working release/attest/sign flow

Makefile

@@ -74,11 +74,12 @@ release: | out/release.env out/airgap.iso out/manifest.txt
 
 .PHONY: attest
 attest:
-	$(MAKE) mrproper out/manifest.txt
-	diff -q out/manifest.txt release/$(VERSION)/manifest.txt;
+	rm -rf $(CACHE_DIR) $(OUT_DIR)
+	$(MAKE) $(OUT_DIR)/manifest.txt
+	diff -q $(OUT_DIR)/manifest.txt release/$(VERSION)/manifest.txt;
 
 .PHONY: sign
-sign: $(RELEASE_DIR)/manifest.txt
+sign:
 	set -e; \
 	git config --get user.signingkey 2>&1 >/dev/null || { \
 		echo "Error: git user.signingkey is not defined"; \
@@ -94,7 +95,7 @@ sign: $(RELEASE_DIR)/manifest.txt
 		$(RELEASE_DIR)/manifest.txt
 
 .PHONY: verify
-verify: $(RELEASE_DIR)/manifest.txt
+verify: | $(RELEASE_DIR)/manifest.txt
 	set -e; \
 	for file in $(RELEASE_DIR)/manifest.*.asc; do \
 		echo "\nVerifying: $${file}\n"; \

README.md

@@ -49,18 +49,23 @@ internet with high integrity on the supply chain of the firmware and OS used.
 
 ## Build ##
 
-1. Reproduce existing release, or build fresh if never released:
+### Build a new release
 
     ```
-    make VERSION=1.0.0rc1
+    make VERSION=1.0.0rc1 release
     ```
 
-2. Compares hashes of newly built iso/rom files with in-tree hashes.txt
+### Reproduce an existing release
 
     ```
-    make VERSION=1.0.0rc1 verify
+    make VERSION=1.0.0rc1 attest
     ```
 
+### Sign an existing release
+
+    ```
+    make VERSION=1.0.0rc1 sign
+    ```
 
 ## Install ##
 
@@ -82,24 +87,6 @@ internet with high integrity on the supply chain of the firmware and OS used.
 2. Power on, and verify successful remote attestation
 3. Boot to airgap via: Options -> Boot Options -> USB Boot
 
-
-## Release ##
-
-1. Audit dependencies to ensure no relevant CVEs are open at the moment:
-
-    ```
-    make audit
-    ```
-
-2. Verify and add detached signature to given release with:
-
-    ```
-    make VERSION=1.0.0rc1 verify sign
-    ```
-
-3. Commit signatures.
-
-
 ## Development ##
 
 ### Build develop image