Add info master
Add info

file:b/README.md (new)
--- /dev/null
+++ b/README.md
@@ -1,1 +1,199 @@
+B Tasker PGP Public Keys
+==========================
 
+As of [MISC-43](https://projects.bentasker.co.uk/jira_projects/browse/MISC-43.html) I sign all commits - both Github and Gitlab should show a green Verified against any commits I make.
+
+However, neither makes it particularly straight forward for you to verify signatures for yourself, meaning you have to take on trust that they've not messed up verification.
+
+This repo exists solely to publish my public keys (also available via `pgp.mit.edu` and `keyserver.ubuntu.com`)
+
+
+### Commit/Tag Signing Key
+
+Commits will be signed with the private key associated with the following public key (key ID `4C1EBA9B`)
+
+    -----BEGIN PGP PUBLIC KEY BLOCK-----
+    Version: GnuPG v1
+
+    mQINBF+kIL0BEAC45p4yrnhPUxVm/qi657izwMGtXpZgOwgWcp6bVOMBBX/MVWDD
+    xXWy0h+GscNkEaQ3IGROsJR9uMfDiKmuHT8I6VKW+E/NYdVZ1OrxDA8gniAdbzLN
+    oUXM9703RB+u+4E1VXNnJjMlssl/CSVi/LTiwag9IgeN11lmk9AW3cxMwb+2S8TH
+    ltpJN3RfW7W6GaOgnlVOAPxRlsEHYw9SMn8SJskXqXiDhD67+6uQ19WC504dZWHs
+    OD7s9WUWoM37PmhM4YJ9Q5C1bJYkCicbRoDbFAF3PlK3BIFZkRJzjDd005+jK6aG
+    NuJkIl1bkGHsOQwiOFzfgASQ8naGAm8sf4UMZG9jypvTDAxfXMjfXqie0zbt08pv
+    YQPHTEZELD2reWOW+NFXddD8SS3l3yNaZ7y8TTNcVTTAHj2l4qhOTNM/Egk0wC4j
+    DRNZb/++WcVtO2/xm4oYbPg8F7NKO8tsC4twdAtIVTybxyq1SGdNBt8SMJwPP4XG
+    LB5O6rOOmzv2bHsXCmlyHMUpEUe5QP08ScWg07sAZkq6vZzFAT/FPEgfmC6wdjrZ
+    n0VKTiAbCOGQiRpWS7CcfRNhwqBNEyr0aVrtpB0/I3cZ2rr4QVvRgHKxUI7TNomO
+    WFVWcuSt11w4rE8AbDLfwTWZndyT13VTjKeRsEJrCiXHZGgUreLKNPNoiwARAQAB
+    tDRCIFRhc2tlciAoQ29kZSBTaWduaW5nIEtleSkgPGdpdGh1YkBiZW50YXNrZXIu
+    Y28udWs+iQI4BBMBAgAiBQJfpCC9AhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIX
+    gAAKCRCNxlIXTB66m1mTD/9bkmOrV7fVgybR7ai0Hf5hWhIMR3xUfbZIrHiUD6Zk
+    HyFkOsqYZ1tJBnNM5VYjmvtzazK9/DPr8KvAbhTfTVlQHgQIHjC80l4dqUPoyOhD
+    opG3f/zHfIwEf+MqeWhs1Y8mNMEbYWerg7Cmsl4M05fiKl5HxJ80behgPv7GVAQy
+    RpivR8xSs1iYsUfedqhh6WxdyyNU3VceUK950Ydo6ZWggD9P6cGjrsmDLMrum86Q
+    XyXHX6v6lDwpwensXe4pjuRjQrrgs01uR80u40WEpcFFXfs8ysoN8Q6+d/jXrDDh
+    6V6Otap4n1tQiEHhNSkiIU1p5P9nVuo/YOi5i6gYlbFYKO6T1ya4T8Qu8H8E8wvK
+    fjQxuXM7pgEUcCakudxL+5+I2YEIwmFRNSUO7c/0eR5pS0M0bZ1+V0iSIvL11mel
+    W/W1VlLV4/wAV6K3QqZY8+OwPs6IfUlXR+f5nIjtW40Xqbr50puxoqc23KbvdfBz
+    ib7fHlVfIdQr0u/BQnRo4rbhneib/KYZtiv2tieHgAOMVlVnQfcOkOda5V/FnzTz
+    rlESlW99EFGuRAbzXXMgtC3UtDE6qgbrCnLDGVi5hva0efInr81oHQp+2iySUouA
+    32toS5vSzluYto5PJa6v3LqAKj35+HBKFY+/rCmDMYqtMLTEaTskvypjc/k0A8g2
+    /4kCHAQQAQIABgUCX6QlZQAKCRC373VIbgjNbytCD/48SO1S3NKge8F2CfTwAYFs
+    3SBewRKL3ay399OoI0eEtFXZRskXqM/1M6nZqwAxrn5yK5U3pup1e3PPcHxOlzya
+    SptC1FoIWVyaRKRc9PGEVKqMiCFqMmaRTq2iTtKgsU5cT0ZE434IyIDWoUqwtEau
+    D50EE3lltmGie1oYnvSxZmkD8OOxgRAszGQA4tO+4LQ0mqJmD2PjOLuxPHC+0sWx
+    179ODmPHXEIQBoYofQXc5HnmH3YFGaaRXljEj9hhDXBqqHC1Rm/RwYwI6ZQBguec
+    yAiM4QAM6ytT9IfMvvbR1lYnfiPF0lZHnSjq8omzlfHesKOIl6bnyaGRJ+ZoKToG
+    IBFp+Lb1xQzRDqZIoUXdTBxTrAAqSff6WTFt835TLNEUp0hE0Q1z6NzTflZeZzYE
+    JzQCsyHGvVXh//rATy2Gw4b+7I6NsW7ZRxwvzlqqhfBFCjNKTd8X6bCfzFvVz/2J
+    KxIuD7CQsCMumdd649XalWXr453cv13Dhxex4sCPWBfVgOgrDF3U5Gla+zKt8j5H
+    pY2oDBJlPCHK0PK/QeJaElOWzhGNI6oGAVxP6KI60dSAhhsXg3r8N/lSmj/ZAtcw
+    zIPlUF42e5n0jcqUoPEMv/AEZ7zVYeap15liq3otx8NyafLu11072wfqcYOmBJU5
+    XN5kM0BOmyI3ksiGMbCwvbkCDQRfpCC9ARAAzk9oQpVxDzg7GUJ5XaRpmmuc18fc
+    8LeR5Wr0LgIcqh6kfduVnuJ5B7JE6djPP7HQcFDNkKnVFemetcTG2o/murjvE+tm
+    EeK1J6aMohzlOVLoYcy9+TtD8Kr2O9Dpk1tkkVs+LJ3ypULcQEC/Y/JEwPy1fNtX
+    I792z+WSR47QSM3q7nR58UZL4CIgKst0zbftWZKH3WKhi+hCeoiuJZyms7tNMewa
+    vr8KtwDgob+IAem36UBHftjQacEKnGK84I2q8Kj54hBiAgBKichsu0iHWjd27LGo
+    AyCPam54wnbZrItsZr1b4YyqbmWMUj6/6eg9jUdTAREZhbT1O0fvhvfNOYj9Gr6a
+    ZCVA/rLYthpWgUD8U6xacO5jrsXW25bjMlGc0xo8j/oCFfDL3C1VH/eU0gSnHnKi
+    zfz2n6rxPiJLfs31J9RCm/e14oauqaFFpYjYF0OZ4GwSz2tG4ReCxHEYHb2lZwbo
+    u7RVRK+9lKyB/l111pHh++GH8maiO6+dcdJF7+gc3VTBmJyaOpcy06F0CxVDUuPK
+    eAMsLlJt7JEifF0JHhQBQAtv9XKVno0c4i3TnHKYEiCK4IEcqrX6XG3m/2JYAmyU
+    5p1/ennDoOSOxkGKtGgTJNmGK1RbP+OkHOu/GKwS1Gxhrdn5ag5dZcXn90jb/DBr
+    Eabi8Lu3sjv6AycAEQEAAYkCHwQYAQIACQUCX6QgvQIbDAAKCRCNxlIXTB66m/uN
+    D/96Cz8JQNi7nQyTIWCTJlvPaIAmqWUJu9WOHrhRs06M+bKO0iuRRXelfQCadKi8
+    v64K/UA8CO5INOYLix02hl7R0aebq823KZY21V/qi2r1o7zUCZ8dYc21QorhlIDf
+    QeS21SXwkjJ5bZ2oL+J7xammz2n3VA5Ms5mxv4pbWtAwymx60WbR0hRcsiG6u85h
+    do4SQOs/9BvbA4pcwPToGBe7dA6xrdgj0lmp1Fvni2j5Iqfd4zYUV84E7oS1+31N
+    0hpI/aecVm0WUVBuQXUd1kQPNQESZ5LVyxCVmfxT1kbqeA2Ew5vqqzVcgV4tNnnk
+    pvGzNhGTFfM+O/gguQgMgMQ5yJVypaBvYAhoTktE1UgosJ08TWjaHIKykgv3EY+X
+    r00jmon1GfLCBdfiOidPGPTxar4AnxwdD+FdM4BEaYJLEPlmjGyTji56fgqRQ9e6
+    /c7aGhWbEtRVmiw+ESsRhn23npLmIwL8ZihJmN4yzg9Gr3dpHRIqFZUC6fcU+9BT
+    pCjZAtgFFGTcEOhrNpRnpwXWWmcQhOEQYygNyPEwYI1NpojwqmIhcviMHYFOdJr1
+    hXkHNXsaln6CQvC3AS2xkxxlK5gsc0XmcGFa1Gf9VSkfedGLyUGDHX4HWDcRaY5F
+    9Xs6/XsFOBw+9n0oNtAwfztXCf+d09DjpHVsQP5DsrCfkA==
+    =asZz
+    -----END PGP PUBLIC KEY BLOCK-----
+
+
+
+### Signed By
+
+I've signed this key with my main private key - also visible on [about me](https://www.bentasker.co.uk/about-me)
+
+    -----BEGIN PGP PUBLIC KEY BLOCK-----
+    Version: GnuPG v1
+
+    mQINBFQCMhwBEADINbH3a1aW39OamZDFWgL/JmiAIpxpFFNhMYr4RbobbeWhc6Cr
+    KSyY5iEZ9VKm+tvv3tlkXeRe3bZ/Mb1nV09kpNiG9eqVoqZtsg9AEXKsO/HzI7eT
+    fkRU1zcqv4w27oDW3Rw4/AS1Tl83cTpUZAcEmYoGi4mfz5PJR91YUdFnDZU3Os15
+    CgeijwBSbh7wqeiJGLx5yqSxT0JaDCMbkliaQfLv7mN0APF7faGUQ7I301JAqaO1
+    4mwqaVdeNLJidrVHOQSr1D9jHyoX5i7bXgCv1xi8IJ/gTtO7pzjc8K3l4dYG7bkh
+    D6KJpuwZ0LtKdr7JguIZ/ik4cHpbgG1YGVDEqO3/c3qY8wUQSVpgYRSYnvgKxKe5
+    v41i6FSe43bNZSlk2L3W4gPvLSHkJSsmHYQLHPXv62arGiWfk2oeANJ45Tnr0s/s
+    NfRZ6BRyfuEsMcc06Q0Up00exNc6NkTmtiDt7X/QNuueiYWQkhHnDei1gzUKhIyU
+    8ZXtPZxw+ceyqbYTz5MMTASA1E0I+oMoegSSx2aVXOtnVffjSkcJZD645zWQAzEA
+    24CjukR2h5vAHciKOvw/q+vl5VTkhLQ4msasiLdY267kumtLPhI5JB/CtrEXclg7
+    UG91kFoRgSC/ttcVahE+wRZO8pLxzilkRwWg3+g/RdHNWsQfZ7jpiFamDwARAQAB
+    tClCIFRhc2tlciAoTWFpbiBLZXkpIDxiZW5AYmVudGFza2VyLmNvLnVrPokCOAQT
+    AQIAIgIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AFAl+lcJIACgkQt+91SG4I
+    zW+UMxAAlhzAc3bJuqzlxFmRD1UOcBInLlWFYSGi/K9Fcm1XRo/kRCTbE4Jn3lqZ
+    mOO27t7PgMJF8IoWGuwryvamYkABrtAcK7x2CVBMltzQXwjuQximfHUnorRXeeZL
+    0K1cxTSkcYixHrx+/xnnBnY6dj0AXNgw6ERl4xDAWhx2W65qy8eNULNZ4YACn+uh
+    YJb2Ns2oc+HqH6BvJTRCYzhq3TWFERfUTJtlcy98ejpyHE0+tPzUueE5qbVm44EF
+    oo2YTAlSqbNMN6bsaXwdzZETwWuU99VmIGlsHwSYzMtJ+tfwHoCs3W4Qs/kVYlX7
+    VCBS0Api9vdGyhLTjTRmKD1bAZrPalRtzrHVGC0yjDoZCkWMmA5QQifLoHnQ2HCH
+    17QxlzYO1fRn4EI8dM0vcSBujdG+Y/ggKl9q93dcSVIsBuGEUk4GF+VUyZeRbYMR
+    plJ+0QYCKywgmFbt1XWxH+qeJfjSr+nCHWmCgahOHh34UPbRfQ2Y+1Phi2q8souo
+    noj0zBC/n33qME/XEUq136LTn4WDiiCn8iPkg2W5evMSmQPBln5aY04Xk1Evcand
+    2it7PwuAqJ4mxqGUwZO19dqJZpXhxH5REgYYINJXX39rQsx8XQD0CqWuqDXyu6nJ
+    a7QBJ1waDqxgZ7u953nPG8ipqgUMM+KrFchnN2c1VIxt4khW/pO5Ag0EVAIyHAEQ
+    AJ7b/sxshiAERm+KTdsp0xsjShDWqEeq8VBxTg79LnZ9yMZjg+ZFL7H7EYquC7xo
+    ndJdzBxyx/DLVaCZ5Idwi3g3DUMJBOmmL2DrbXQy65VEuenlUyoMmpfGdKxqolpm
+    T7O2+5Bs5+1bIRbNOvFTjqyaaZrlsnsW+9RoCu+9slaO0sWEh9My/ru/KBnx3TPT
+    1ZJlfMF7cUdycI7PwqcmZ5nYa8Y7E4WbjK61rJHGpEQlXMrvfif3PEci1jZyYb3e
+    oZ2avqNFnAofAKUZyVAhq+9sRoFGWMzxRG9X4dCfFmUNzk8FIxnUG/sHpsuH16oi
+    ayw4S5rujuU9kshR+ktrRWjyAmZ9cVAMVok/r2Kvnxby7HVXzl9532FzyaTWglLF
+    elhLdHB1PXhc/WRtFHQdqgJ2jxssNPc5DyIcZzvRJXknOg1OJWZ7DzbRPbZ1EYOa
+    BNxsgCrphSwY6RwVHzBdzEJTFyka0vImi5yt1nBt3FAIlGAXh4qoInH/ioaooG2F
+    vfcsD7Rikgupx2TfK5cgvP3mPSjVP1FT28QnJXvAfCz1KIKYw//LMcu0p0jy1shd
+    tToaCUROpjctcNI5CUZHSdZrNB3dngdXdtvaHilAcVhkMumKvqSvZ7E/OXOoOhBl
+    cW+sLB6D6umtZIjFLrOXTpfJe2ilLrhwHSueuda/xrqjABEBAAGJAh8EGAECAAkC
+    GwwFAl+lcLIACgkQt+91SG4IzW9BWA//WLzYNt9XhkmiN6HGYgZmcgMn1Vbmjxm3
+    mA25313j9yjiLxadcaNcieV5Wk2+zEVWUHlIfOkNqGbPj6ADnXsZDV0hWywODhrl
+    EcSSfjEqjy6B6wfs79353clXTvSfkNHfCK5rzf4hAHnAebQXOZsCCdD3NsBsNMmQ
+    Tgo6TBli61hcuhsWRrfJZkhg4qSfLPZtNjvPmXP+I7zv+ldmywnr5aewjyOqQC8O
+    Lh+s40xxZ4y91I0chqpR2GWcITzXRg2cjRcuCQEJZOYzLP+515iuaMdmGQvUfges
+    2gUR10KdF/+Jy5oMcJG37RVYyZYKvxPKCkn84fwTQcadbL0y4801eKEZ/heZ5T8c
+    eOiFz4hCYh9A/ZH7Cf8BUVs/KlBnyjrLSGSOlMJIV+kDEpvHjq08JnlAbTi1HJCD
+    eLMzYQGUhpwrH2SXJ6EUoCbtjFblGwwY3wAxCepdsa26eolVrLfGKODftnJmj6PH
+    s0wjMGDVHHEvpkBiSzNGh4mHsKTxj6NEKa6OTa45/MFs3fwWSzGhuUuFhmAnI8Al
+    qYjaCUJb1mYLHoyAzIU1KYwmr3EEdFEP6VBxLsLTb9OI4M4i5t1Dht92+Z8gQ7P+
+    laJJtyUjatx+0NryabIH0LWchU//u9K/khNl4AHeOKe285HgDZmr7Gj2Wt6BT3bo
+    NL76zv0Cq2M=
+    =mmbj
+    -----END PGP PUBLIC KEY BLOCK-----
+
+
+----
+
+## Verifying
+
+In order to verify a signature, you'll need to import my public signing key in your keyring
+
+    gpg --recv-keys --keyserver keyserver.ubuntu.com 4C1EBA9B
+
+If you run `edit-key` on it, you should see I've signed it with my main key
+
+    $ gpg --edit-key 4C1EBA9B
+    gpg (GnuPG) 1.4.18; Copyright (C) 2014 Free Software Foundation, Inc.
+    This is free software: you are free to change and redistribute it.
+    There is NO WARRANTY, to the extent permitted by law.
+
+
+    pub  4096R/4C1EBA9B  created: 2020-11-05  expires: never       usage: SC  
+                        trust: unknown       validity: unknown
+    sub  4096R/9DBA26B6  created: 2020-11-05  expires: never       usage: E   
+    [ unknown] (1). B Tasker (Code Signing Key) <github@bentasker.co.uk>
+
+    gpg> check
+    uid  B Tasker (Code Signing Key) <github@bentasker.co.uk>
+    sig!3        4C1EBA9B 2020-11-05  [self-signature]
+    sig!         6E08CD6F 2020-11-05  B Tasker (Main Key) <ben@bentasker.co.uk>
+
+    
+You can then verify that it's been signed with my main key
+
+    curl -s https://www.bentasker.co.uk/about-me | sed -n '/-----BEGIN PGP PUBLIC KEY BLOCK-----/,/^-----END PGP PUBLIC KEY BLOCK-----/p' | tee btasker_pub_key.key
+    
+
+Check the fingerprint matches below
+
+    $ cat btasker_pub_key.key | gpg --with-fingerprint
+    pub  4096R/6E08CD6F 2014-08-30 B Tasker (Main Key) <ben@bentasker.co.uk>
+        Key fingerprint = C01D 970B 3A24 1689 2C1E  D42F B7EF 7548 6E08 CD6F
+    sub  4096R/4219F5B2 2014-08-30
+
+Then import and sign with your own key so that it becomes trusted
+
+    gpg --import btasker_pub_key.key
+    gpg --edit-key 6E08CD6F
+    sign
+    y
+    [password]
+
+Signing the key also means that if, in future, I rotate my code signing keys you should only need to import the new public key for commits to verify.    
+    
+Clone the relevant repo down, and then use `verify-commit` along with the commit reference in order to verify the signature
+
+    $ git verify-commit d12f725aa589ea16d1551cf8d4507cddbe307c22
+    gpg: Signature made Thu 05 Nov 2020 16:23:43 GMT using RSA key ID 4C1EBA9B
+    gpg: checking the trustdb
+    gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
+    gpg: depth: 0  valid:   1  signed:   1  trust: 0-, 0q, 0n, 0m, 0f, 1u
+    gpg: depth: 1  valid:   1  signed:   1  trust: 0-, 0q, 0n, 0m, 1f, 0u
+    gpg: depth: 2  valid:   1  signed:   0  trust: 1-, 0q, 0n, 0m, 0f, 0u
+    gpg: Good signature from "B Tasker (Code Signing Key) <github@bentasker.co.uk>"
+
+If you're verifying a release, you can also use `git verify-tag`