Add the public key directly on our website.

And refer it from the various release pages. Also: - Adds the sig file to the release candidate page - Fix a typo -- MOS_MIGRATED_REVID=135793241
author: Damien Martin-Guillerez <dmarting@google.com> 2016-10-11 14:17:28 +0000
committer: Yue Gan <yueg@google.com> 2016-10-12 08:54:58 +0000
commit: 671045b8fd9cc53d208af6eb38dab5c1fb543545 (patch)
tree: bf57d7d69052699184f78951ceceb28cda21f47d /scripts
parent: 3d8ae22bcdf42855da3d625465611c33fe257326 (diff)
1 files changed, 10 insertions, 2 deletions
diff --git a/scripts/ci/build.sh b/scripts/ci/build.sh
index ad3fae4a1d..fb2a092f17 100755
--- a/scripts/ci/build.sh
+++ b/scripts/ci/build.sh
@@ -221,7 +221,11 @@ function release_to_github() {
 
 _Notice_: Bazel installers contain binaries licensed under the GPLv2 with
 Classpath exception. Those installers should always be redistributed along with
-the source code."
+the source code.
+
+_Security_: All our binaries are signed with our
+[public key](https://bazel.io/bazel-release.pub.gpg).
+"
 
   if [ ! -x "${release_tool}" ]; then
     echo "Please set GITHUB_RELEASE to the path to the github-release binary." >&2
@@ -248,9 +252,13 @@ function create_index_md() {
   echo
   echo "## Index of files"
   echo
+  # Security notice
+  echo "_Security_: All our binaries are signed with our"
+  echo "[public key](https://bazel.io/bazel-release.pub.gpg)."
+  echo
   for f in $1/*.sha256; do  # just list the sha256 ones
     local filename=$(basename $f .sha256);
-    echo " - [${filename}](${filename}) [[SHA-256](${filename}.sha256)]"
+    echo " - [${filename}](${filename}) [[SHA-256](${filename}.sha256)] [[SIG](${filename}.sig)]"
   done
 }
author	Damien Martin-Guillerez <dmarting@google.com>	2016-10-11 14:17:28 +0000
committer	Yue Gan <yueg@google.com>	2016-10-12 08:54:58 +0000
commit	671045b8fd9cc53d208af6eb38dab5c1fb543545 (patch)
tree	bf57d7d69052699184f78951ceceb28cda21f47d /scripts
parent	3d8ae22bcdf42855da3d625465611c33fe257326 (diff)