MAINT: gpg versions, signing, and release docs/ steps

[tylerjereddy]

On some popular platforms, you basically need to use GPG2 if you want to use gpg-agent to avoid entering your signing credentials over and over when handling various assets during the SciPy release process.

In practice, this meant a few things for me, that maybe should be documented in release process description, but code changes would be harder since gpg2 is still gpg on some platforms.

We could perhaps mention that the following might be needed for platforms with gpg2 requirements:

• git config --global gpg.program gpg2 for git tag -s commands
• twine upload -s --sign-with gpg2 to avoid calling old gpg & requiring password each time

It is still harder than that to have everything "just work" portably on any given release managers platform with no manual intervention though. Locally, I also needed:

diff --git a/pavement.py b/pavement.py
index e439db680..6caa734ff 100644
--- a/pavement.py
+++ b/pavement.py
@@ -685,7 +685,7 @@ SHA256
         ftarget.writelines(['%s\n' % c for c in compute_sha256(idirs)])

     # Sign release
-    cmd = ['gpg', '--clearsign', '--armor']
+    cmd = ['gpg2', '--clearsign', '--armor']
     if hasattr(options, 'gpg_key'):
         cmd += ['--default-key', options.gpg_key]
     cmd += ['--output', str(target), str(tmp_target)]

But that may break things for platforms & distributions where gpg is actually gpg2 instead of the old version.

I didn't have much success aliasing the old name to the new command / executable & having gpg-agent use it, but others may have better success with that.

[rgommers]

feel free to make that change in pavement.py I think, with a comment that says "if this doesn't work for you, change to gpg".