From 9b793ce5937bfeddfde8559f2be1d3bfb7c1714c Mon Sep 17 00:00:00 2001
From: Tim Ruffing <me@real-or-random.org>
Date: Tue, 22 Jul 2025 11:42:53 +0200
Subject: [PATCH 1/4] release-process: Refactor

---
 doc/release-process.md | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/doc/release-process.md b/doc/release-process.md
index a64bae0f0d..fcdfd61a26 100644
--- a/doc/release-process.md
+++ b/doc/release-process.md
@@ -15,6 +15,7 @@ This process also assumes that there will be no minor releases for old major rel
 We aim to cut a regular release every 3-4 months, approximately twice as frequent as major Bitcoin Core releases. Every second release should be published one month before the feature freeze of the next major Bitcoin Core release, allowing sufficient time to update the library in Core.
 
 ## Sanity checks
+
 Perform these checks when reviewing the release PR (see below):
 
 1. Ensure `make distcheck` doesn't fail.
@@ -39,7 +40,9 @@ Perform these checks when reviewing the release PR (see below):
    tools/check-abi.sh
    ```
 
-## Regular release
+## Preparing and tagging a release
+
+### Regular release
 
 1. Open a PR to the master branch with a commit (using message `"release: prepare for $MAJOR.$MINOR.$PATCH"`, for example) that
    * finalizes the release notes in [CHANGELOG.md](../CHANGELOG.md) by
@@ -64,10 +67,8 @@ Perform these checks when reviewing the release PR (see below):
    * adds an `[Unreleased]` section header to the [CHANGELOG.md](../CHANGELOG.md).
 
    If other maintainers are not present to approve the PR, it can be merged without ACKs.
-5. Create a new GitHub release with a link to the corresponding entry in [CHANGELOG.md](../CHANGELOG.md).
-6. Send an announcement email to the bitcoin-dev mailing list.
 
-## Maintenance release
+### Maintenance release
 
 Note that bug fixes need to be backported only to releases for which no compatible release without the bug exists.
 
@@ -89,6 +90,9 @@ Note that bug fixes need to be backported only to releases for which no compatib
    git tag -s v$MAJOR.$MINOR.$PATCH -m "libsecp256k1 $MAJOR.$MINOR.$PATCH"
    git push git@github.com:bitcoin-core/secp256k1.git v$MAJOR.$MINOR.$PATCH
    ```
-6. Create a new GitHub release with a link to the corresponding entry in [CHANGELOG.md](../CHANGELOG.md).
-7. Send an announcement email to the bitcoin-dev mailing list.
-8. Open PR to the master branch that includes a commit (with commit message `"release notes: add $MAJOR.$MINOR.$PATCH"`, for example) that adds release notes to [CHANGELOG.md](../CHANGELOG.md).
+5. Open PR to the master branch that includes a commit (with commit message `"release notes: add $MAJOR.$MINOR.$PATCH"`, for example) that adds release notes to [CHANGELOG.md](../CHANGELOG.md).
+
+## Announcing the release
+
+1. Create a new GitHub release with a link to the corresponding entry in [CHANGELOG.md](../CHANGELOG.md).
+2. Send an announcement email to the bitcoin-dev mailing list.

From ba25edbbe6baee15697fdd1f1747ea1fb1ff69a4 Mon Sep 17 00:00:00 2001
From: Tim Ruffing <me@real-or-random.org>
Date: Tue, 22 Jul 2025 11:55:22 +0200
Subject: [PATCH 2/4] release-process: Add signing of tarball

Resolves #1175.
---
 doc/release-process.md | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/doc/release-process.md b/doc/release-process.md
index fcdfd61a26..34d835f124 100644
--- a/doc/release-process.md
+++ b/doc/release-process.md
@@ -42,6 +42,9 @@ Perform these checks when reviewing the release PR (see below):
 
 ## Preparing and tagging a release
 
+If you're going to sign the release, make sure that your default GPG signing key is the [expected one](../SECURITY.md).
+You can see your default key by running `echo "test" | gpg --sign --verbose > /dev/null`.
+
 ### Regular release
 
 1. Open a PR to the master branch with a commit (using message `"release: prepare for $MAJOR.$MINOR.$PATCH"`, for example) that
@@ -92,7 +95,14 @@ Note that bug fixes need to be backported only to releases for which no compatib
    ```
 5. Open PR to the master branch that includes a commit (with commit message `"release notes: add $MAJOR.$MINOR.$PATCH"`, for example) that adds release notes to [CHANGELOG.md](../CHANGELOG.md).
 
-## Announcing the release
-
-1. Create a new GitHub release with a link to the corresponding entry in [CHANGELOG.md](../CHANGELOG.md).
-2. Send an announcement email to the bitcoin-dev mailing list.
+## Creating a tarball and announcing the release
+
+1. Create a tarball and a detached GPG signature covering it, and check that the signature verifies under the expected key.
+     ```
+     git archive --output "libsecp256k1-$MAJOR.$MINOR.$PATCH.tar.gz" --prefix "libsecp256k1-$MAJOR.$MINOR.$PATCH/" v$MAJOR.$MINOR.$PATCH
+     gpg --detach-sign "libsecp256k1-$MAJOR.$MINOR.$PATCH.tar.gz"
+     gpg --verify "libsecp256k1-$MAJOR.$MINOR.$PATCH.tar.gz.sig"
+     ```
+2. Create a new GitHub release with a link to the corresponding entry in [CHANGELOG.md](../CHANGELOG.md).
+   Attach the tarball and the detached signature.
+3. Send an announcement email to the bitcoin-dev mailing list.

From 8f9530357bf856afa95e0171ed5cbd555c4d1716 Mon Sep 17 00:00:00 2001
From: Tim Ruffing <me@real-or-random.org>
Date: Tue, 22 Jul 2025 11:57:14 +0200
Subject: [PATCH 3/4] release-process: Fix nits

---
 doc/release-process.md | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/doc/release-process.md b/doc/release-process.md
index 34d835f124..49c21b5a8f 100644
--- a/doc/release-process.md
+++ b/doc/release-process.md
@@ -58,7 +58,7 @@ You can see your default key by running `echo "test" | gpg --sign --verbose > /d
        * updates `_PKG_VERSION_*` and `_LIB_VERSION_*`  in `configure.ac`, and
        * updates `project(libsecp256k1 VERSION ...)` and `${PROJECT_NAME}_LIB_VERSION_*` in `CMakeLists.txt`.
 2. Perform the [sanity checks](#sanity-checks) on the PR branch.
-3. After the PR is merged, tag the commit, and push the tag:
+3. After the PR has been merged, tag the commit, and push the tag:
    ```
    RELEASE_COMMIT=<merge commit of step 1>
    git tag -s v$MAJOR.$MINOR.$PATCH -m "libsecp256k1 $MAJOR.$MINOR.$PATCH" $RELEASE_COMMIT
@@ -87,13 +87,14 @@ Note that bug fixes need to be backported only to releases for which no compatib
      and the `$PATCH` component of `project(libsecp256k1 VERSION ...)` and `${PROJECT_NAME}_LIB_VERSION_REVISION` in `CMakeLists.txt`
      (with commit message `"release: bump versions for $MAJOR.$MINOR.$PATCH"`, for example).
 3. Perform the [sanity checks](#sanity-checks) on the PR branch.
-4. After the PRs are merged, update the release branch, tag the commit, and push the tag:
+4. After the PR has been merged, update the release branch, tag the commit, and push the tag:
    ```
    git checkout $MAJOR.$MINOR && git pull
    git tag -s v$MAJOR.$MINOR.$PATCH -m "libsecp256k1 $MAJOR.$MINOR.$PATCH"
    git push git@github.com:bitcoin-core/secp256k1.git v$MAJOR.$MINOR.$PATCH
    ```
-5. Open PR to the master branch that includes a commit (with commit message `"release notes: add $MAJOR.$MINOR.$PATCH"`, for example) that adds release notes to [CHANGELOG.md](../CHANGELOG.md).
+5. Open a PR to the master branch that includes a commit (with commit message `"release notes: add $MAJOR.$MINOR.$PATCH"`, for example) that adds release notes to [CHANGELOG.md](../CHANGELOG.md).
+6. Get the PR merged to ensure that the [CHANGELOG.md](../CHANGELOG.md) file on the master branch is current before announcing the release.
 
 ## Creating a tarball and announcing the release
 

From e6aa166c081b55b1cab71de092fb43b8a93c83d8 Mon Sep 17 00:00:00 2001
From: Tim Ruffing <me@real-or-random.org>
Date: Tue, 22 Jul 2025 12:02:21 +0200
Subject: [PATCH 4/4] release-process: Add "cleaning up"

---
 doc/release-process.md | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/doc/release-process.md b/doc/release-process.md
index 49c21b5a8f..c1ddef1a0e 100644
--- a/doc/release-process.md
+++ b/doc/release-process.md
@@ -107,3 +107,9 @@ Note that bug fixes need to be backported only to releases for which no compatib
 2. Create a new GitHub release with a link to the corresponding entry in [CHANGELOG.md](../CHANGELOG.md).
    Attach the tarball and the detached signature.
 3. Send an announcement email to the bitcoin-dev mailing list.
+
+
+## Cleaning up
+
+1. Close the GitHub milestone, and create a new one. Consider moving unresolved issues to the new milestone.
+2. Remove the `needs-changelog` label from all merged PRs.