add publich GPG key that can be used for signing (#884)

#### What this PR does / why we need it add GPG key to verify signed and uploaded releases
open-component-model · Aug 23, 2024 · e46befa · e46befa
1 parent 7c9b25c
commit e46befa
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 0 deletions.
diff --git a/.github/config/wordlist.txt b/.github/config/wordlist.txt
@@ -112,6 +112,7 @@ gomega
 goreleaser
 gosec
 goutils
+gpg
 groupid
 gzip
 handleoutput

diff --git a/README.md b/README.md
@@ -141,6 +141,10 @@ An example of how to use the `ocm` CLI in a Makefile can be found in [`examples/
 
 More comprehensive examples can be taken from the [`components`](components) contained in this repository. [Here](components/helmdemo/README.md) a complete component build including a multi-arch image is done and finally packaged into a CTF archive which can be transported into an OCI repository. See the readme files for details.
 
+## GPG Public Key
+
+The authenticity of released packages that have been uploaded to public repositories can be verified using our GPG public key. You can find the key in the file [OCM-RELEASES-PUBLIC.gpg](https://ocm.software/OCM-RELEASES-PUBLIC.gpg) on our website.
+
 ## Contributing
 
 Code contributions, feature requests, bug reports, and help requests are very welcome. Please refer to the [Contributing Guide in the Community repository](https://github.com/open-component-model/community/blob/main/CONTRIBUTING.md) for more information on how to contribute to OCM.
-Original file line number
+Diff line change
@@ Expand Up / @@ -112,6 +112,7 @@ gomega @@
     goreleaser
     gosec
     goutils
+    gpg
     groupid
     gzip
     handleoutput
@@ Expand Down @@