From 1cb8ad1c494476d55243b43f0dc952535c67f71b Mon Sep 17 00:00:00 2001 From: Hinrich Mahler <22366557+Bibo-Joshi@users.noreply.github.com> Date: Tue, 20 Dec 2022 18:08:38 +0100 Subject: [PATCH 1/2] Add public keys and document how to verify releases --- README.rst | 12 +++++++ README_RAW.rst | 12 +++++++ public_keys/v12.5-v20.0b0.gpg | 65 +++++++++++++++++++++++++++++++++++ public_keys/v20.0-current.gpg | 53 ++++++++++++++++++++++++++++ 4 files changed, 142 insertions(+) create mode 100644 public_keys/v12.5-v20.0b0.gpg create mode 100644 public_keys/v20.0-current.gpg diff --git a/README.rst b/README.rst index 542c80ae450..e00eda0a025 100644 --- a/README.rst +++ b/README.rst @@ -114,6 +114,18 @@ You can also install ``python-telegram-bot`` from source, though this is usually $ cd python-telegram-bot $ python setup.py install +Verifying Releases +------------------ + +We sign all the releases with a GPG key. +The signatures are uploaded to both the `GitHub releases page `_ and the `PyPI project `_ and end with a suffix ``.asc``. +Please find the public keys `here `_. +The keys are named in the format ``-.gpg`` or ``-current.gpg``. if the key is currently being used for new releases. + +In addition, the GitHub release page also contains the sha1 hashes of the release files in the files with the suffix ``.sha1``. + +This allows you to verify that a release file that you downloaded was indeed provided by the ``python-telegram-bot`` team. + Dependencies & Their Versions ----------------------------- diff --git a/README_RAW.rst b/README_RAW.rst index e71a2095a9c..ec81ec93c70 100644 --- a/README_RAW.rst +++ b/README_RAW.rst @@ -115,6 +115,18 @@ Note Installing the ``.tar.gz`` archive available on PyPi directly via ``pip`` will *not* work as expected, as ``pip`` does not recognize that it should use ``setup-raw.py`` instead of ``setup.py``. +Verifying Releases +------------------ + +We sign all the releases with a GPG key. +The signatures are uploaded to both the `GitHub releases page `_ and the `PyPI project `_ and end with a suffix ``.asc``. +Please find the public keys `here `_. +The keys are named in the format ``-.gpg`` or ``-current.gpg``. if the key is currently being used for new releases. + +In addition, the GitHub release page also contains the sha1 hashes of the release files in the files with the suffix ``.sha1``. + +This allows you to verify that a release file that you downloaded was indeed provided by the ``python-telegram-bot`` team. + Dependencies & Their Versions ----------------------------- diff --git a/public_keys/v12.5-v20.0b0.gpg b/public_keys/v12.5-v20.0b0.gpg new file mode 100644 index 00000000000..d3e38fbeeb2 --- /dev/null +++ b/public_keys/v12.5-v20.0b0.gpg @@ -0,0 +1,65 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBF6AWOIBEAClMRtGdbm2yKAo1GdeybmasMpsCBmGI952/z5VvjSgDlu+ktPJ +QauWkARWrq4Eab2uZEIQrHUw01+9/Ugfu7qHu4safZjc177Tq4Fp0hJDHFRFVdqb +68Rv5mH0xjr7At0eNys2Rx8m7H1dBYQCz4aroUQ0q0TB4qSeKU9FzUzOZZ7/pYri +KFyNdaIjhrBeY/WXbn+7L2/cFJtafJHqkZlyfIgQzpmONfIrtJLnG0nxdBPIxg3m +CYxzrJKCkPPrl8b4TNV0LCO9c4r8zXGiZ6ZOQMAGjgb2Do67AvHTLI3YYd8+iY25 +112noIFASabxbW9jBb+nlyMc8nz5kW19JWq6sBfMJYzWaVpI6ofNpiZtKWupIt2V +4GcViZmE/Kh4hBQjrBIAeqLUz6ABidERrhWu6/wP3huNe+R6eMQTfEdYlYeD3LXG +5Upl46/wnodWQeW4llMVBhjkS+5ExtvlVBD9Yz8iQMUsXUSu8+UPRgjy6YIRsvtF +bzGKFXkn4tFWCyQsXJDf8f+lQCtB1XF/DN2IVZF9OjQOvrpRwJk3h3CiQboN5lf7 +Mj7I11MusPKzn34vg+3f6loOOQ++GUa+WH2B6Dx6AH3C0BI0V2sh6axu6HYJNo3o +stOXzhhWysPKp9pj41fmaFTcF8bYYlnHoLA17IapttsYo0WuFaBF5UW90QARAQAB +tCpIaW5yaWNoIE1haGxlciA8aGlucmljaC5tYWhsZXJAZnJlZW5ldC5kZT6JAk4E +EwEKADgWIQRlW7T1bNsODkUAz1cung4SfvPygwUCXoBY4gIbAwULCQgHAgYVCgkI +CwIEFgIDAQIeAQIXgAAKCRAung4SfvPyg3fXD/9IMuDgYGl+T98JvN/VHLcrA9rT +idIWr5vDSxjniQaYe8Kc3oTqje1xmRcIR7z3WFKgxErx8yEf3AOUCPqQh53MjS0q +rXNDCoRWqlljpeY2EHZh2xPSvin2pUgOd334BRFeBqyvIfb/IQmwUNDoUp1FxKEq +4veT4XPDnKZlZs/OwRMD1f0v64mtTy60fQzJyM9ICLWzZdCKZULGTKCBLms63l0h +wqznU6RA7qEpKeLEwwZs454maPdDraOebyhBYqf2EbATo1Rf1faqNzjL2T7KtyZg +PB1RDah/tCrsRi2ueFbOakyDms+98Km94lC8cZ0Wp7wlXaBLQHbRgylt49dN5KLP +cgjUxnBDOxM/4iCrwLQ3GxqZksOkwuzkZE3v1BkRy51XPRiaEov+57zhua686BzY +/rQjG6xWEawmodydUPd7qZ8LbO0bGpw+euqVd+FDEmHi4ytB1vyZMQ3Zt7gZjbBm +Wxd0x4TSKz0CQ4XuGxXvVx0ZXv3zbOXE2g06UmxijHbCwNZQazAzOw5EVaZiZPvK +4HzxssBskp49xh+8T8Pgmc085ujstW2+b1XiZcqnVhIkOqEynxKhPghP/5ODtY7/ +13dkqbVgAfTZ8JU6Q+jTo5bhaoFohnb8XeEg7O8aLf06WpKvorJ+O8XGKICn1tnD +odL5XTa9xX8WMwiI3bQ9SGlucmljaCBNYWhsZXIgPDIyMzY2NTU3K0JpYm8tSm9z +aGlAdXNlcnMubm9yZXBseS5naXRodWIuY29tPokCTgQTAQoAOBYhBGVbtPVs2w4O +RQDPVy6eDhJ+8/KDBQJjm4maAhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJ +EC6eDhJ+8/KDKTcP/ja9/nVePimncHGvrT70Ek53qBheSTujurDtNE6mfUOxOgr8 +7m/fcZo3j/3FUssN81ijoNthS6HuhE0kyc+jbL1q4cv9oOeqgniV0P2GxlCOLwrJ +k3BjLNA04P8qSXfS1eefyRgr+dtNaOw2ARetOZm3yja34EW8II6p7Bd7DTRoGOAQ +cwi0Xz0AGyz9drLS0vDZ3VJfB0xIUToS/I/PBjUsIg0eD9M2bEOznFHK422CQMJV +r4pdHJgMfzX7XmwqMQP31oz8zNljsLWYZqpMR9Lw3B2XKziaZlptXgwC9uulcojG +lZv1OTXFKudjKmuOgzd9tW0nwMX/XnNGC7rzCpJCi5//8LeqbLxFqHoK8fXGs/9k +U7EBd3srEnGZHp3ROCsEGmNERTTIIN/rWS3lywnQCQ5kyk8HjT3WztfyLuAIiU+q +fiGQvvkehFF31ONa6tA5Xsm/0ch8rFx9ON8K72KY0fHLJ4FMz0rIdUa47GDYKDAr +n8q+drVCGBVSOWqHYhSZ5C/NCtRr6TebGCsxmhsVuqcXpJSM8CqG8f2xYeQeRw54 +bGSrCGMB5TlcMUKQ9wmQWHDHa+khobvYrGBtZaHMt/exnBYqwPna88rp1pWyhIqw +bBiCzKPYOUvzW+nUL0ogCVTfq5XKMJAQh1d1FPPbSLIb/0LYSHC4FavvrmJ3uQIN +BF6AWOIBEADUaTuRBlOcwBBZAFYHgXNM22+TdU+JcYVbdn96A0NPJy0z91SLHotM +w8fr9Sbd/g+xhG8byeFDpdEwTz+sH3GN3SjaSRV3CYIueWApiAFC4ybIoR46kcri +DQJWaTL8YtofBQs7GTtmZ/IbKaxRC/nKXalBnUh3nPgWCLUcIu8axmloBfHP9zFz ++Vn37JrClM66V2TLeJp5/C3Sw2lR2Dj13G65LkSAOX+naoL//PWSSmnfiDef2DA6 +Ucd3vh2BoTVkmZoDeLkIP93MfDM23I7NRq9rQSptcvYmtdxo3f3IU25sfjYBi+3g +HIWzbFq2SBeGAbWBufcFkj+kvoP4LzxJ63hVhpA0ql3WWgi5eKOeuhtnBSNaejhC +Axq8ktdAFUpyLMjA53bMUnD7Xkb09tMwW0OcUFPxVz3LG7TT8aQSwA46u/nBFIDN +4D5R14OdAysLHcVp536NSApfvzc/E5OCIx+0TPihq+8EnSEyHMvNXA0QLeGcSn8a +CoIjRK9p7IpKknGNCBx/H54rHGWi0XdPZPNbGHGFypualEB2uIRELFFkCquO2DTi +rYnrYM2Xf/u1ahp1vLNGgM1F6L9u+mC6gUUMGmyBklsz1jTGkTB4HmiMDLBDhAQM +/5UPJQhAdxuZwdfyveGxWYBJSSMtGbR+yOfT7NuTEhtBj0WG4h6tPwARAQABiQI2 +BBgBCgAgFiEEZVu09WzbDg5FAM9XLp4OEn7z8oMFAl6AWOICGwwACgkQLp4OEn7z +8oOZ1g/+NE9vZSoxB9yw8uLRthjUUScES2wpA4VBVgpcA0QNEqtq5xE82xXUMhIb +1td6E00+lESoXGo66xoIFQdWEMyr0Df6kfFSTgh2FL4DA5NSSQgiM9u4O8yayu2x +AmBQzRz42V3AquVSH7gu/WhwPcYROq+gYaQT7D/l6Mg/mRUfMS/zvkFIsTJktp+q +yvcuf8ybqoCetDbOw6Uo12IjfxqT1pj8gUVrN/ePlI3HXDzOS6bCiYCgRjCU/Ujj +zcXOupKjA4mvN6LCslgwREciZgDE5W31Ghnjd3tT4OL9TSixugRFD67jr7ZsXpcl +ZReF+nbEsTZlKMXKVDnvwgvrVD4BolSj9rBpPcyftcZtFeuBPSVUE1c6pd5Vo7HJ +I+QDHQA32/hk8dDdqrdVHCn24+yZUkpkuzvNovVJINqt/4GgIRUZot0e5MupFuj9 +D+Nn90ffKvFe1YjmRkJ1hblHG9Lh2I4LQOjF2qGKRL+CmtgA3NbO4BKLuTEAJnJz +PeR4FOX756R40p9Z7e0XhUqF4D/GvRyfxYhxkMKbIGEXbfgPjcNvVCDJxElBBtMz +mu6lniNOz/rViivD28dWHIro3ScaGsB4vAo2Eq+4VWTUtvoPo0OHbfX8PDbpcTuU +3a3DN3/RD8DQe+Pm5clbVCpDHzKThq9TpHFC0Iozh6d7QY+hQac= +=VeuH +-----END PGP PUBLIC KEY BLOCK----- diff --git a/public_keys/v20.0-current.gpg b/public_keys/v20.0-current.gpg new file mode 100644 index 00000000000..7e61705189e --- /dev/null +++ b/public_keys/v20.0-current.gpg @@ -0,0 +1,53 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBGOgNtUBEAC9CnrQYcKeHOVQatup9batI7lOSoXhqnS4v41LmWKt2GgVpiSn +CpWre04UMg+s/oCFto6af97vGxSsGbb2b23mTVHECvUoUBsiM2CMHopvNpMiPG3s +85gIaqQPOyVorET+MgPw96N+Ik/8sevOTb7u6+tUP4wdZcplVXBo5q+3EeK5GDb3 +g+WNYbcwZ+x+3jwgphQmryHAXAis4PrdAfuaAXxclN/prJ23245IaAQxWID1Mcxi +ZaT/vZSqDEKbjj3wyzlJBfe5DuAG2IqAqEbWZCYUjjdUrsrGVdjh6Al1CqA+V8px +PYCF+qK6c3M7ilbQSXv9dDjiH1shM7DPrXop657zFandVrmaFVcf7/WLLNSX0KwM +kuYdFXYQXXoptpLsB6edB8Od39l6uETObDDVXiKQdeBypFlkWaqDv2soBY04+o0h +NvQBWT3EPS2zUXGwo7j2pd1Q4j1qC0ceKW64rxF8UqtZXOG2mJrVKeKvbprhq3kF +3+vXHqTgr6ZgjplHkVZmcv31UOBlwGnN+xBi5ooD/brF0rxZ9Pcr0BXdtBhG80V+ +q1vxVh9D2K0RFJ7pLaxFdExZoevOwHdtwT411I9VfWdICc3w9KYnH4xSwjoR+Cm2 +Jy9aTlft+TkQXfOxWD83QUtu/zE/MYwp2xhHLsJoOTzSLHcRHMOWC4yfrQARAQAB +tG9IaW5yaWNoIE1haGxlciAoS2V5IGZvciBzaWduaW5nIHJlbGVhc2VzIG9mIHB5 +dGhvbi10ZWxlZ3JhbS1ib3QpIDwyMjM2NjU1NytCaWJvLUpvc2hpQHVzZXJzLm5v +cmVwbHkuZ2l0aHViLmNvbT6JAk4EEwEKADgWIQRMulGIRwROKJVIvZ+iuYSpBzAi +sgUCY6A21QIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRCiuYSpBzAisgG+ +EACXEqRSzuMI/Ca4vs9Q0teaUskjDbmb3tpt/vlPtgtWVBxIwixIrBXXt6VF58pc +4PjnmWd0TQVWHXysVtV1JBdFHJPf7CXD1OXAzDYLS3s0gZJ8Y32oG+94FKVtdcjp +M9XV2ip0DZFd0k8ln0bVultFPR441Q7DVpJFctAvICvccC//TkgD0vMWAV+zKD/9 +xctkIa1t0ZQ2xHA+NPDTLEGzs9rADwJTK/OOE528mo8ki37RTM7Ou6kGF9Xb+A5P +iaO2FBDp3b6QyprMvaOF2Xgt18h+wembzsXwVwep3OpjZHYsaImoWn6821HmsS7H +MTjR71aG6BrGZTjFtsWNd9Anu2aYfyZgpZZmeTMC6o81x428YEA9Mr7+yAgFAfd7 +BTyShNsyP1LcbMpPoYciFPiL9ieMqfNPOpdluV56Xb4W27/EJ39wx+PQPEs/5A2n +RUfKdtJtqxrGGOWtoLORS0pr+s7JS6WP1dfR/VWeTMiVNG506crAvCkN7VvTlpI0 +ASqnRvFeu82cgOiP8toZJ/seRDq5JdRy/dV6EMD442mE6si7RUFJ3ShQsAMdukGw +lCDdUfLATJ/rrMCsoaInIbqWBa49OqEKcpOxyR2qR/91wxS1LDhfkmtumGgIxkjj +utt2XKLSaLNaXIPjX19RMqmFntzMrU2Mk+0HD40dd30bTbkCDQRjoDbVARAA1tN/ +R2PhQ++bbLCtqeIjmkx/k5nmLK5P52lOu1zR142XVDC1ByZ8FEMzgnU+n660HN2g +62/p7lrMi1I12RuPZJBvalsRfGVx2DtbX06AEEg8bjABXB48uF1xU35gLOt1nhDp +bEinY0Kx4uBQcXlKme83ceyG2vmZvW0C+2JyLFFjwpUvOwzlzjSMkBFdbDzMBL93 +A8gTt36WxcA+IbZlEwYte6w8FE5HcEZgGXsYXCvKEEN2wn3scXg+1R8bXOyQeRCo +KqblMDRO6Qsb/QL3a86so7MBWX4VmW+7714kaQYhMC+DKZq5u7yO//UqnEElHrYw +W8T5KGCYTizXcrM+4giAecdeukdPpeLwOmLhKQ1YfwWkHolsruwjg15vW4QE85dV +LRSTdgH1Is6NCqweOMIozH6uIAYz3b1u1r3C9hlgMqFN1oujI12MjOURLtLUtrN/ +LeosSZEUgL3T7a1bmO4ykcVvhWvGrcU0HfR/CX5nXMymhkjGk2x47elottK/O3BP +evinQWPSiF+ABH3605KZQB2cWcr0oH1rLMAIwcYtMdCmGJY9we1fRF2lf/BTcoui +nDqsuuIJJpHg9FIIR167fW1tQH0DYbQBvsDCG6jv5pZ7V4Rl8zJ30Am5h1XZzpIk +/3wPvouskdfsEF1CahpzKF/rdtIB5aaynWO0xHkAEQEAAYkCNgQYAQoAIBYhBEy6 +UYhHBE4olUi9n6K5hKkHMCKyBQJjoDbVAhsMAAoJEKK5hKkHMCKypCcP/3pvvpP/ +axelSKUgdsmU+mcUK4AHWtPXZxJcLoIGhMEOiNOdeX64XhHYGO0gKDvPn1Bv/ygI +ef49+NGAXWZmaSOqXSKfSWaWwQqlGLuqL76Hes5EqTbAlo4qEEbZoWx/x52zbXz6 +1fbcH+rU+3dYVFIzvq2UG2t3L6v+PQXoZL20CWxIAWLGjVmnUPV/7/XJJATg2x1J +IEb7iG9h8XLvC4/+whRWG5J48kPRRPE3vy1kgeUtvHCIsvujoFCosAxRhLR62+5x +F4rREUyY2WKAsuymVCJPEKE/g3LoTtn+f78ucECm6MJNhJpZqdjlqib0mGhjWGeR +XPNHL3iEL4wFlU/DRt25GE7YKTHoPFcjet4wWOUdj9OHdV2DHgsgETEAVxaFwH7W +hnPBtyc9TDLsTtJ1NphxofSiehsesNrfX5sneQVBpUclb5HS8vYqJxLC0KLOulNU +emDwYaQdM4chy1QfKHJhj9uSbqRcoUcms59mLINUlTmdwez2Vbmnh8sLYfuz2S0L +7OANYTUOOmwlw9cQJjF2hgtgvn7lRK/zD38nVesHSBU4dmlYISV5/jnByhIDaIdo +Afq07AF3OUKAI2FfAquDjV2P66GS1K2cWEQAAd3wgze3Qlt7xvifGTxHEXXesfP3 +toI3+U6jDIfsuoL4ynzcPdz0IsFwu+yX6bxw +=gtS+ +-----END PGP PUBLIC KEY BLOCK----- From 65633f3b31ad142efc7ba457479f09016b48c86a Mon Sep 17 00:00:00 2001 From: Hinrich Mahler <22366557+Bibo-Joshi@users.noreply.github.com> Date: Tue, 20 Dec 2022 18:12:24 +0100 Subject: [PATCH 2/2] drop to full stops --- README.rst | 2 +- README_RAW.rst | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.rst b/README.rst index e00eda0a025..5229da62f08 100644 --- a/README.rst +++ b/README.rst @@ -120,7 +120,7 @@ Verifying Releases We sign all the releases with a GPG key. The signatures are uploaded to both the `GitHub releases page `_ and the `PyPI project `_ and end with a suffix ``.asc``. Please find the public keys `here `_. -The keys are named in the format ``-.gpg`` or ``-current.gpg``. if the key is currently being used for new releases. +The keys are named in the format ``-.gpg`` or ``-current.gpg`` if the key is currently being used for new releases. In addition, the GitHub release page also contains the sha1 hashes of the release files in the files with the suffix ``.sha1``. diff --git a/README_RAW.rst b/README_RAW.rst index ec81ec93c70..47dd8c7fe8d 100644 --- a/README_RAW.rst +++ b/README_RAW.rst @@ -121,7 +121,7 @@ Verifying Releases We sign all the releases with a GPG key. The signatures are uploaded to both the `GitHub releases page `_ and the `PyPI project `_ and end with a suffix ``.asc``. Please find the public keys `here `_. -The keys are named in the format ``-.gpg`` or ``-current.gpg``. if the key is currently being used for new releases. +The keys are named in the format ``-.gpg`` or ``-current.gpg`` if the key is currently being used for new releases. In addition, the GitHub release page also contains the sha1 hashes of the release files in the files with the suffix ``.sha1``.