbb3b
--- /dev/null
+++ b/keys/wbobeirne.asc
@@ -0,0 +1,52 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBGDKfggBEAD0IR5BO+BOhHFRE+OKOrvkXH9qlbXC1id69A0L9XpcCqJtULvQ +tAI7rV/uQQvt/ijGsJuImmq9B6LfWO2ngbz0IFwEcSwBPfbfrFqONRH5xYIsimFa +N81ngeXlZjE5XleuJKtw8WsYrh1H/nyIPTIL7mOTS5jjjBfIXoE/o06Iw0KV2L7v +yY16BfNZGrcEp5ar578O8E6dZRMYMOVd0UMP1ClP/zfszA0pVzJs9FuyxBQlEYFv +VQR0AeSmsywH2guMq2pK6jZI8aOShmoIIYgfPgnX89KvvwZyiW3mexf2+2fqoQOS +TAswXFkAEfsGEtZIgxvvNCrFBUR0BUBNX0xeeRrWfiUG+dveBiZ3HVQP3DLWldQ0 +Iy8yH5CLDvz5rKELeuVt886JuvPXgVQpcQbetc103Fz3sGV9WXlRxF6L5hoaD6jU +4iMxVgARSOWgDQRIw4cLA6Ya9/qGKSu4yQVjjdWiK28knYF9LexJ4MOVE3Q7vlBV +sZGaOdUAO4tzNAOidBbG8EvrLiwxJm5aCeadTV6gYhH5MVUlY8Uiyk+Lew9QO3mx +ZweBt6J+EnZHlOQeXywn0jrzRHfE6WmvWHVEk3LV2D0w0ndKjwjGgZlWzP76o0+M +ALMty6/8//Ux0ThnYwzSufoEn6bbERNBjJtKiFsDn5scfFsI/1X+SfJhUQARAQAB +tCZXaWxsaWFtIE8nQmVpcm5lIDx3Ym9iZWlybmVAZ21haWwuY29tPokCVAQTAQgA +PhYhBNTM8MujyQc4lh4V8tHy40EDR8YtBQJgyn4IAhsDBQkHhh9nBQsJCAcCBhUK +CQgLAgQWAgMBAh4BAheAAAoJENHy40EDR8Yt+vcQAMxsGxUVEuoJsW8wNvufeVK7 +2wbdOpjqQfpkfVSZZDiY4mNECOm3BZVdu1rOuhxK1IwNhqRSXe+pa7rde8wk6DpO +8pYTz+qL21ngTEgtwBNX3JV07V4TjtQJ+GcQ1FEw5fCi2uK46RPSaC1pzOk6Tjyc +P7E5BUvzGl21AcEHStURkUaLFPYN2kSCiZQk66LQQenuYGQuzej1KheVVlhYAqGk +IXhH+4cMbggNZXAJBV4t/yUF4fLkeaGBhKRNyqpkvWBAs/njyTvVsTk9J7bCvvMf +ElZpxZAGBO/Jw3FrsOSsoJehQkv0+OBQNNK+lbmziw67ICXCCV01yAWTMO45wvvN +fabli33Ja0wXz1WAunWWNl1GkGyNiJf0bcT4N3JoF3uxyil0TvgFPrqFW0uR4Ek2 +2GbFKc9yHVCe6U3mXALnKdpDsSzof80JhSDXTPut2qFNRaEQXAF4NUQ9rUMSCGAf +bpqdMrUiRlIzrTkJ8Nk+s/Mro3KTbTwYlvPv0j+G1GVN8yzRvMGzPQdpKikyiT9M +EsxX27u4q62NB0cFuVXHPDwvClQtUhsUJ3UeW7JRwsaEfC5JlsP85x+5B0nfMK5e +NYg1w+BE+sGqfapeKoF5Fzq4KxrZtmrcm8fMVa5SUu9+V41I1yGqJlF+CicXtxX4 +aA6yPKqpWN3im1OBuWSMuQINBGDKfggBEADI3guxFanGOkbdJ5ueeRQQ5mhCCHay +DBvq01FjbLnNpdE0tbGq/xHGXJLTOdeNwpioPf+fK8GAy3DUKFkExJvR1eR3MPOR +rYHEK7PK4IHhq/U6XyI09KsOZ4SwcnIyLQ/VqJGaLA6uu/K7CC73/UWcgGY+teVL +T1l225w7IRnFOWJhPugzioUEW0c/loCJeaHKVdQFqc1vAGBiQ6PlWzQdRJ1PoJ9S +0WJMSIr/Y4cBweHA1bEzKiuQbsAontaqMUwPaWBv96ZrX8epqxtjUFEofxrcbXXV 
+e6Hd7xAVZhzaUtODvEZeMmMOqtHZsvXgNfIti8xwgLBdjeb/JWoxiqy21qeeZuco +HUs8e66Gh04VKuQaOv6kbv7D/Miwv+xtM++gXealQFhbtS5iGdLYZHF+vaUKmMFO +SAdfMuv9LfWIV0yNlWIOD2aatlagBB8gST+/B5b6+tm9BLiAkWvXUc/ThtRvWm1P +78PwPqkNGW0RDr3bFOVm83skc4fxRsAbWIYS029m9h9EkAlNdKqxmMSHcdUN/mTG +OQA77xiLgZFRnFp3wDatsYgkmTwiIcK2FRl+PUrfsoMlmNb2NE54NVpPtfoKk+N/ +lGthXZZTlc4A8e987Y3LlVON8w2oBdtrhpbf/2mDMMx9Ayqk19T2sdsKOBYNgGjl +0LAwSz9htsRHPQARAQABiQI8BBgBCAAmFiEE1Mzwy6PJBziWHhXy0fLjQQNHxi0F +AmDKfggCGwwFCQeGH2cACgkQ0fLjQQNHxi1/bQ//ShBoTDlz7o8HRRTBUks3d0eT +E9hVtGuybnw8zfUjMF8un76d3Etk5R6oJRiLVJKEiYYLVxuJXCujjLgEGH4YxcKC +zTmFi9CavQQAeqWP0pAG73Wq50OopLO9aAJ8XCLUPmMRPnrWXvlOg3aYK0ErIi4r +EBa84RSv57crhdBUS7CmPDMASryRA+MeOcTxVHFdon/wWDHun+qJ+p5Qd8wFCmTU +2L8fDChmuZloZaCQhqai5YdsxrC9ljBo9pGyCJq/XbNt44FkvSsiEtCkOsx2H1Dq +cqlgjWvDw//yoxZzoe8+1QWjYDQSjcYYBqrJBbZmiDHRhkrDeIMJZZAKIHHRdCtw +oDxQxVTdFt6NzmKyQ7qTpDFJ7/JPGmkrlx8xNgW+JZMecoeEDhZDKDvDig+q17bJ +MJhYBzFn7rzBEBbsix9J6csiJn2NTW7isU4OkXi0a+LdxJM/KWIbhy498a2HoOPC +crXR+kxwZ9t7QCfPr2ZzOFixF7y5LwbqDNq+oZFuI7gYe/YtbhT2I6WGetmn4yB0 +9tQnX7n5XfdEFQUBA3xq7PK1/w2GQTzFWcx/0vBw2l29/KW3zOvwsYNW7eWvM/M+ +T7FPp9RdG4qV+OaMXMaWL6XVHIj+hLGnBjxnpGm6eSzUdz37sOzKkPu40SVne+qI +X0bW0MQSJnLwwDDixUg= +=Yo5s +-----END PGP PUBLIC KEY BLOCK-----