diff --git a/verify-releases.html b/verify-releases.html index f5e1ca8..da9ed08 100644 --- a/verify-releases.html +++ b/verify-releases.html @@ -89,34 +89,48 @@
- We sign all the releases with a GPG key.
- The signatures are uploaded to both the GitHub
- releases page and the PyPI
- project and end with a suffix .asc.
- Please find the public keys below.
- The keys are named in the format
- <first_version>-<last_version>.gpg or <first_version>-current.gpg
- if the key is currently being used for new releases.
-
- In addition, the GitHub release page also contains the sha1 hashes of the release files
- in the files with the suffix .sha1.
-
- This allows you to verify that a release file that you downloaded was indeed provided by
- the python-telegram-bot team.
-
+ To enable you to verify that a release file that you downloaded was indeed provided by
+ the python-telegram-bot team, we have taken the following measures.
+
+ Starting with v21.4, all releases are signed via sigstore.
+ The corresponding signature files are uploaded to the GitHub
+ releases page.
+ To verify the signature, please install the sigstore Python client and follow the
+ instructions for verifying
+ signatures from GitHub Actions. As input for the --repository
+ parameter, please use the value python-telegram-bot/python-telegram-bot.
+
+ Earlier releases are signed with a GPG key.
+ The signatures are uploaded to both the GitHub
+ releases page
+ and the PyPI project and end
+ with a suffix .asc.
+ Please find the public keys below or here.
+ The keys are named in the format
+ <first_version>-<last_version>.gpg.
+
+ In addition, the GitHub release page also contains the sha1 hashes of the release files
+ in the files with the suffix .sha1.
+
-----BEGIN PGP PUBLIC KEY BLOCK-----
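Review bot: the new sigstore paragraph (the `+` lines beginning "Starting with v21.4, all releases are signed via sigstore.") never says what the signature files are called or which artifacts they cover, while the retained GPG paragraph still tells readers that signatures "end with a suffix .asc"; add the file naming pattern for the sigstore bundles and state whether the sdist, the wheels, or both are signed, so a reader can pair each download with its signature. The hint "As input for the --repository parameter, please use the value python-telegram-bot/python-telegram-bot" is also not enough on its own to run a verification: a reader needs to know which downloaded file and which signature file to pass alongside it, so quote one complete example command for a release artifact, or name the release workflow whose identity the verifier should expect. Finally, the unchanged lines "the GitHub release page also contains the sha1 hashes of the release files in the files with the suffix .sha1" should make clear that these hashes only detect corrupted downloads and are not a substitute for checking the signature, since SHA-1 is no longer collision-resistant; consider publishing SHA-256 checksums instead.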