Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add public keys and document how to verify releases #3436

Merged
merged 2 commits into from Dec 21, 2022
Merged

Add public keys and document how to verify releases #3436

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
1cb8ad1
Add public keys and document how to verify releases
Bibo-Joshi Dec 20, 2022
65633f3
drop to full stops
Bibo-Joshi Dec 20, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
12 changes: 12 additions & 0 deletions README.rst
View file
Open in desktop
Expand Up @@ -114,6 +114,18 @@ You can also install ``python-telegram-bot`` from source, though this is usually
$ cd python-telegram-bot
$ python setup.py install

Verifying Releases
------------------

We sign all the releases with a GPG key.
The signatures are uploaded to both the `GitHub releases page <https://github.com/python-telegram-bot/python-telegram-bot/releases>`_ and the `PyPI project <https://pypi.org/project/python-telegram-bot/>`_ and end with a suffix ``.asc``.
Please find the public keys `here <https://github.com/python-telegram-bot/python-telegram-bot/tree/master/public_keys>`_.
The keys are named in the format ``<first_version>-<last_version>.gpg`` or ``<first_version>-current.gpg`` if the key is currently being used for new releases.

In addition, the GitHub release page also contains the sha1 hashes of the release files in the files with the suffix ``.sha1``.

This allows you to verify that a release file that you downloaded was indeed provided by the ``python-telegram-bot`` team.

Dependencies & Their Versions
-----------------------------

Expand Down
12 changes: 12 additions & 0 deletions README_RAW.rst
View file
Open in desktop
Expand Up @@ -115,6 +115,18 @@ Note

Installing the ``.tar.gz`` archive available on PyPi directly via ``pip`` will *not* work as expected, as ``pip`` does not recognize that it should use ``setup-raw.py`` instead of ``setup.py``.

Verifying Releases
------------------

We sign all the releases with a GPG key.
The signatures are uploaded to both the `GitHub releases page <https://github.com/python-telegram-bot/python-telegram-bot/releases>`_ and the `PyPI project <https://pypi.org/project/python-telegram-bot/>`_ and end with a suffix ``.asc``.
Please find the public keys `here <https://github.com/python-telegram-bot/python-telegram-bot/tree/master/public_keys>`_.
The keys are named in the format ``<first_version>-<last_version>.gpg`` or ``<first_version>-current.gpg`` if the key is currently being used for new releases.

In addition, the GitHub release page also contains the sha1 hashes of the release files in the files with the suffix ``.sha1``.

This allows you to verify that a release file that you downloaded was indeed provided by the ``python-telegram-bot`` team.

Dependencies & Their Versions
-----------------------------

Expand Down
65 changes: 65 additions & 0 deletions public_keys/v12.5-v20.0b0.gpg
View file
Open in desktop
@@ -0,0 +1,65 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBF6AWOIBEAClMRtGdbm2yKAo1GdeybmasMpsCBmGI952/z5VvjSgDlu+ktPJ
QauWkARWrq4Eab2uZEIQrHUw01+9/Ugfu7qHu4safZjc177Tq4Fp0hJDHFRFVdqb
68Rv5mH0xjr7At0eNys2Rx8m7H1dBYQCz4aroUQ0q0TB4qSeKU9FzUzOZZ7/pYri
KFyNdaIjhrBeY/WXbn+7L2/cFJtafJHqkZlyfIgQzpmONfIrtJLnG0nxdBPIxg3m
CYxzrJKCkPPrl8b4TNV0LCO9c4r8zXGiZ6ZOQMAGjgb2Do67AvHTLI3YYd8+iY25
112noIFASabxbW9jBb+nlyMc8nz5kW19JWq6sBfMJYzWaVpI6ofNpiZtKWupIt2V
4GcViZmE/Kh4hBQjrBIAeqLUz6ABidERrhWu6/wP3huNe+R6eMQTfEdYlYeD3LXG
5Upl46/wnodWQeW4llMVBhjkS+5ExtvlVBD9Yz8iQMUsXUSu8+UPRgjy6YIRsvtF
bzGKFXkn4tFWCyQsXJDf8f+lQCtB1XF/DN2IVZF9OjQOvrpRwJk3h3CiQboN5lf7
Mj7I11MusPKzn34vg+3f6loOOQ++GUa+WH2B6Dx6AH3C0BI0V2sh6axu6HYJNo3o
stOXzhhWysPKp9pj41fmaFTcF8bYYlnHoLA17IapttsYo0WuFaBF5UW90QARAQAB
tCpIaW5yaWNoIE1haGxlciA8aGlucmljaC5tYWhsZXJAZnJlZW5ldC5kZT6JAk4E
EwEKADgWIQRlW7T1bNsODkUAz1cung4SfvPygwUCXoBY4gIbAwULCQgHAgYVCgkI
CwIEFgIDAQIeAQIXgAAKCRAung4SfvPyg3fXD/9IMuDgYGl+T98JvN/VHLcrA9rT
idIWr5vDSxjniQaYe8Kc3oTqje1xmRcIR7z3WFKgxErx8yEf3AOUCPqQh53MjS0q
rXNDCoRWqlljpeY2EHZh2xPSvin2pUgOd334BRFeBqyvIfb/IQmwUNDoUp1FxKEq
4veT4XPDnKZlZs/OwRMD1f0v64mtTy60fQzJyM9ICLWzZdCKZULGTKCBLms63l0h
wqznU6RA7qEpKeLEwwZs454maPdDraOebyhBYqf2EbATo1Rf1faqNzjL2T7KtyZg
PB1RDah/tCrsRi2ueFbOakyDms+98Km94lC8cZ0Wp7wlXaBLQHbRgylt49dN5KLP
cgjUxnBDOxM/4iCrwLQ3GxqZksOkwuzkZE3v1BkRy51XPRiaEov+57zhua686BzY
/rQjG6xWEawmodydUPd7qZ8LbO0bGpw+euqVd+FDEmHi4ytB1vyZMQ3Zt7gZjbBm
Wxd0x4TSKz0CQ4XuGxXvVx0ZXv3zbOXE2g06UmxijHbCwNZQazAzOw5EVaZiZPvK
4HzxssBskp49xh+8T8Pgmc085ujstW2+b1XiZcqnVhIkOqEynxKhPghP/5ODtY7/
13dkqbVgAfTZ8JU6Q+jTo5bhaoFohnb8XeEg7O8aLf06WpKvorJ+O8XGKICn1tnD
odL5XTa9xX8WMwiI3bQ9SGlucmljaCBNYWhsZXIgPDIyMzY2NTU3K0JpYm8tSm9z
aGlAdXNlcnMubm9yZXBseS5naXRodWIuY29tPokCTgQTAQoAOBYhBGVbtPVs2w4O
RQDPVy6eDhJ+8/KDBQJjm4maAhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJ
EC6eDhJ+8/KDKTcP/ja9/nVePimncHGvrT70Ek53qBheSTujurDtNE6mfUOxOgr8
7m/fcZo3j/3FUssN81ijoNthS6HuhE0kyc+jbL1q4cv9oOeqgniV0P2GxlCOLwrJ
k3BjLNA04P8qSXfS1eefyRgr+dtNaOw2ARetOZm3yja34EW8II6p7Bd7DTRoGOAQ
cwi0Xz0AGyz9drLS0vDZ3VJfB0xIUToS/I/PBjUsIg0eD9M2bEOznFHK422CQMJV
r4pdHJgMfzX7XmwqMQP31oz8zNljsLWYZqpMR9Lw3B2XKziaZlptXgwC9uulcojG
lZv1OTXFKudjKmuOgzd9tW0nwMX/XnNGC7rzCpJCi5//8LeqbLxFqHoK8fXGs/9k
U7EBd3srEnGZHp3ROCsEGmNERTTIIN/rWS3lywnQCQ5kyk8HjT3WztfyLuAIiU+q
fiGQvvkehFF31ONa6tA5Xsm/0ch8rFx9ON8K72KY0fHLJ4FMz0rIdUa47GDYKDAr
n8q+drVCGBVSOWqHYhSZ5C/NCtRr6TebGCsxmhsVuqcXpJSM8CqG8f2xYeQeRw54
bGSrCGMB5TlcMUKQ9wmQWHDHa+khobvYrGBtZaHMt/exnBYqwPna88rp1pWyhIqw
bBiCzKPYOUvzW+nUL0ogCVTfq5XKMJAQh1d1FPPbSLIb/0LYSHC4FavvrmJ3uQIN
BF6AWOIBEADUaTuRBlOcwBBZAFYHgXNM22+TdU+JcYVbdn96A0NPJy0z91SLHotM
w8fr9Sbd/g+xhG8byeFDpdEwTz+sH3GN3SjaSRV3CYIueWApiAFC4ybIoR46kcri
DQJWaTL8YtofBQs7GTtmZ/IbKaxRC/nKXalBnUh3nPgWCLUcIu8axmloBfHP9zFz
+Vn37JrClM66V2TLeJp5/C3Sw2lR2Dj13G65LkSAOX+naoL//PWSSmnfiDef2DA6
Ucd3vh2BoTVkmZoDeLkIP93MfDM23I7NRq9rQSptcvYmtdxo3f3IU25sfjYBi+3g
HIWzbFq2SBeGAbWBufcFkj+kvoP4LzxJ63hVhpA0ql3WWgi5eKOeuhtnBSNaejhC
Axq8ktdAFUpyLMjA53bMUnD7Xkb09tMwW0OcUFPxVz3LG7TT8aQSwA46u/nBFIDN
4D5R14OdAysLHcVp536NSApfvzc/E5OCIx+0TPihq+8EnSEyHMvNXA0QLeGcSn8a
CoIjRK9p7IpKknGNCBx/H54rHGWi0XdPZPNbGHGFypualEB2uIRELFFkCquO2DTi
rYnrYM2Xf/u1ahp1vLNGgM1F6L9u+mC6gUUMGmyBklsz1jTGkTB4HmiMDLBDhAQM
/5UPJQhAdxuZwdfyveGxWYBJSSMtGbR+yOfT7NuTEhtBj0WG4h6tPwARAQABiQI2
BBgBCgAgFiEEZVu09WzbDg5FAM9XLp4OEn7z8oMFAl6AWOICGwwACgkQLp4OEn7z
8oOZ1g/+NE9vZSoxB9yw8uLRthjUUScES2wpA4VBVgpcA0QNEqtq5xE82xXUMhIb
1td6E00+lESoXGo66xoIFQdWEMyr0Df6kfFSTgh2FL4DA5NSSQgiM9u4O8yayu2x
AmBQzRz42V3AquVSH7gu/WhwPcYROq+gYaQT7D/l6Mg/mRUfMS/zvkFIsTJktp+q
yvcuf8ybqoCetDbOw6Uo12IjfxqT1pj8gUVrN/ePlI3HXDzOS6bCiYCgRjCU/Ujj
zcXOupKjA4mvN6LCslgwREciZgDE5W31Ghnjd3tT4OL9TSixugRFD67jr7ZsXpcl
ZReF+nbEsTZlKMXKVDnvwgvrVD4BolSj9rBpPcyftcZtFeuBPSVUE1c6pd5Vo7HJ
I+QDHQA32/hk8dDdqrdVHCn24+yZUkpkuzvNovVJINqt/4GgIRUZot0e5MupFuj9
D+Nn90ffKvFe1YjmRkJ1hblHG9Lh2I4LQOjF2qGKRL+CmtgA3NbO4BKLuTEAJnJz
PeR4FOX756R40p9Z7e0XhUqF4D/GvRyfxYhxkMKbIGEXbfgPjcNvVCDJxElBBtMz
mu6lniNOz/rViivD28dWHIro3ScaGsB4vAo2Eq+4VWTUtvoPo0OHbfX8PDbpcTuU
3a3DN3/RD8DQe+Pm5clbVCpDHzKThq9TpHFC0Iozh6d7QY+hQac=
=VeuH
-----END PGP PUBLIC KEY BLOCK-----
53 changes: 53 additions & 0 deletions public_keys/v20.0-current.gpg
View file
Open in desktop
@@ -0,0 +1,53 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBGOgNtUBEAC9CnrQYcKeHOVQatup9batI7lOSoXhqnS4v41LmWKt2GgVpiSn
CpWre04UMg+s/oCFto6af97vGxSsGbb2b23mTVHECvUoUBsiM2CMHopvNpMiPG3s
85gIaqQPOyVorET+MgPw96N+Ik/8sevOTb7u6+tUP4wdZcplVXBo5q+3EeK5GDb3
g+WNYbcwZ+x+3jwgphQmryHAXAis4PrdAfuaAXxclN/prJ23245IaAQxWID1Mcxi
ZaT/vZSqDEKbjj3wyzlJBfe5DuAG2IqAqEbWZCYUjjdUrsrGVdjh6Al1CqA+V8px
PYCF+qK6c3M7ilbQSXv9dDjiH1shM7DPrXop657zFandVrmaFVcf7/WLLNSX0KwM
kuYdFXYQXXoptpLsB6edB8Od39l6uETObDDVXiKQdeBypFlkWaqDv2soBY04+o0h
NvQBWT3EPS2zUXGwo7j2pd1Q4j1qC0ceKW64rxF8UqtZXOG2mJrVKeKvbprhq3kF
3+vXHqTgr6ZgjplHkVZmcv31UOBlwGnN+xBi5ooD/brF0rxZ9Pcr0BXdtBhG80V+
q1vxVh9D2K0RFJ7pLaxFdExZoevOwHdtwT411I9VfWdICc3w9KYnH4xSwjoR+Cm2
Jy9aTlft+TkQXfOxWD83QUtu/zE/MYwp2xhHLsJoOTzSLHcRHMOWC4yfrQARAQAB
tG9IaW5yaWNoIE1haGxlciAoS2V5IGZvciBzaWduaW5nIHJlbGVhc2VzIG9mIHB5
dGhvbi10ZWxlZ3JhbS1ib3QpIDwyMjM2NjU1NytCaWJvLUpvc2hpQHVzZXJzLm5v
cmVwbHkuZ2l0aHViLmNvbT6JAk4EEwEKADgWIQRMulGIRwROKJVIvZ+iuYSpBzAi
sgUCY6A21QIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRCiuYSpBzAisgG+
EACXEqRSzuMI/Ca4vs9Q0teaUskjDbmb3tpt/vlPtgtWVBxIwixIrBXXt6VF58pc
4PjnmWd0TQVWHXysVtV1JBdFHJPf7CXD1OXAzDYLS3s0gZJ8Y32oG+94FKVtdcjp
M9XV2ip0DZFd0k8ln0bVultFPR441Q7DVpJFctAvICvccC//TkgD0vMWAV+zKD/9
xctkIa1t0ZQ2xHA+NPDTLEGzs9rADwJTK/OOE528mo8ki37RTM7Ou6kGF9Xb+A5P
iaO2FBDp3b6QyprMvaOF2Xgt18h+wembzsXwVwep3OpjZHYsaImoWn6821HmsS7H
MTjR71aG6BrGZTjFtsWNd9Anu2aYfyZgpZZmeTMC6o81x428YEA9Mr7+yAgFAfd7
BTyShNsyP1LcbMpPoYciFPiL9ieMqfNPOpdluV56Xb4W27/EJ39wx+PQPEs/5A2n
RUfKdtJtqxrGGOWtoLORS0pr+s7JS6WP1dfR/VWeTMiVNG506crAvCkN7VvTlpI0
ASqnRvFeu82cgOiP8toZJ/seRDq5JdRy/dV6EMD442mE6si7RUFJ3ShQsAMdukGw
lCDdUfLATJ/rrMCsoaInIbqWBa49OqEKcpOxyR2qR/91wxS1LDhfkmtumGgIxkjj
utt2XKLSaLNaXIPjX19RMqmFntzMrU2Mk+0HD40dd30bTbkCDQRjoDbVARAA1tN/
R2PhQ++bbLCtqeIjmkx/k5nmLK5P52lOu1zR142XVDC1ByZ8FEMzgnU+n660HN2g
62/p7lrMi1I12RuPZJBvalsRfGVx2DtbX06AEEg8bjABXB48uF1xU35gLOt1nhDp
bEinY0Kx4uBQcXlKme83ceyG2vmZvW0C+2JyLFFjwpUvOwzlzjSMkBFdbDzMBL93
A8gTt36WxcA+IbZlEwYte6w8FE5HcEZgGXsYXCvKEEN2wn3scXg+1R8bXOyQeRCo
KqblMDRO6Qsb/QL3a86so7MBWX4VmW+7714kaQYhMC+DKZq5u7yO//UqnEElHrYw
W8T5KGCYTizXcrM+4giAecdeukdPpeLwOmLhKQ1YfwWkHolsruwjg15vW4QE85dV
LRSTdgH1Is6NCqweOMIozH6uIAYz3b1u1r3C9hlgMqFN1oujI12MjOURLtLUtrN/
LeosSZEUgL3T7a1bmO4ykcVvhWvGrcU0HfR/CX5nXMymhkjGk2x47elottK/O3BP
evinQWPSiF+ABH3605KZQB2cWcr0oH1rLMAIwcYtMdCmGJY9we1fRF2lf/BTcoui
nDqsuuIJJpHg9FIIR167fW1tQH0DYbQBvsDCG6jv5pZ7V4Rl8zJ30Am5h1XZzpIk
/3wPvouskdfsEF1CahpzKF/rdtIB5aaynWO0xHkAEQEAAYkCNgQYAQoAIBYhBEy6
UYhHBE4olUi9n6K5hKkHMCKyBQJjoDbVAhsMAAoJEKK5hKkHMCKypCcP/3pvvpP/
axelSKUgdsmU+mcUK4AHWtPXZxJcLoIGhMEOiNOdeX64XhHYGO0gKDvPn1Bv/ygI
ef49+NGAXWZmaSOqXSKfSWaWwQqlGLuqL76Hes5EqTbAlo4qEEbZoWx/x52zbXz6
1fbcH+rU+3dYVFIzvq2UG2t3L6v+PQXoZL20CWxIAWLGjVmnUPV/7/XJJATg2x1J
IEb7iG9h8XLvC4/+whRWG5J48kPRRPE3vy1kgeUtvHCIsvujoFCosAxRhLR62+5x
F4rREUyY2WKAsuymVCJPEKE/g3LoTtn+f78ucECm6MJNhJpZqdjlqib0mGhjWGeR
XPNHL3iEL4wFlU/DRt25GE7YKTHoPFcjet4wWOUdj9OHdV2DHgsgETEAVxaFwH7W
hnPBtyc9TDLsTtJ1NphxofSiehsesNrfX5sneQVBpUclb5HS8vYqJxLC0KLOulNU
emDwYaQdM4chy1QfKHJhj9uSbqRcoUcms59mLINUlTmdwez2Vbmnh8sLYfuz2S0L
7OANYTUOOmwlw9cQJjF2hgtgvn7lRK/zD38nVesHSBU4dmlYISV5/jnByhIDaIdo
Afq07AF3OUKAI2FfAquDjV2P66GS1K2cWEQAAd3wgze3Qlt7xvifGTxHEXXesfP3
toI3+U6jDIfsuoL4ynzcPdz0IsFwu+yX6bxw
=gtS+
-----END PGP PUBLIC KEY BLOCK-----