From e274fd4161b0be8d26e8170c478fd1f211b706d1 Mon Sep 17 00:00:00 2001 From: Shelikhoo Date: Sat, 4 May 2024 12:33:04 +0100 Subject: [PATCH] add intro for release signing and release archive --- docs/en_US/developer/intro/releasearchive.md | 7 ++++++ docs/en_US/developer/intro/releasesigning.md | 23 ++++++++++++++++++++ 2 files changed, 30 insertions(+) create mode 100644 docs/en_US/developer/intro/releasearchive.md create mode 100644 docs/en_US/developer/intro/releasesigning.md diff --git a/docs/en_US/developer/intro/releasearchive.md b/docs/en_US/developer/intro/releasearchive.md new file mode 100644 index 000000000..d9486f922 --- /dev/null +++ b/docs/en_US/developer/intro/releasearchive.md @@ -0,0 +1,7 @@ +# Release Archive + +This article describes the design ideas of the V2Ray core (v2ray-core) release archive. + +V2Ray use Github Action to build releases. However, Github Action are usaged based billing product and it is not possible to store logs and artifacts in long term without significant cost. + +We instead upload the logs and artifacts to [archive org](https://archive.org/details/v2ray-action-archive-hqfi0pb) with [AutoV2RayActionArchive](https://github.com/xiaokangwang/AutoV2RayActionArchive). You can find expired logs and artifacts there. diff --git a/docs/en_US/developer/intro/releasesigning.md b/docs/en_US/developer/intro/releasesigning.md new file mode 100644 index 000000000..3cb61a145 --- /dev/null +++ b/docs/en_US/developer/intro/releasesigning.md 
@@ -0,0 +1,23 @@ +# Release Signing + +This article describes the design ideas of the V2Ray core (v2ray-core) release signing. + +All stable release of V2Ray are signed in [Signify](https://man.openbsd.org/signify) with a the private key corresponding to + +``` +untrusted comment: V2Fly Signing Key +RWTe6SReSmJUeqoA8cq1MxX7ycL06DAMAJcAgQ8dCN3kFtnWBHYDpTnx +``` + +The file being signed is a manifest file named 'Release' with the checksums of all binaries, including unzipped content of zip files. + +## Binary Transparency + +The signed manifest file is published to [rekor](https://github.com/sigstore/rekor) by signing the sha512 hash of the 'Release' file with a topic key. You can generate a list of all the file signed with [rekor-monitor](https://github.com/sigstore/rekor-monitor) with the following commands: + +``` +echo 'rekor.sigstore.dev - 2605736670972794746\n86482791\nFehZ1/6CqPAFDaEM1N4xOsFZO1rD6v8nmu8yMjUqzAg=\n\n— rekor.sigstore.dev wNI9ajBEAiBTwFlsQciw2QNcGmPqCfPnArWAV9kgEygav9EeVsa+RgIgC0Q4vazfZksnzDkqpv687OTF99KnwtI8fb9a9pUHoOU=\n' > logInfo.txt +verifier -monitored-values "$(echo "ZmluZ2VycHJpbnRzOgogIC0gMzk3YzQ1MTJiZDRjMWIxYWQ4MjIxNTAzNDVkMTczNTUwZjRmNmE0NGJlOTM1MzVmZmVlYzRhZTQyZDg2ZGEzMg=="|base64 -d)" --once +``` + +The topic key is used to generate a list of hash value submitted to rekor by V2Ray. It is not used for verifying release. The topic key design is necessary as rekor does not support signed message, only detached signature.
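Review bot: in the releasearchive.md hunk, the paragraph on GitHub Actions needs a grammar pass and should tell readers how an archived artifact can be trusted. "V2Ray use Github Action to build releases. However, Github Action are usaged based billing product" should read "V2Ray uses GitHub Actions to build releases. However, GitHub Actions is a usage-based billing product". More importantly, the archive.org copies are mirrored by a separate tool (AutoV2RayActionArchive) outside the release pipeline, so someone fetching an expired artifact from there has no way to know it is unmodified unless the page tells them to compare it against the signed 'Release' checksum manifest described in releasesigning.md; add that sentence and a link to the signing page.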
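Review bot: in the releasesigning.md hunk, the verification steps are incomplete and the shell snippet is not portable. "All stable release of V2Ray are signed in Signify with a the private key" needs "releases" and drops the stray "a"; the page prints the public key but never shows the check a downloader runs, so add one line such as `signify -V -p v2fly.pub -x Release.sig -m Release` (file names assumed) and state that the public key must come from a channel independent of the download. In the rekor-monitor block, `echo 'rekor.sigstore.dev - ... \n'` depends on echo expanding `\n`, which bash's builtin echo does not do by default, so logInfo.txt would contain literal backslashes; write it with `printf` (which does interpret `\n` in its format string) or a heredoc. The snippet also writes logInfo.txt but the `verifier` command never references it, and the monitored value is hidden inside a base64 blob; show the decoded `fingerprints:` YAML in clear text and say where the checkpoint and the topic-key fingerprint come from, since the "topic key" is otherwise never defined. Minor grammar: "all the file signed" to "all the files signed", "list of hash value" to "list of hash values", "verifying release" to "verifying releases", and "signed message, only detached signature" to "signed messages, only detached signatures".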