release: add runc.keyring file and script

In order to allow any of the maintainers to cut releases for runc,
create a keyring file that distributions can use to verify that releases
are signed by one of the maintainers.

The format matches the gpg-offline format used by openSUSE packaging,
but it can be easily imported with "gpg --import" so any distribution
should be able to handle this keyring format wtihout issues.

Each key includes the GitHub handle of the associated user. There isn't
any way for this information to be automatically verified (outside of
using something like keybase.io) but since all changes of this file need
to be approved by maintainers this is okay for now.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
This commit is contained in:
Aleksa Sarai
2023-04-07 11:23:22 +10:00
parent 11983894a8
commit 872149470b
3 changed files with 39 additions and 0 deletions
+2
View File
@@ -15,6 +15,8 @@
You can find official releases of `runc` on the [release](https://github.com/opencontainers/runc/releases) page.
All releases are signed by one of the keys listed in the [`runc.keyring` file in the root of this repository](runc.keyring).
## Security
The reporting process and disclosure communications are outlined [here](https://github.com/opencontainers/org/blob/master/SECURITY.md).