I've met ningjiang and exchanged our keys. You may check the new signed key on https://keyserver.ubuntu.com/pks/lookup?op=index&fingerprint=on&search=0x8B374472FAD328E17F479863B379691FC6E298DD .
I don't know whether it now fits the requirement of WoT or I should push the new armored public key to KEYS file.

Best,
tison.


tison <wander4...@gmail.com> wrote on Fri, Jul 1, 2022 at 21:57:

> Hi Jordan,
>
> There are two things you may help:
>
> 1. I'm unsure whether it's a strong requirement that signing keys must
> happen with an offline meeting, but if you trust my public key, you can gpg
> trust it with your code signing key:
> gpg --sign-key ti...@apache.org
> gpg --output signed.key --export --armor ti...@apache.org
> # and send me the signed.key
>
> 2. Directly import KEYS from https://www.apache.org/dist/curator/KEYS and
> verify 5.2.1 source release zip file gives me:
> apache-curator-5.2.1-source-release.zip
> gpg: Signature made 一 3/14 16:07:11 2022 CST
> gpg: using RSA key BBE7232D7991050B54C8EA0ADC08637CA615D22C
> gpg: Good signature from "Enrico Olivelli <eolive...@apache.org>" [unknown]
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the owner.
> Primary key fingerprint: BBE7 232D 7991 050B 54C8 EA0A DC08 637C A615 D22C
>
> Although I can see Enrico's key is trusted by multiple committers:
> https://keyserver.ubuntu.com/pks/lookup?op=index&fingerprint=on&search=0xBBE7232D7991050B54C8EA0ADC08637CA615D22C
> I'd like to know what output you get if verify signing on 5.2.1 source
> release. I don't know how to import the WoT infos, also.
>
> Best,
> tison.
>
>
> Jordan Zimmerman <jor...@jordanzimmerman.com> wrote on Fri, Jul 1, 2022 at 19:32:
>
>> I've never done the authentication side before - but if I can help let me
>> know
>>
>> > On Jul 1, 2022, at 12:14 PM, tison <wander4...@gmail.com> wrote:
>> >
>> > Although still I don't know how to import the WoT, but it seems I can find
>> > committers in the WoT in my city and meet locally personally to join the
>> > WoT. Will try it out.
>> >
>> > Best,
>> > tison.
>> >
>> >
>> > tison <wander4...@gmail.com> wrote on Fri, Jul 1, 2022 at 18:26:
>> >
>> >> Hi Jordan,
>> >>
>> >> Thanks for reviewing the release candidate.
>> >>
>> >> I read the doc and try to verify 5.2.1 release artifact and get:
>> >>
>> >> apache-curator-5.2.1-source-release.zip
>> >> gpg: Signature made 一 3/14 16:07:11 2022 CST
>> >> gpg: using RSA key BBE7232D7991050B54C8EA0ADC08637CA615D22C
>> >> gpg: Good signature from "Enrico Olivelli <eolive...@apache.org>" [unknown]
>> >> gpg: WARNING: This key is not certified with a trusted signature!
>> >> gpg: There is no indication that the signature belongs to the owner.
>> >> Primary key fingerprint: BBE7 232D 7991 050B 54C8 EA0A DC08 637C A615 D22C
>> >>
>> >> It also has the warning printed. Did I miss something to import?
>> >>
>> >> BTW, I may not have opportunity to attend an offline Apache meetup in this
>> >> month, which seems the only approach to join the WoT.
>> >>
>> >> Best,
>> >> tison.
>> >>
>> >>
>> >> Jordan Zimmerman <jor...@jordanzimmerman.com> wrote on Fri, Jul 1, 2022 at 17:53:
>> >>
>> >>> Hi,
>> >>>
>> >>> Zili - your PGP key isn't in the WOT. That should be done before I make
>> >>> my vote. Apache has docs on this here:
>> >>> https://infra.apache.org/release-signing.html#web-of-trust
>> >>>
>> >>> i.e. when I verify the hashes I get:
>> >>>
>> >>> gpg: Signature made Thu Jun 30 17:54:38 2022 WEST
>> >>> gpg: using RSA key 8B374472FAD328E17F479863B379691FC6E298DD
>> >>> gpg: Good signature from "Zili Chen (CODE SIGNING KEY) <ti...@apache.org>" [unknown]
>> >>> gpg: WARNING: This key is not certified with a trusted signature!
>> >>> gpg: There is no indication that the signature belongs to the owner.
>> >>> Primary key fingerprint: 8B37 4472 FAD3 28E1 7F47 9863 B379 691F C6E2 98DD
>> >>>
>> >>> -Jordan
>> >>>
>> >>>> On Jun 30, 2022, at 6:21 PM, tison <wander4...@gmail.com> wrote:
>> >>>>
>> >>>> Hello,
>> >>>>
>> >>>> This is the vote for Apache Curator version 5.3.0
>> >>>>
>> >>>> *** Please download, test and vote within approx. 72 hours
>> >>>>
>> >>>> Note that we are voting upon the source (tag) and binaries are provided for
>> >>>> convenience.
>> >>>>
>> >>>> Link to release notes:
>> >>>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12314425&version=12351883
>> >>>>
>> >>>> Staging repo:
>> >>>> https://dist.apache.org/repos/dist/dev/curator/5.3.0/
>> >>>>
>> >>>> Binary artifacts:
>> >>>> https://repository.apache.org/content/repositories/orgapachecurator-1053
>> >>>>
>> >>>> The tag to be voted upon:
>> >>>> https://github.com/apache/curator/releases/tag/apache-curator-5.3.0
>> >>>>
>> >>>> Curator's KEYS file containing PGP keys we use to sign the release:
>> >>>> https://www.apache.org/dist/curator/KEYS
>> >>>>
>> >>>> [ ] +1 approve
>> >>>> [ ] +0 no opinion
>> >>>> [ ] -1 disapprove (and reason why)
>> >>>>
>> >>>> Best,
>> >>>> tison.
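
The gpg output quoted in this thread reports two separate facts: the signature is cryptographically good, and the signing key has no certification path from the verifier's own key. As an added example (not part of the original messages, and not Apache tooling), the shell function below separates those two facts by reading gpg's machine-readable `--status-fd` lines and comparing the primary key fingerprint with the one expected from the KEYS file. The function names `classify_gpg_status` and `sample_status` are hypothetical, the sample status lines are constructed (timestamps and algorithm fields are illustrative), and one signature per status stream is assumed.

```shell
#!/bin/sh
# Added example: classify `gpg --status-fd` output read on stdin.
# $1 = expected primary key fingerprint (spaces allowed), taken from a
#      source you trust, such as the project's KEYS file.
# Prints one verdict; returns 0 = good and certified, 1 = good but key
# not certified (the case in this thread), 2 = bad signature or wrong key.
classify_gpg_status() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v want="$expected" '
        $1 != "[GNUPG:]"                 { next }
        $2 == "BADSIG" || $2 == "ERRSIG" { bad = 1 }
        $2 == "GOODSIG"                  { good = 1 }
        # Last VALIDSIG field is the primary key fingerprint.
        $2 == "VALIDSIG"                 { fpr = toupper($NF) }
        $2 ~ /^TRUST_/                   { trust = $2 }
        END {
            if (bad || !good || fpr == "") { print "BAD_SIGNATURE"; exit 2 }
            if (fpr != want)               { print "WRONG_KEY";     exit 2 }
            if (trust == "TRUST_FULLY" || trust == "TRUST_ULTIMATE") {
                print "GOOD_TRUSTED"; exit 0
            }
            print "GOOD_UNCERTIFIED"; exit 1
        }'
}

# Constructed status lines matching the 5.2.1 verification quoted above:
# good signature, key present in the keyring, no trust path.
sample_status() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG DC08637CA615D22C Enrico Olivelli <eolive...@apache.org>
[GNUPG:] VALIDSIG BBE7232D7991050B54C8EA0ADC08637CA615D22C 2022-03-14 1647245231 0 4 0 1 10 00 BBE7232D7991050B54C8EA0ADC08637CA615D22C
[GNUPG:] TRUST_UNDEFINED 0 pgp
EOF
}

# Real use: gpg --status-fd 1 --verify SIGNATURE_FILE RELEASE_FILE 2>/dev/null \
#             | classify_gpg_status "FINGERPRINT FROM KEYS"
sample_status |
    classify_gpg_status "BBE7 232D 7991 050B 54C8 EA0A DC08 637C A615 D22C" ||
    echo "exit status $?"
```

A `GOOD_UNCERTIFIED` verdict means the artifact was signed by the key whose fingerprint you supplied; whether that fingerprint really belongs to the release manager is what the web of trust, or an out-of-band fingerprint check, establishes.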