add more details and reorganize test plan

.github/pull_request_template.md

@@ -4,8 +4,22 @@ Name of package:
 
 ### Test plan
 
-- [ ] Tag in securedrop-workstation repository is correct: https://github.com/freedomofpress/securedrop-workstation/releases/tag/x.y.z
-- [ ] Build logs are included: https://github.com/freedomofpress/build-logs/commit/1234
-- [ ] CI is passing, the rpm is properly signed with the prod key
-- [ ] Manually verify that the rpm is properly signed with the prod key by running `rpm -qi <rpm>` and copy pasting the Signature KEY ID into `gpg -k <KEY ID>`
-- [ ] Unsigned RPM after running `rpm --delsign` (in Debian Stable) on the signed RPM results in the checksum found in the build logs
+References:
+- Tag: https://github.com/freedomofpress/securedrop-workstation/releases/tag/x.y.z
+- Build logs: https://github.com/freedomofpress/build-logs/commit/1234
+- Prod signing key: https://github.com/freedomofpress/securedrop-workstation-prod-rpm-packages-lfs/blob/HEAD/pubkeys/prod.key
+
+- Verfify the tag and chages being released:
+  - [ ] The tag is correct: https://github.com/freedomofpress/securedrop-workstation/releases/tag/x.y.z
+  - [ ] The commits being released are what you expect: https://github.com/freedomofpress/securedrop-workstation/compare/a.b.c...x.y.z
+  - [ ] The tag is verified and signed with the prod signing key in the build logs
+  - [ ] The tag is checked out and used to build the RPM in the build logs
+- Verify the RPM:
+  - [ ] CI is passing
+  - [ ] The Signed RPM is signed with the prod signing key in the build logs
+    > * Download the signed RPM from this PR
+    > * Run `rpm qi <signed-rpm>` and copy the KEY ID onto your clipboard
+    > * Run `gpg -k <KEY ID>` (make sure you have the prod signing key in your GPG keyring)
+  - [ ] The Unsigned RPM checksum matches what's in the build logs
+    > * `rpm --delsign <signed-rpm>`
+    > * `sha256sum <unsigned-rpm>`