I humbly submit for your consideration this patch to improve the KEYS file. Please review and help apply it against dev/fineract/KEYS at r75241 from https://dist.apache.org/repos/dist , and/or help me perfect it.
I say "dev KEYS file" because we currently have two out of sync files with committer keys. This has been the case for quite a while now, even before we added a newline yesterday to fix James's public key in "dev" (svn r75241). That's why my patch from yesterday looked so odd (one key missing)... I was working against the release KEYS file and assumed it was the same as the dev KEYS file. Here are the two files: dev: https://dist.apache.org/repos/dist/dev/fineract/KEYS release: https://dist.apache.org/repos/dist/release/fineract/KEYS The first one has a key from Manoj Mohanan (id: 0xB87CFCD0AE2E7E6F), the second does not. Please advise... should the key be included? Anyway, that explains why my earlier patch "deleted" Manoj's key. Regardless of the Manoj key issue, the attached patch may be applied to document each individual key and add explanatory text to the top of the file following guidance from https://infra.apache.org/release-signing.html#keys-policy . I reckon it'll be useful. 😉 Assuming we move forward and apply that patch, I'll then suggest simply copying the resulting KEYS file to release/fineract/KEYS. These should be kept in sync to make our lives simpler. And before you rightly ask why both exist: This is per https://infra.apache.org/release-signing.html#keys-policy (they are expected to match detached signatures found in sub-directories) 📣 Here's another shameless plug for keysigning parties <https://en.wikipedia.org/wiki/Key_signing_party> and the web of trust <https://en.wikipedia.org/wiki/Web_of_trust>. Both are truly elegant and empowering ways to, paradoxically, *not* have to trust what you find on one or other download page, rather, to leverage personal human connections and the strongest encryption we have at our disposal to provide strong assurances of data integrity and sender intent. 🔐 improve-keys-v2.patch.asc is a detached signature I created with gpg --detach-sign improve-keys-v2.patch . If you have my key you can verify my patch with, for example: gpg --verify improve-keys-v2.patch.asc (assuming both files are in the same folder).
-----BEGIN PGP SIGNATURE----- iHUEABYKAB0WIQQlB3W9tf59U+SvlcAOiVoaegkM/AUCZ8dqDgAKCRAOiVoaegkM /JQ2AP9A/gxRlYZtgmxvBbdR2TDo4LHjXXtmM77cXpRaKk6YZwD8DSJh/4IOd3Pv GoDrg80kMqD+FHdgzkQ1CEWN/8ivDQ4= =uADx -----END PGP SIGNATURE-----
Index: KEYS =================================================================== --- KEYS (revision 75245) +++ KEYS (working copy) @@ -1,3 +1,53 @@ +This is the collection of public developer keys for Apache Fineract. +The canonical name for this file is "KEYS". + + +The format of this file is: + + KEY DESCRIPTION + + PUBLIC KEY DATA + + + KEY DESCRIPTION + + PUBLIC KEY DATA + + + KEY DESCRIPTION + + PUBLIC KEY DATA + +...and so on. + + +This file may be fed directly into PGP verification software such as GnuPG. +GnuPG will ignore everything besides public key data. +Examples for users: + + # parse this file + gpg < KEYS + + # import all keys + gpg --import KEYS + +Examples for developers: + + # add your key + (gpg --list-sigs <your name> && gpg --armor --export <your name>) >> KEYS + +See also: + +* https://fineract.apache.org +* https://infra.apache.org/openpgp.html +* https://infra.apache.org/release-signing.html#keys-policy + + +pub rsa4096/0x8CB2BDA8B983100D 2016-04-06 [SC] + Key fingerprint = BDD1 5D65 9567 9C02 B523 1CE2 8CB2 BDA8 B983 100D +uid Adi Raju (CODE SIGNING KEY FOR APACHE FINERACT) <[email protected]> +sub rsa4096/0x2B9FE5719249AC7F 2016-04-06 [E] + -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v2 @@ -51,12 +101,12 @@ =6fEZ -----END PGP PUBLIC KEY BLOCK----- -pub 4096R/0CB6C40C 2016-05-03 -uid [ultimate] Shaik Nazeer Hussain (CODE SIGNING KEY) <[email protected]> -sig 3 0CB6C40C 2016-05-03 Shaik Nazeer Hussain (CODE SIGNING KEY) <[email protected]> -sub 4096R/677BDBB7 2016-05-03 -sig 0CB6C40C 2016-05-03 Shaik Nazeer Hussain (CODE SIGNING KEY) <[email protected]> +pub rsa4096/0xDAB52C0F0CB6C40C 2016-05-03 [SC] + Key fingerprint = A2EC 4806 503A 5DE1 342E A889 DAB5 2C0F 0CB6 C40C +uid Shaik Nazeer Hussain (CODE SIGNING KEY) <[email protected]> +sub rsa4096/0x0BBFB4D9677BDBB7 2016-05-03 [E] + -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v2 @@ -110,6 +160,12 @@ =58aJ -----END PGP PUBLIC KEY BLOCK----- + +pub rsa4096/0x80C4D8890BB29444 2016-06-29 [SC] + Key fingerprint = AF4F D65D E78C A5B1 BF30 939F 80C4 D889 0BB2 9444 +uid Shaik Nazeer Hussain (CODE SIGNING KEY) <[email protected]> +sub rsa4096/0x8F8F1CC9F11A0D70 2016-06-29 [E] + -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1 @@ -162,13 +218,13 @@ LL2vnTLdck1AuKud7WX9r3mLnkT9LdB3ZTvd8oZt0cE= =T96K -----END PGP PUBLIC KEY BLOCK----- -pub rsa2048 2018-01-18 [SC] [expires: 2020-01-18] - 68053152E5B482B9191394C37EACD80938F84C72 -uid [ultimate] Avik Ganguly <[email protected]> -sig 3 7EACD80938F84C72 2018-01-18 Avik Ganguly <[email protected]> -sub rsa2048 2018-01-18 [E] [expires: 2020-01-18] -sig 7EACD80938F84C72 2018-01-18 Avik Ganguly <[email protected]> + +pub rsa2048/0x7EACD80938F84C72 2018-01-18 [SC] [expired: 2020-01-18] + Key fingerprint = 6805 3152 E5B4 82B9 1913 94C3 7EAC D809 38F8 4C72 +uid Avik Ganguly <[email protected]> +sub rsa2048/0xE6F9186011BC67F9 2018-01-18 [E] [expired: 2020-01-18] + -----BEGIN PGP PUBLIC KEY BLOCK----- mQENBFpgpxsBCACu1ucz7MbUpLxRWLs+Fr44DufQ7HTv9hJ7m2sTjqQt8a1/H04T @@ -199,13 +255,13 @@ ZLoDsREpadZH1qxU4uSQdYFhMsC83J6XrOMF4Ze3mwBDwcbwHnQ5 =Qls/ -----END PGP PUBLIC KEY BLOCK----- -pub rsa4096 2018-11-28 [SC] - 7B6CD112E36EA69C94583F1906C8222D2397CEA8 -uid [ultimate] Shruthi Rajaram (CODE SIGNING KEY) <[email protected]> -sig 3 06C8222D2397CEA8 2018-11-28 Shruthi Rajaram (CODE SIGNING KEY) <[email protected]> -sub rsa4096 2018-11-28 [E] -sig 06C8222D2397CEA8 2018-11-28 Shruthi Rajaram (CODE SIGNING KEY) <[email protected]> + +pub rsa4096/0x06C8222D2397CEA8 2018-11-28 [SC] + Key fingerprint = 7B6C D112 E36E A69C 9458 3F19 06C8 222D 2397 CEA8 +uid Shruthi Rajaram (CODE SIGNING KEY) <[email protected]> +sub rsa4096/0x249A18CB2A6D1F82 2018-11-28 [E] + -----BEGIN PGP PUBLIC KEY BLOCK----- mQINBFv+cpMBEADBAdEJi+iEFmbTyezh7tcZvwgfmzgfSgam2lMG6L4wHbcVVjKp @@ -259,6 +315,12 @@ =/lw/ -----END PGP PUBLIC KEY BLOCK----- + +pub rsa4096/0x487B2C687CEDFA72 2020-07-30 [SC] + Key fingerprint = 4A62 4DE1 09F7 7CD8 A574 6793 487B 2C68 7CED FA72 +uid Aleksandar Vidakovic (Apache Fineract Release Manager) <[email protected]> +sub rsa4096/0xE0842E0003715551 2020-07-30 [E] + -----BEGIN PGP PUBLIC KEY BLOCK----- mQINBF8iGq0BEADGRqeSsOoNDc1sV9L7sQ34KhmoQrACnMYGztx33TD98aWplul+ @@ -312,6 +374,12 @@ =95/E -----END PGP PUBLIC KEY BLOCK----- + +pub rsa4096/0xDE6FCF80F8144D71 2021-05-21 [SC] + Key fingerprint = E6DA 4774 AAB0 0501 6380 2D57 DE6F CF80 F814 4D71 +uid Petri Tuomola (CODE SIGNING KEY) <[email protected]> +sub rsa4096/0x7AB3848093F533DF 2021-05-21 [E] + -----BEGIN PGP PUBLIC KEY BLOCK----- mQINBGCntgMBEADBlTN0ybMZd5Z0a6V1SFGVOd7O+bW8881z/DQkSa/ul0Hx+gWC @@ -364,6 +432,8 @@ K0u+MOwvlnzWgIQER3+910S9ieeRrw== =GXI6 -----END PGP PUBLIC KEY BLOCK----- + + pub rsa3072/B87CFCD0AE2E7E6F 2022-10-11 [SC] [expires: 2024-10-10] 651B5B65583B9848E8AF18F2B87CFCD0AE2E7E6F uid [ultimate] Manoj Mohanan <[email protected]> @@ -410,6 +480,12 @@ =QbVb -----END PGP PUBLIC KEY BLOCK----- + + +pub ed25519/0x4F169FF263F5F98E 2024-05-02 [SC] [expires: 2027-05-02] + Key fingerprint = BD58 EA9F 8520 1ADB 52CF C044 4F16 9FF2 63F5 F98E +uid James Patrick Dailey <[email protected]> +sub cv25519/0xF794D8D50C02A895 2024-05-02 [E] [expires: 2027-05-02] -----BEGIN PGP PUBLIC KEY BLOCK----- mDMEZjQMBRYJKwYBBAHaRw8BAQdAdp1SHI8Vwu0dXB1iDzD4qPXD2nu9XDiDv895 @@ -424,4 +500,3 @@ M8zo0go= =Og7i -----END PGP PUBLIC KEY BLOCK----- -
