Yeah, should be as easy as running verify_treehashes from cryptic

But we won't have the private key available, so we need to do it with only the public key.

If I understand correctly, the verify_treehashes script requires the private key, right?

Could we refactor the verify_treehashes script to use the public key instead?

Could we refactor the verify_treehashes script to use the public key instead?

Yep, I did that! So we're one step closer. :)

@DilumAluthge since we're doing some mad wizardry via buildkite in this repo, it would be a little painful to have a buildkite job here that we don't have on base Julia. So can we add the verify_treehashes step as a GHA?

FWIW I'd be totally fine running that job on Base Julia as well. It should be very quick.

And probably it makes sense to have the CI on this repo just exactly mirror the CI on Base.

Okay, we'll put it in the same place as whitespace.yml then

One of the most frequent mistakes that I make is forgetting to update the signatures. Obviously we'll catch that when we run the test job on our test repo. But I would much rather catch that mistake sooner, before I merge the PR here.

This is no longer an issue. Every PR that is opened to this repo now has the full Base Julia CI suite run on it before we merge the PR into this repo. So, there is actually no longer a need for a separate signature check.

I think it would still be good to implement this. Buildkite can take a while to run, but a GitHub Actions CI job (to verify the signatures) would run really quickly, and would provide immediate feedback.