Merge pull request #1979 from lukpueh/verify_release-sign

Add option to sign release artifacts with verify_release

Author: Jussi Kukkonen

docs/RELEASE.md

@@ -44,8 +44,11 @@ on GitHub
   *An approval resumes the CD workflow to publish the release on PyPI, and to finalize the
   GitHub release (removes `-rc` suffix and updates release notes).*
 
-8. `verify_release` may be used again to make sure the PyPI release artifacts match the
-   local build as well.
+8. Run `verify_release` to make sure the PyPI release artifacts match the local build as
+   well. When called as `verify_release --sign [<key id>]` the script additionally
+   creates gpg release signatures. When signed by maintainers with a corresponding GPG
+   fingerprint in the MAINTAINERS.md file, these signature files should be made available on
+   the GitHub release page under Assets.
 9. Announce the release on [#tuf on CNCF Slack](https://cloud-native.slack.com/archives/C8NMD3QJ3)
 10. Ensure [POUF 1](https://github.com/theupdateframework/taps/blob/master/POUFs/reference-POUF/pouf1.md),
     for the reference implementation, is up-to-date

verify_release

@@ -122,6 +122,26 @@ def verify_pypi_release(version: str, compare_dir: str) -> bool:
         return sorted(same) == [wheel, tar]
 
 
+def sign_release_artifacts(
+    version: str, build_dir: str, key_id: str = None
+) -> None:
+    """Sign built release artifacts with gpg and write signature files to cwd"""
+    sdist = f"{PYPI_PROJECT}-{version}.tar.gz"
+    wheel = f"{PYPI_PROJECT}-{version}-py3-none-any.whl"
+    cmd = ["gpg", "--detach-sign", "--armor"]
+
+    if key_id is not None:
+        cmd += ["--local-user", key_id]
+
+    for filename in [sdist, wheel]:
+        artifact_path = os.path.join(build_dir, filename)
+        signature_path = f"{filename}.asc"
+        subprocess.run(
+            cmd + ["--output", signature_path, artifact_path], check=True
+        )
+        assert os.path.exists(signature_path)
+
+
 def finished(s: str) -> None:
     # clear line
     sys.stdout.write("\033[K")
@@ -143,6 +163,15 @@ def main() -> int:
         dest="skip_pypi",
         help="Skip PyPI release check.",
     )
+    parser.add_argument(
+        "--sign",
+        nargs="?",
+        const=True,
+        metavar="<key id>",
+        dest="sign",
+        help="Sign release artifacts with 'gpg'. If no <key id> is passed, the default "
+        "signing key is used. Resulting '*.asc' files are written to CWD.",
+    )
     args = parser.parse_args()
 
     success = True
@@ -172,15 +201,27 @@ def main() -> int:
                 # This is expected while build is not reproducible
                 finished("ERROR: PyPI artifacts do not match built release")
                 success = False
+            else:
+                finished("PyPI artifacts match the built release")
 
         progress("Downloading release from GitHub")
         if not verify_github_release(build_version, build_dir):
             # This is expected while build is not reproducible
             finished("ERROR: GitHub artifacts do not match built release")
             success = False
-
-        if success:
-            finished("Github and PyPI artifacts match the built release")
+        else:
+            finished("GitHub artifacts match the built release")
+
+        # NOTE: 'gpg' might prompt for password or ask if it should override files...
+        if args.sign:
+            progress("Signing built release with gpg")
+            if success:
+                key_id = args.sign if args.sign is not True else None
+
+                sign_release_artifacts(build_version, build_dir, key_id)
+                finished("Created signatures in cwd (see '*.asc' files)")
+            else:
+                finished("WARNING: Skipped signing of non-matching artifacts")
 
     return 0 if success else 1