Hi Andy,

You are correct that those are alternative options. You actually had your key correctly added to the KEYS file. I believe the issue is that your key is only self-signed, so it cannot be verified through Andrew's web of trust. See key signing party instructions at: https://infra.apache.org/release-signing.html#key-signing-party.

Thanks,
QP

On Fri, May 13, 2022 at 6:47 AM Andy Grove <andygrov...@gmail.com> wrote:
>
> As Andrew notes in the current VOTE thread for DataFusion 8.0.0-rc2, there
> is an issue with the key I used to sign the release:
>
> gpg: Good signature from "Andy Grove <agr...@apache.org>" [unknown]
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the
>
> I found the current documentation a little lacking so could use some
> guidance on what I need to do, and I can then better document this in the
> repo.
>
> The KEYS file has this header:
>
> Users: pgp < KEYS
> gpg --import KEYS
> Developers:
> pgp -kxa <your name> and append it to this file.
> (pgpk -ll <your name> && pgpk -xa <your name>) >> this file.
> (gpg --list-sigs <your name>
> && gpg --armor --export <your name>) >> this file.
>
> Was I supposed to run both the pgp and gpg commands in the developer
> section? I perhaps naively assumed these were alternate options and I just
> ran the following:
>
> (gpg --list-sigs "Andy Grove" && gpg --armor --export "Andy Grove") >> KEYS
> svn commit KEYS -m "Add key for Andy Grove"
>
> Also, it wasn't immediately obvious to me how to install "pgpk" on Ubuntu.
>
> Were there other steps that I have missed?
>
> Thanks,
>
> Andy.
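
An added example, not part of the original thread or of any Apache tooling: one way to check whether a key carries only self-signatures, the condition the reply above describes. It reads `gpg --list-sigs --with-colons` output and counts certifications on user IDs made by any key other than the primary key. The function names, key IDs and sample listings are constructed for illustration.

```shell
#!/bin/sh
# Count user-ID certifications issued by keys other than the primary key.
# Input (stdin): output of `gpg --list-sigs --with-colons <key>`.
# A result of 0 means the key is only self-signed.
third_party_certs() {
  awk -F: '
    $1 == "pub" { primary = $5; in_uid = 0 }  # field 5 is the primary key ID
    $1 == "uid" { in_uid = 1 }                # following sig records certify this user ID
    $1 == "sub" { in_uid = 0 }                # sig records after sub are subkey bindings
    $1 == "sig" && in_uid && $5 != primary { n++ }  # field 5 is the signer key ID
    END { print n + 0 }
  '
}

# Constructed listing: a key whose only signatures are its own.
sample_self_signed() {
  cat <<'EOF'
pub:-:4096:1:AAAAAAAAAAAAAAAA:1652400000:::-:::scESC::::::23::0:
fpr:::::::::000000000000000000000000AAAAAAAAAAAAAAAA:
uid:-::::1652400000::0000000000000000000000000000000000000000::Example Signer <signer@example.invalid>::::::::::0:
sig:::1:AAAAAAAAAAAAAAAA:1652400000::::Example Signer <signer@example.invalid>:13x:::::10:
sub:-:4096:1:BBBBBBBBBBBBBBBB:1652400000::::::e::::::23:
sig:::1:AAAAAAAAAAAAAAAA:1652400000::::Example Signer <signer@example.invalid>:18x:::::10:
EOF
}

# Constructed listing: the same key after another key has certified its user ID.
sample_cross_signed() {
  cat <<'EOF'
pub:-:4096:1:AAAAAAAAAAAAAAAA:1652400000:::-:::scESC::::::23::0:
fpr:::::::::000000000000000000000000AAAAAAAAAAAAAAAA:
uid:-::::1652400000::0000000000000000000000000000000000000000::Example Signer <signer@example.invalid>::::::::::0:
sig:::1:AAAAAAAAAAAAAAAA:1652400000::::Example Signer <signer@example.invalid>:13x:::::10:
sig:::1:CCCCCCCCCCCCCCCC:1652500000::::Other Committer <other@example.invalid>:10x:::::10:
sub:-:4096:1:BBBBBBBBBBBBBBBB:1652400000::::::e::::::23:
sig:::1:AAAAAAAAAAAAAAAA:1652400000::::Example Signer <signer@example.invalid>:18x:::::10:
EOF
}

echo "self-signed only: $(sample_self_signed | third_party_certs) third-party certification(s)"
echo "cross-signed:     $(sample_cross_signed | third_party_certs) third-party certification(s)"

# Against a real keyring:
#   gpg --list-sigs --with-colons "<your name>" | third_party_certs
```

A non-zero count only shows that other keys have certified the user ID; a verifier still sees the warning unless one of those signers is on a trust path in the verifier's own keyring.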