From 0293aca1d732e96b06ac2decb098cc2a6c9a14e5 Mon Sep 17 00:00:00 2001 From: Filippo Valsorda Date: Wed, 31 Dec 2025 16:18:32 +0100 Subject: [PATCH] SIGSUM.md: add release playbook Updates #617 --- README.md | 2 +- SIGSUM.md | 25 ++++++++++++++++++++++--- 2 files changed, 23 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index acfa797..7242a61 100644 --- a/README.md +++ b/README.md @@ -151,7 +151,7 @@ On Windows, Linux, macOS, and FreeBSD you can use the pre-built binaries. ``` https://dl.filippo.io/age/latest?for=linux/amd64 -https://dl.filippo.io/age/v1.3.0?for=darwin/arm64 +https://dl.filippo.io/age/v1.3.1?for=darwin/arm64 ... ``` diff --git a/SIGSUM.md b/SIGSUM.md index d8e984b..c4ce88f 100644 --- a/SIGSUM.md +++ b/SIGSUM.md 
@@ -11,13 +11,32 @@ ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM1WpnEswJLPzvXJDiswowy48U+G+G1kmgwUE2eaRHZG ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAz2WM5CyPLqiNjk7CLl4roDXwKhQ0QExXLebukZEZFS EOF -curl -JLO "https://dl.filippo.io/age/v1.3.0?for=darwin/arm64" -curl -JLO "https://dl.filippo.io/age/v1.3.0?for=darwin/arm64&proof" +curl -JLO "https://dl.filippo.io/age/v1.3.1?for=darwin/arm64" +curl -JLO "https://dl.filippo.io/age/v1.3.1?for=darwin/arm64&proof" go install sigsum.org/sigsum-go/cmd/sigsum-verify@v0.13.1 sigsum-verify -k age-sigsum-key.pub -P sigsum-generic-2025-1 \ - age-v1.3.0-darwin-arm64.tar.gz.proof < age-v1.3.0-darwin-arm64.tar.gz + age-v1.3.1-darwin-arm64.tar.gz.proof < age-v1.3.1-darwin-arm64.tar.gz ``` You can learn more about what's happening above in the [Sigsum docs](https://www.sigsum.org/getting-started/). + +### Release playbook + +Dear future me, to sign a new release and produce Sigsum proofs, run the following + +``` +VERSION=v1.3.1 +go install sigsum.org/sigsum-go/cmd/sigsum-verify@latest +go install github.com/tillitis/tkey-ssh-agent/cmd/tkey-ssh-agent@latest +tkey-ssh-agent --agent-socket tkey-ssh-agent.sock --uss +SSH_AUTH_SOCK=tkey-ssh-agent.sock ssh-add -L > tkey-ssh-agent.pub +passage other/sigsum-ratelimit > sigsum-ratelimit +gh release download $VERSION --dir artifacts/ +SSH_AUTH_SOCK=tkey-ssh-agent.sock sigsum-submit -k tkey-ssh-agent.pub -P sigsum-generic-2025-1 -a sigsum-ratelimit -d filippo.io artifacts/* +gh release upload $VERSION artifacts/*.proof +``` + +In the future, we will move to reproducing the artifacts locally, and signing +those instead of the ones built by GitHub Actions.
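Review bot: the release playbook added to SIGSUM.md runs `sigsum-submit`, but the only Sigsum tool it installs is `sigsum-verify` (`go install sigsum.org/sigsum-go/cmd/sigsum-verify@latest`), so on a clean machine the submit step fails unless that binary already happens to be on PATH. Install `sigsum-submit` in that line instead. If the intent was to check the proofs before publishing, keep the `sigsum-verify` install and add an explicit verify step before `gh release upload $VERSION artifacts/*.proof`. Three smaller points in the same block: the user-facing instructions just above pin `sigsum-verify@v0.13.1`, while the playbook uses `@latest` for both tools that handle the signing key, so pinning versions here as well would keep the signing environment predictable. `passage other/sigsum-ratelimit > sigsum-ratelimit` writes the value from the password store to a plaintext file in the working directory, and nothing removes it (or `tkey-ssh-agent.sock` and `tkey-ssh-agent.pub`) afterwards, so a closing cleanup line would help. And `sigsum-submit ... artifacts/*` will also match any `.proof` files that `gh release download $VERSION --dir artifacts/` fetches when the playbook is re-run for a release that already has proofs attached, so either start from an empty `artifacts/` directory or narrow the glob.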