From 6e43bcb532bbb5e64f071b9ab4394d40bf44383a Mon Sep 17 00:00:00 2001 From: Hinrich Mahler <22366557+Bibo-Joshi@users.noreply.github.com> Date: Tue, 9 Jul 2024 11:29:41 +0200 Subject: [PATCH 01/17] Update readme section on verification --- README.rst | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/README.rst b/README.rst index d58e814c391..cb04cd9db37 100644 --- a/README.rst +++ b/README.rst @@ -104,15 +104,19 @@ You can also install ``python-telegram-bot`` from source, though this is usually Verifying Releases ------------------ -We sign all the releases with a GPG key. -The signatures are uploaded to both the `GitHub releases page `_ and the `PyPI project `_ and end with a suffix ``.asc``. +To enable you to verify that a release file that you downloaded was indeed provided by the ``python-telegram-bot`` team, we have taken the following measures. + +Starting with NEXT.VERSION, all releases are signed via `sigstore `_. +The corresponding signature files are uploaded to both the `GitHub releases page`_. +To verify the signature, please install the `sigstore Python client `_ and follow the instructions for `verifying signatures from GitHub Actions `_. + +Earlier releases are signed with a GPG key. +The signatures are uploaded to both the `GitHub releases page`_ and the `PyPI project `_ and end with a suffix ``.asc``. Please find the public keys `here `_. -The keys are named in the format ``-.gpg`` or ``-current.gpg`` if the key is currently being used for new releases. +The keys are named in the format ``-.gpg``. In addition, the GitHub release page also contains the sha1 hashes of the release files in the files with the suffix ``.sha1``. -This allows you to verify that a release file that you downloaded was indeed provided by the ``python-telegram-bot`` team. - Dependencies & Their Versions ----------------------------- 
@@ -209,3 +213,5 @@ License You may copy, distribute and modify the software provided that modifications are described and licensed for free under `LGPL-3 `_. Derivatives works (including modifications or anything statically linked to the library) can only be redistributed under LGPL-3, but applications that use the library don't have to be. + +.. _`GitHub releases page`: https://github.com/python-telegram-bot/python-telegram-bot/releases> \ No newline at end of file From fb2def29aa51c170ba33b5e1247feeb7b6df2c15 Mon Sep 17 00:00:00 2001 From: Hinrich Mahler <22366557+Bibo-Joshi@users.noreply.github.com> Date: Tue, 9 Jul 2024 12:35:55 +0200 Subject: [PATCH 02/17] Add a workflow for publishing to (Test) Pypi --- .github/workflows/release_pypi.yml | 193 +++++++++++++++++++++++++++++ 1 file changed, 193 insertions(+) create mode 100644 .github/workflows/release_pypi.yml diff --git a/.github/workflows/release_pypi.yml b/.github/workflows/release_pypi.yml new file mode 100644 index 00000000000..7b062a855cc --- /dev/null +++ b/.github/workflows/release_pypi.yml 
@@ -0,0 +1,193 @@ +name: Publish to PyPI + +on: + # Run on any tag + push: + tags: + - '**' + # manually trigger the workflow - for testing only + workflow_dispatch: + +jobs: + build: + name: Build Distribution + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v4 + - name: Set up Python + uses: actions/setup-python@v5 + with: + python-version: "3.x" + - name: Install pypa/build + run: >- + python3 -m pip install build --user + - name: Build a binary wheel and a source tarball + run: python3 -m build + - name: Store the distribution packages + uses: actions/upload-artifact@v3 + with: + name: python-package-distributions + path: dist/ + + publish-to-pypi: + name: Publish to PyPI + # only publish to PyPI on tag pushes + if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags') + needs: + - build + runs-on: ubuntu-latest + environment: + name: release_pypi + url: https://pypi.org/p/python-telegram-bot + permissions: + id-token: write # IMPORTANT: mandatory for trusted publishing + + steps: + - name: Download all the dists + uses: actions/download-artifact@v3 + with: + name: python-package-distributions + path: dist/ + - name: Publish to PyPI + uses: pypa/gh-action-pypi-publish@release/v1 + + publish-to-test-pypi: + name: Publish to Test PyPI + needs: + - build + runs-on: ubuntu-latest + environment: + name: release_test_pypi + url: https://test.pypi.org/p/python-telegram-bot + permissions: + id-token: write # IMPORTANT: mandatory for trusted publishing + + steps: + - name: Download all the dists + uses: actions/download-artifact@v3 + with: + name: python-package-distributions + path: dist/ + - name: Publish to Test PyPI + uses: pypa/gh-action-pypi-publish@release/v1 + with: + repository-url: https://test.pypi.org/legacy/ + + compute-signatures: + name: Compute SHA1 Sums and Sign with Sigstore + runs-on: ubuntu-latest + needs: + - publish-to-pypi + - publish-to-test-pypi + if: + # run if either of the publishing jobs ran successfully + # see 
also: + # https://github.com/actions/runner/issues/491#issuecomment-850884422 + always() && ( + needs.publish-to-pypi.outcome == 'success' || + needs.publish-to-test-pypi.outcome == 'success' + ) + + permissions: + id-token: write # IMPORTANT: mandatory for sigstore + + steps: + - name: Download all the dists + uses: actions/download-artifact@v3 + with: + name: python-package-distributions + path: dist/ + - name: Compute SHA1 Sums + run: | + # Compute SHA1 sum of the distribution packages and save it to a file with the same name, + # but with .sha1 extension + for file in dist/*; do + sha1sum $file > $file.sha1 + done + - name: Sign the dists with Sigstore + uses: sigstore/gh-action-sigstore-python@v2.1.1 + with: + inputs: >- + ./dist/*.tar.gz + ./dist/*.whl + - name: Store the distribution packages and signatures + uses: actions/upload-artifact@v3 + with: + name: python-package-distributions-and-signatures + path: dist/ + + github-release: + name: Upload to GitHub Release + needs: + - publish-to-pypi + - compute-signatures + runs-on: ubuntu-latest + + permissions: + contents: write # IMPORTANT: mandatory for making GitHub Releases + + steps: + - name: Download all the dists + uses: actions/download-artifact@v3 + with: + name: python-package-distributions-and-signatures + path: dist/ + - name: Create GitHub Release + env: + GITHUB_TOKEN: ${{ github.token }} + # Create a GitHub Release for this tag. The description can be changed later, as for now + # we don't define it through this workflow. + run: >- + gh release create + '${{ github.ref_name }}' + --repo '${{ github.repository }}' + --generate-notes + - name: Upload artifact signatures to GitHub Release + env: + GITHUB_TOKEN: ${{ github.token }} + # Upload to GitHub Release using the `gh` CLI. + # `dist/` contains the built packages, and the + # sigstore-produced signatures and certificates. 
+ run: >- + gh release upload + '${{ github.ref_name }}' dist/** + --repo '${{ github.repository }}' + + github-test-release: + name: Upload to GitHub Release Draft + needs: + - publish-to-test-pypi + - compute-signatures + runs-on: ubuntu-latest + + permissions: + contents: write # IMPORTANT: mandatory for making GitHub Releases + + steps: + - name: Download all the dists + uses: actions/download-artifact@v3 + with: + name: python-package-distributions-and-signatures + path: dist/ + - name: Create GitHub Release + env: + GITHUB_TOKEN: ${{ github.token }} + # Create a GitHub Release *draft*. The description can be changed later, as for now + # we don't define it through this workflow. + run: >- + gh release create + '${{ github.ref_name }}' + --repo '${{ github.repository }}' + --generate-notes + --draft + - name: Upload artifact signatures to GitHub Release + env: + GITHUB_TOKEN: ${{ github.token }} + # Upload to GitHub Release using the `gh` CLI. + # `dist/` contains the built packages, and the + # sigstore-produced signatures and certificates. + run: >- + gh release upload + '${{ github.ref_name }}' dist/** + --repo '${{ github.repository }}' From bb14a65e8b2b181303c67daf1db8584c47c57019 Mon Sep 17 00:00:00 2001 From: Hinrich Mahler <22366557+Bibo-Joshi@users.noreply.github.com> Date: Tue, 9 Jul 2024 12:37:51 +0200 Subject: [PATCH 03/17] Temporarily use random version numbers to enable multiple testpypi uploads --- telegram/_version.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/telegram/_version.py b/telegram/_version.py index 557a1ab9022..5152fcefadf 100644 --- a/telegram/_version.py +++ b/telegram/_version.py @@ -17,6 +17,7 @@ # You should have received a copy of the GNU Lesser Public License # along with this program. If not, see [http://www.gnu.org/licenses/]. # pylint: disable=missing-module-docstring +import random from typing import Final, NamedTuple __all__ = ("__version__", "__version_info__") 
@@ -51,6 +52,6 @@ def __str__(self) -> str: __version_info__: Final[Version] = Version( - major=21, minor=3, micro=0, releaselevel="final", serial=0 + major=21, minor=4, micro=0, releaselevel="alpha", serial=random.randint(0, 9999) ) __version__: Final[str] = str(__version_info__) From 0bcc2cacdb14238978c7479daf891110a081b59d Mon Sep 17 00:00:00 2001 From: Hinrich Mahler <22366557+Bibo-Joshi@users.noreply.github.com> Date: Tue, 9 Jul 2024 12:44:15 +0200 Subject: [PATCH 04/17] temporarily run on pushes to this branch --- .github/workflows/release_pypi.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release_pypi.yml b/.github/workflows/release_pypi.yml index 7b062a855cc..be0cb48c1b6 100644 --- a/.github/workflows/release_pypi.yml +++ b/.github/workflows/release_pypi.yml @@ -1,10 +1,13 @@ -name: Publish to PyPI +name: Publish to PyPI and GitHub Releases on: - # Run on any tag push: + # Run on any new tag tags: - '**' + # run on the initial dev branch for testing only + branches: + - automate-pypi # manually trigger the workflow - for testing only workflow_dispatch: From f2a2929c06aafb59b708fcde8bfbb758abcb42df Mon Sep 17 00:00:00 2001 From: Hinrich Mahler <22366557+Bibo-Joshi@users.noreply.github.com> Date: Tue, 9 Jul 2024 12:51:43 +0200 Subject: [PATCH 05/17] Try fixing the condition for compute-signatures --- .github/workflows/release_pypi.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/release_pypi.yml b/.github/workflows/release_pypi.yml index be0cb48c1b6..1d30c3ed917 100644 --- a/.github/workflows/release_pypi.yml +++ b/.github/workflows/release_pypi.yml 
@@ -83,13 +83,13 @@ jobs: needs: - publish-to-pypi - publish-to-test-pypi - if: - # run if either of the publishing jobs ran successfully - # see also: - # https://github.com/actions/runner/issues/491#issuecomment-850884422 + # run if either of the publishing jobs ran successfully + # see also: + # https://github.com/actions/runner/issues/491#issuecomment-850884422 + if: | always() && ( - needs.publish-to-pypi.outcome == 'success' || - needs.publish-to-test-pypi.outcome == 'success' + (needs.publish-to-pypi.outcome == 'success') || + (needs.publish-to-test-pypi.outcome == 'success') ) permissions: From 403d76e6d1f0e32a8e16bccf9d694a53c8a5e2e1 Mon Sep 17 00:00:00 2001 From: Hinrich Mahler <22366557+Bibo-Joshi@users.noreply.github.com> Date: Tue, 9 Jul 2024 12:58:03 +0200 Subject: [PATCH 06/17] Try fixing the condition for compute-signatures - again --- .github/workflows/release_pypi.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release_pypi.yml b/.github/workflows/release_pypi.yml index 1d30c3ed917..f0711df981d 100644 --- a/.github/workflows/release_pypi.yml +++ b/.github/workflows/release_pypi.yml @@ -88,8 +88,8 @@ jobs: # https://github.com/actions/runner/issues/491#issuecomment-850884422 if: | always() && ( - (needs.publish-to-pypi.outcome == 'success') || - (needs.publish-to-test-pypi.outcome == 'success') + (needs.publish-to-pypi.result == 'success') || + (needs.publish-to-test-pypi.result == 'success') ) permissions: From 7f50a286b96b04ef55452f689df98bd62cfc241b Mon Sep 17 00:00:00 2001 From: Hinrich Mahler <22366557+Bibo-Joshi@users.noreply.github.com> Date: Tue, 9 Jul 2024 13:00:31 +0200 Subject: [PATCH 07/17] update upload artifact version --- .github/workflows/release_pypi.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release_pypi.yml b/.github/workflows/release_pypi.yml index f0711df981d..1e425dc3008 100644 --- a/.github/workflows/release_pypi.yml 
+++ b/.github/workflows/release_pypi.yml @@ -28,7 +28,7 @@ jobs: - name: Build a binary wheel and a source tarball run: python3 -m build - name: Store the distribution packages - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: python-package-distributions path: dist/ @@ -115,7 +115,7 @@ jobs: ./dist/*.tar.gz ./dist/*.whl - name: Store the distribution packages and signatures - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: python-package-distributions-and-signatures path: dist/ From bc92636110c01bd5b5ac740d943351c693572a4b Mon Sep 17 00:00:00 2001 From: Hinrich Mahler <22366557+Bibo-Joshi@users.noreply.github.com> Date: Tue, 9 Jul 2024 13:01:25 +0200 Subject: [PATCH 08/17] update download artifact version --- .github/workflows/release_pypi.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/release_pypi.yml b/.github/workflows/release_pypi.yml index 1e425dc3008..f41d8644da8 100644 --- a/.github/workflows/release_pypi.yml +++ b/.github/workflows/release_pypi.yml @@ -48,7 +48,7 @@ jobs: steps: - name: Download all the dists - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4 with: name: python-package-distributions path: dist/ @@ -68,7 +68,7 @@ jobs: steps: - name: Download all the dists - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4 with: name: python-package-distributions path: dist/ @@ -97,7 +97,7 @@ jobs: steps: - name: Download all the dists - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4 with: name: python-package-distributions path: dist/ @@ -132,7 +132,7 @@ jobs: steps: - name: Download all the dists - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4 with: name: python-package-distributions-and-signatures path: dist/ 
@@ -169,7 +169,7 @@ jobs: steps: - name: Download all the dists - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4 with: name: python-package-distributions-and-signatures path: dist/ From f33b6b1222c7c0cfd8f28bbe9b9dee6aa1070506 Mon Sep 17 00:00:00 2001 From: Hinrich Mahler <22366557+Bibo-Joshi@users.noreply.github.com> Date: Tue, 9 Jul 2024 13:14:45 +0200 Subject: [PATCH 09/17] try getting the github release step to run --- .github/workflows/release_pypi.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/release_pypi.yml b/.github/workflows/release_pypi.yml index f41d8644da8..fb1b15ac5fd 100644 --- a/.github/workflows/release_pypi.yml +++ b/.github/workflows/release_pypi.yml @@ -125,6 +125,9 @@ jobs: needs: - publish-to-pypi - compute-signatures + if: | + always() && (join(needs.*.result, '-') == 'success-success') + runs-on: ubuntu-latest permissions: @@ -162,6 +165,8 @@ jobs: needs: - publish-to-test-pypi - compute-signatures + if: | + always() && (join(needs.*.result, '-') == 'success-success') runs-on: ubuntu-latest permissions: From 7980ffe42a50ca5227ac3bc9e8eb03d131cbc60b Mon Sep 17 00:00:00 2001 From: Hinrich Mahler <22366557+Bibo-Joshi@users.noreply.github.com> Date: Tue, 9 Jul 2024 17:44:20 +0200 Subject: [PATCH 10/17] add some debug prints --- .github/workflows/release_pypi.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release_pypi.yml b/.github/workflows/release_pypi.yml index fb1b15ac5fd..025416c8791 100644 --- a/.github/workflows/release_pypi.yml +++ b/.github/workflows/release_pypi.yml 
@@ -166,13 +166,19 @@ jobs: - publish-to-test-pypi - compute-signatures if: | - always() && (join(needs.*.result, '-') == 'success-success') + always() runs-on: ubuntu-latest permissions: contents: write # IMPORTANT: mandatory for making GitHub Releases steps: + - name: Debug prints + run: | + echo "needs.publish-to-test-pypi.result: ${{ needs.publish-to-test-pypi.result }}" + echo "needs.compute-signatures.result: ${{ needs.compute-signatures.result }}" + echo "join: ${{ (join(needs.*.result, '-')) }}" + echo "join-eq: ${{ (join(needs.*.result, '-') == 'success-success') }}" - name: Download all the dists uses: actions/download-artifact@v4 with: From b58ae39ca95f966a6d0ab12adea014187cffd09d Mon Sep 17 00:00:00 2001 From: Hinrich Mahler <22366557+Bibo-Joshi@users.noreply.github.com> Date: Tue, 9 Jul 2024 17:58:35 +0200 Subject: [PATCH 11/17] do another test run --- .github/workflows/release_pypi.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release_pypi.yml b/.github/workflows/release_pypi.yml index 025416c8791..bf5fcb9b19a 100644 --- a/.github/workflows/release_pypi.yml +++ b/.github/workflows/release_pypi.yml @@ -166,7 +166,10 @@ jobs: - publish-to-test-pypi - compute-signatures if: | - always() + always() && ( + (needs.publish-to-test-pypi.result == 'success') && + (needs.compute-signatures.result == 'success') + ) runs-on: ubuntu-latest permissions: From 433ca79e4127b9854f32550832adc46d9fec99ee Mon Sep 17 00:00:00 2001 From: Hinrich Mahler <22366557+Bibo-Joshi@users.noreply.github.com> Date: Tue, 9 Jul 2024 18:14:04 +0200 Subject: [PATCH 12/17] remove debug prints & adjust conditions for gh releases --- .github/workflows/release_pypi.yml | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/.github/workflows/release_pypi.yml b/.github/workflows/release_pypi.yml index bf5fcb9b19a..aff0916e1fc 100644 --- a/.github/workflows/release_pypi.yml +++ b/.github/workflows/release_pypi.yml 
@@ -126,7 +126,10 @@ jobs: - publish-to-pypi - compute-signatures if: | - always() && (join(needs.*.result, '-') == 'success-success') + always() && ( + (needs.publish-to-pypi.result == 'success') && + (needs.compute-signatures.result == 'success') + ) runs-on: ubuntu-latest @@ -176,12 +179,6 @@ jobs: contents: write # IMPORTANT: mandatory for making GitHub Releases steps: - - name: Debug prints - run: | - echo "needs.publish-to-test-pypi.result: ${{ needs.publish-to-test-pypi.result }}" - echo "needs.compute-signatures.result: ${{ needs.compute-signatures.result }}" - echo "join: ${{ (join(needs.*.result, '-')) }}" - echo "join-eq: ${{ (join(needs.*.result, '-') == 'success-success') }}" - name: Download all the dists uses: actions/download-artifact@v4 with: From 510d3a8237127e96c78208f9d4aac1978c8ade02 Mon Sep 17 00:00:00 2001 From: Hinrich Mahler <22366557+Bibo-Joshi@users.noreply.github.com> Date: Tue, 9 Jul 2024 18:14:37 +0200 Subject: [PATCH 13/17] Revert "Temporarily use random version numbers to enable multiple testpypi uploads" This reverts commit bb14a65e8b2b181303c67daf1db8584c47c57019. --- telegram/_version.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/telegram/_version.py b/telegram/_version.py index 5152fcefadf..557a1ab9022 100644 --- a/telegram/_version.py +++ b/telegram/_version.py @@ -17,7 +17,6 @@ # You should have received a copy of the GNU Lesser Public License # along with this program. If not, see [http://www.gnu.org/licenses/]. # pylint: disable=missing-module-docstring -import random from typing import Final, NamedTuple __all__ = ("__version__", "__version_info__") @@ -52,6 +51,6 @@ def __str__(self) -> str: __version_info__: Final[Version] = Version( - major=21, minor=4, micro=0, releaselevel="alpha", serial=random.randint(0, 9999) + major=21, minor=3, micro=0, releaselevel="final", serial=0 ) __version__: Final[str] = str(__version_info__) From 0b599ca6380311f57f1f0d9f79071fddae5b5d64 Mon Sep 17 00:00:00 2001 
From: Hinrich Mahler <22366557+Bibo-Joshi@users.noreply.github.com> Date: Tue, 9 Jul 2024 18:15:03 +0200 Subject: [PATCH 14/17] Revert "temporarily run on pushes to this branch" This reverts commit 0bcc2cacdb14238978c7479daf891110a081b59d. --- .github/workflows/release_pypi.yml | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/.github/workflows/release_pypi.yml b/.github/workflows/release_pypi.yml index aff0916e1fc..bcd1794c468 100644 --- a/.github/workflows/release_pypi.yml +++ b/.github/workflows/release_pypi.yml @@ -1,13 +1,10 @@ -name: Publish to PyPI and GitHub Releases +name: Publish to PyPI on: + # Run on any tag push: - # Run on any new tag tags: - '**' - # run on the initial dev branch for testing only - branches: - - automate-pypi # manually trigger the workflow - for testing only workflow_dispatch: From 7d8738f60946454f6c0e6c23c03910ca9cf82420 Mon Sep 17 00:00:00 2001 From: Hinrich Mahler <22366557+Bibo-Joshi@users.noreply.github.com> Date: Tue, 9 Jul 2024 18:27:14 +0200 Subject: [PATCH 15/17] Slightly extend info on sigstore --- README.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.rst b/README.rst index cb04cd9db37..b5be0cb9f66 100644 --- a/README.rst +++ b/README.rst 
@@ -108,7 +108,7 @@ To enable you to verify that a release file that you downloaded was indeed provi Starting with NEXT.VERSION, all releases are signed via `sigstore `_. The corresponding signature files are uploaded to both the `GitHub releases page`_. -To verify the signature, please install the `sigstore Python client `_ and follow the instructions for `verifying signatures from GitHub Actions `_. +To verify the signature, please install the `sigstore Python client `_ and follow the instructions for `verifying signatures from GitHub Actions `_. As input for the ``--repository`` parameter, please use the value ``python-telegram-bot/python-telegram-bot``. Earlier releases are signed with a GPG key. The signatures are uploaded to both the `GitHub releases page`_ and the `PyPI project `_ and end with a suffix ``.asc``. From 5aa3b64b32580a7b7e9b1323ea2d038e4d614dfd Mon Sep 17 00:00:00 2001 From: Bibo-Joshi <22366557+Bibo-Joshi@users.noreply.github.com> Date: Wed, 10 Jul 2024 12:50:29 +0200 Subject: [PATCH 16/17] typo --- README.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.rst b/README.rst index b5be0cb9f66..8ed2cc34ab6 100644 --- a/README.rst +++ b/README.rst @@ -107,7 +107,7 @@ Verifying Releases To enable you to verify that a release file that you downloaded was indeed provided by the ``python-telegram-bot`` team, we have taken the following measures. Starting with NEXT.VERSION, all releases are signed via `sigstore `_. -The corresponding signature files are uploaded to both the `GitHub releases page`_. +The corresponding signature files are uploaded to the `GitHub releases page`_. To verify the signature, please install the `sigstore Python client `_ and follow the instructions for `verifying signatures from GitHub Actions `_. As input for the ``--repository`` parameter, please use the value ``python-telegram-bot/python-telegram-bot``. Earlier releases are signed with a GPG key. 
From 8ff2231be431c8e30ddfaf130c0b5ad66fac8b42 Mon Sep 17 00:00:00 2001 From: Hinrich Mahler <22366557+Bibo-Joshi@users.noreply.github.com> Date: Fri, 12 Jul 2024 16:38:18 +0200 Subject: [PATCH 17/17] update name of gpg key --- public_keys/{v20.0-current.gpg => v20.0-v21.3.gpg} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename public_keys/{v20.0-current.gpg => v20.0-v21.3.gpg} (100%) diff --git a/public_keys/v20.0-current.gpg b/public_keys/v20.0-v21.3.gpg similarity index 100% rename from public_keys/v20.0-current.gpg rename to public_keys/v20.0-v21.3.gpg
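Review bot: In PATCH 01/17, README.rst hunk `@@ -104,15 +104,19 @@`, moving the "verify that a release file ... was indeed provided by the ``python-telegram-bot`` team" sentence to the top makes it cover the unchanged `.sha1` sentence as well. A SHA-1 file served from the same release page as the artifact only detects a damaged download; it says nothing about who produced the file. Suggest rewording the `.sha1` sentence as an integrity check, separate from the sigstore and GPG signatures, or dropping it from the list of measures.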
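Review bot: In PATCH 01/17, README.rst hunk `@@ -209,3 +213,5 @@`, the added link target ends with a stray `>` (`.../python-telegram-bot/releases>`). That character becomes part of the URL, so every `GitHub releases page`_ reference in the "Verifying Releases" section points at a broken address. Drop the `>` and end the file with a newline; the hunk currently leaves `\ No newline at end of file`.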
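Review bot: In PATCH 02/17 (`.github/workflows/release_pypi.yml`), the `Create GitHub Release` and `Upload artifact signatures to GitHub Release` steps paste `'${{ github.ref_name }}'` into the `run:` text before the shell parses it, in jobs that hold `contents: write`, while the trigger accepts any tag (`'**'`). Pass the value through `env:` (for example `TAG: ${{ github.ref_name }}`) and reference it as `"$TAG"` so the tag name is always data. Three further points in the same hunk. The actions used in the `id-token: write` jobs are referenced by mutable refs (`pypa/gh-action-pypi-publish@release/v1`, `sigstore/gh-action-sigstore-python@v2.1.1`); pinning them to full commit SHAs keeps the publishing and signing path fixed to reviewed code. `publish-to-test-pypi` has no `if:`, so on a tag push it runs next to `publish-to-pypi` and both `github-release` and `github-test-release` call `gh release create` for the same `github.ref_name`; on `workflow_dispatch` that name is a branch, not a tag. The `build` job has no `permissions:` block and so receives the repository default token scope; a workflow-level `permissions: {}` with per-job grants would make that explicit.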
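Review bot: In PATCH 12/17, hunk `@@ -126,7 +126,10 @@`, the `github-release` condition still starts with `always() &&`, as do the `compute-signatures` condition from PATCH 06/17 and the `github-test-release` condition from PATCH 11/17. `always()` also evaluates to true on a cancelled run, so cancelling the workflow after the PyPI upload has succeeded does not stop the signing and release jobs. `!cancelled() && ( ... )` with the same `needs.*.result == 'success'` checks keeps the tolerance for a skipped publishing job and still honours a cancel.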
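Review bot: In PATCH 15/17, the sentence added to README.rst names only the ``--repository`` value (``python-telegram-bot/python-telegram-bot``) and leaves everything else to the linked instructions. The README should also state which workflow signs the releases (`.github/workflows/release_pypi.yml`, added in PATCH 02/17), so that readers can check the signing identity in the certificate against that workflow and not against the repository alone.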