[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

RE: pgp keys for signing releases

From: Bert Huijben <bert_at_qqmail.nl>
Date: Thu, 28 Apr 2016 08:33:02 +0200

Not entirely sure, but I think you should still publish your pgp key to the major key stores. Once you put your fingerprint on id.apache.org, it knows how to fetch your key from there.


Sent from Mail for Windows 10

From: Stefan
Sent: donderdag 28 april 2016 01:15
To: dev_at_subversion.apache.org
Subject: pgp keys for signing releases

finishing up the creation of my apache key for signing SVN releases I ran into some details in the docs which seem to be outdated/unclear to me:
The SVN community-guide [1] states:
"Members of the PMC, as well as enthusiastic community members are encourages to download the tarballs from the preliminary distribution location, run the tests, and then provide their signatures. The public keys for these signatures should be included in the ASF LDAP instance through id.apache.org. (A list of the current public keys for members of the Subversion PMC is autogenerated from LDAP each day.)"
1. on id.apache.org I seem to only be able to specify the fingerprint of my key, but I can't find a way to upload the complete public key. Is this outdated? Is the process now picking up the key from the public keyservers based on the fingerprint I enter there?
2. The link to the "current public keys" causes a 404 to me. I take it this one is the correct/new link (taken from releases.py): https://people.apache.org/keys/group/subversion.asc
3. If the new link I mention in no 2 is right, does the absence of the "-pmc" in the filename mean that that file contains now all keys from all contributors (including the partial contributers) instead of only the ones from the PMC and hence my key will be added automatically too without me having to do anything else?
On the other hand the Apache release signing documentation [2] states:
"The KEYS file is stored alongside the release archives to which it applies, e.g. at the top level of the ASF mirror area for the project. This is to ensure that it is available for download by users, and that it is automatically archived with historic releases.
Note: this system will be replaced by a better process in the near future. In preparation, please ensure that public keys are connected as strongly as possible to the Apache web of trust and are available from the major public key servers."
4. Am I assuming right that this process already took place and the reference of having to manually my public key to the KEYS file is therefore obsolete? If not, where is the file located for the Subversion project. I didn't find it on dist/subversion and failed to locate it on subversion/trunk.
While writing this mail, I see that here's [3] now a list of (presumably) all Apache committers and my key is also listed there. So I take it that everything worked and all the other steps I read on the documentation are no longer required indeed, no?
[1] https://subversion.apache.org/docs/community-guide/releasing.html#tarball-signing
[2] http://www.apache.org/dev/release-signing.html#keys-policy
[3] https://people.apache.org/keys/committer/
Received on 2016-04-28 08:33:05 CEST

This is an archived mail posted to the Subversion Dev mailing list.