From 894431a9f2fe62fcd973fd55b56ad461eda471ff Mon Sep 17 00:00:00 2001
From: Gijs van Dam <gijs@lightning.engineering>
Date: Wed, 4 Dec 2024 18:08:27 +0100
Subject: [PATCH] CI: update release notes template re timestamps

The release notes template has been updated to improve the paragraph on
timestamps. It now correctly specifies both ots artifacts and how to use
them to verify the timestamps of the manifest and its signature.

Secondly, the template now explains how the timestamp of the _git tag_
can be verified by using the OpenTimestamps git wrapper.
---
 .github/workflows/release.yaml | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index ca57eab66..3e4ce713b 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -29,7 +29,7 @@ jobs:
         run: |
           expected_tag=$(./scripts/get-git-tag-name.sh version.go)
           actual_tag=${{ env.RELEASE_VERSION }}
-          
+
           if [ "$actual_tag" = "$expected_tag" ]; then
             echo "Git tag release string is as expected."
           else
@@ -87,14 +87,17 @@ jobs:
 
             ## Verifying the Release Timestamp 
 
-            From this new version onwards, in addition time-stamping the _git tag_ with [OpenTimestamps](https://opentimestamps.org/), we'll also now timestamp the manifest file along with its signature. Two new files are now included along with the rest of our release artifacts: ` manifest-roasbeef-${{ env.RELEASE_VERSION }}.txt.asc.ots`.
+            In addition to time-stamping the _git tag_ with [OpenTimestamps](https://opentimestamps.org/), we also timestamp the manifest file along with its signature. Two files are included in our release artifacts: `manifest-roasbeef-${{ env.RELEASE_VERSION }}.sig.ots` and `manifest-${{ env.RELEASE_VERSION }}.txt.ots`.
 
             Assuming you have the opentimestamps client installed locally, the timestamps can be verified with the following commands: 
             ```
             ots verify manifest-roasbeef-${{ env.RELEASE_VERSION }}.sig.ots -f manifest-roasbeef-${{ env.RELEASE_VERSION }}.sig
+            ots verify manifest-${{ env.RELEASE_VERSION }}.txt.ots -f manifest-${{ env.RELEASE_VERSION }}.txt
             ```
 
-            Alternatively, [the OpenTimestamps website](https://opentimestamps.org/) can be used to verify timestamps if one doesn't have a `bitcoind` instance accessible locally.
+            Alternatively, [the OpenTimestamps website](https://opentimestamps.org/) can be used to verify these timestamps if one doesn't have a `bitcoind` instance accessible locally.
+
+            Assuming you are using the [OpenTimestamps `ots-git-gpg-wrapper`](https://github.com/opentimestamps/opentimestamps-client/blob/master/doc/git-integration.md#usage) you can verify the timestamp of the _git tag_ by  verifying the tag as explained in _Verifying the Release Binaries_.
 
             These timestamps should give users confidence in the integrity of this release even after the key that signed the release expires.