build: minor style/wording fixes in verify_release

lukpueh · joshuagl · Lukas Puehringer · commit a3d5a37e4323 · 2022-04-27T13:09:48.000+02:00
Co-authored-by: Joshua Lock &lt;jlock@vmware.com&gt;
Signed-off-by: Lukas Puehringer &lt;lukas.puehringer@nyu.edu&gt;
diff --git a/docs/RELEASE.md b/docs/RELEASE.md
@@ -45,8 +45,9 @@ on GitHub
 
 8. Run `verify_release` to make sure the PyPI release artifacts match the local build as
    well. When called as `verify_release --sign [<key id>]` the script additionally
-   creates gpg release signatures. These signature files should be made available on the
-   GitHub release page under Assets.
+   creates gpg release signatures. When signed by maintainers with a corresponding GPG
+   fingerprint in the MAINTAINERS.md file, these signature files should be made available on
+   the GitHub release page under Assets.
 9. Announce the release on [#tuf on CNCF Slack](https://cloud-native.slack.com/archives/C8NMD3QJ3)
 10. Ensure [POUF 1](https://github.com/theupdateframework/taps/blob/master/POUFs/reference-POUF/pouf1.md),
     for the reference implementation, is up-to-date
diff --git a/verify_release b/verify_release
@@ -126,14 +126,14 @@ def sign_release_artifacts(
     version: str, build_dir: str, key_id: str = None
 ) -> None:
     """Sign built release artifacts with gpg and write signature files to cwd"""
-    tar = f"{PYPI_PROJECT}-{version}.tar.gz"
+    sdist = f"{PYPI_PROJECT}-{version}.tar.gz"
     wheel = f"{PYPI_PROJECT}-{version}-py3-none-any.whl"
     cmd = ["gpg", "--detach-sign", "--armor"]
 
     if key_id is not None:
         cmd += ["--local-user", key_id]
 
-    for filename in [tar, wheel]:
+    for filename in [sdist, wheel]:
         artifact_path = os.path.join(build_dir, filename)
         signature_path = f"{filename}.asc"
         subprocess.run(
@@ -216,14 +216,12 @@ def main() -> int:
         if args.sign:
             progress("Signing built release with gpg")
             if success:
-                key_id = None
-                if args.sign is not True:
-                    key_id = args.sign
+                key_id = args.sign if args.sign is not True else None
 
                 sign_release_artifacts(build_version, build_dir, key_id)
                 finished("Created signatures in cwd (see '*.asc' files)")
             else:
-                finished("WARNING: Skip signing of non-matching artifacts")
+                finished("WARNING: Skipped signing of non-matching artifacts")
 
     return 0 if success else 1
 
