SIGSUM.md: add release playbook

Updates #617
doc: regenerate groff and html man pages
2026-01-11 14:10:12 +00:00 · 2025-12-31 16:19:37 +01:00 · 2025-12-31 11:05:09 +00:00 · 2025-12-31 12:03:49 +01:00
5 changed files with 26 additions and 7 deletions
--- a/README.md
+++ b/README.md
@@ -151,7 +151,7 @@ On Windows, Linux, macOS, and FreeBSD you can use the pre-built binaries.

 ```
 https://dl.filippo.io/age/latest?for=linux/amd64
-https://dl.filippo.io/age/v1.3.0?for=darwin/arm64
+https://dl.filippo.io/age/v1.3.1?for=darwin/arm64
 ...
 ```

--- a/SIGSUM.md
+++ b/SIGSUM.md
@@ -11,13 +11,32 @@ ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM1WpnEswJLPzvXJDiswowy48U+G+G1kmgwUE2eaRHZG
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAz2WM5CyPLqiNjk7CLl4roDXwKhQ0QExXLebukZEZFS
 EOF

-curl -JLO "https://dl.filippo.io/age/v1.3.0?for=darwin/arm64"
-curl -JLO "https://dl.filippo.io/age/v1.3.0?for=darwin/arm64&proof"
+curl -JLO "https://dl.filippo.io/age/v1.3.1?for=darwin/arm64"
+curl -JLO "https://dl.filippo.io/age/v1.3.1?for=darwin/arm64&proof"

 go install sigsum.org/sigsum-go/cmd/sigsum-verify@v0.13.1
 sigsum-verify -k age-sigsum-key.pub -P sigsum-generic-2025-1 \
-    age-v1.3.0-darwin-arm64.tar.gz.proof < age-v1.3.0-darwin-arm64.tar.gz
+    age-v1.3.1-darwin-arm64.tar.gz.proof < age-v1.3.1-darwin-arm64.tar.gz
 ```

 You can learn more about what's happening above in the [Sigsum
 docs](https://www.sigsum.org/getting-started/).
+
+### Release playbook
+
+Dear future me, to sign a new release and produce Sigsum proofs, run the following
+
+```
+VERSION=v1.3.1
+go install sigsum.org/sigsum-go/cmd/sigsum-verify@latest
+go install github.com/tillitis/tkey-ssh-agent/cmd/tkey-ssh-agent@latest
+tkey-ssh-agent --agent-socket tkey-ssh-agent.sock --uss
+SSH_AUTH_SOCK=tkey-ssh-agent.sock ssh-add -L > tkey-ssh-agent.pub
+passage other/sigsum-ratelimit > sigsum-ratelimit
+gh release download $VERSION --dir artifacts/
+SSH_AUTH_SOCK=tkey-ssh-agent.sock sigsum-submit -k tkey-ssh-agent.pub -P sigsum-generic-2025-1 -a sigsum-ratelimit -d filippo.io artifacts/*
+gh release upload $VERSION artifacts/*.proof
+```
+
+In the future, we will move to reproducing the artifacts locally, and signing
+those instead of the ones built by GitHub Actions.
--- a/doc/age-keygen.1
+++ b/doc/age-keygen.1
@@ -53,7 +53,7 @@ AGE\-SECRET\-KEY\-1N9JEPW6DWJ0ZQUDX63F5A03GX8QUW7PXDE39N8UYF82VZ9PC8UFS3M7XA9
 Write a new post\-quantum identity to \fBkey\.txt\fR:
 .IP "" 4
 .nf
-$ age\-keygen \-o key\.txt
+$ age\-keygen \-pq \-o key\.txt
 Public key: age1pq1cd[\|\.\|\.\|\. 1950 more characters \|\.\|\.\|\.]
 .fi
 .IP "" 0
--- a/doc/age-keygen.1.html
+++ b/doc/age-keygen.1.html
@@ -130,7 +130,7 @@ AGE-SECRET-KEY-1N9JEPW6DWJ0ZQUDX63F5A03GX8QUW7PXDE39N8UYF82VZ9PC8UFS3M7XA9

 <p>Write a new post-quantum identity to <code>key.txt</code>:</p>

-<pre><code>$ age-keygen -o key.txt
+<pre><code>$ age-keygen -pq -o key.txt
 Public key: age1pq1cd[... 1950 more characters ...]
 </code></pre>

--- a/doc/age-keygen.1.ronn
+++ b/doc/age-keygen.1.ronn
@@ -52,7 +52,7 @@ Generate a new traditional identity:

 Write a new post-quantum identity to `key.txt`:

-    $ age-keygen -o key.txt
+    $ age-keygen -pq -o key.txt
    Public key: age1pq1cd[... 1950 more characters ...]

 Convert an identity to a recipient:
Author	SHA1	Message	Date
Filippo Valsorda	0293aca1d7	SIGSUM.md: add release playbook Updates #617	2025-12-31 16:19:37 +01:00
GitHub Actions	e7601d8a67	doc: regenerate groff and html man pages	2025-12-31 11:05:09 +00:00
brettwhiteinc	acfa73142b	doc: fix post-quantum example in age-keygen manpage (#675 )	2025-12-31 12:03:49 +01:00