Re-enable PGP signed releases

90673224 · Nadim Kobeissi · e9923bc9 · 90673224 · 90673224
Verified Commit 90673224 authored Jan 08, 2021 by Nadim Kobeissi 💾
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -32,6 +32,9 @@ archives:
      - README.md
    wrap_in_directory: true

+signs:
+  - artifacts: checksum
+
 changelog:
  skip: false
  sort: asc

--- a/assets/email.txt
+++ b/assets/email.txt
@@ -8,11 +8,18 @@ Verifpal 0VERSION0 is now available. Verifpal updates bring new features, perfor
 1RELEASENOTES1

 -------------------------------
-2. Pre-compiled Releases
+2. PGP-Signed Releases
 -------------------------------
-Pre-compiled release builds are provided for Windows, Linux, macOS and FreeBSD in x86, amd64 and arm64 variants, here:
+Official signed, pre-compiled release builds are provided for Windows, Linux, macOS and FreeBSD in x86, amd64 and arm64 variants, here:
 https://source.symbolic.software/verifpal/verifpal/-/releases/v0VERSION0

+Verifpal releases are signed using the following PGP key:
+https://source.symbolic.software/verifpal/verifpal/-/blob/master/assets/pgp.txt
+
+In order to verify the PGP signature of your downloaded Verifpal release binary, please first verify the signature of the checksum file, verifpal_0VERSION0_checksums.txt, against its signature, verifpal_0VERSION0_checksums.txt.sig. Both files are located in the releases directory linked above.
+
+Once the signature of the checksum file is verified, ensure that the SHA256SUM of your downloaded release archive matches the one listed inside the checksum file for your chosen platform.
+
 -------------------------------
 3. Updating Via Package Manager
 -------------------------------