On Thu, Sep 11, 2025 at 7:41 PM Jinwoo Hwang <[email protected]> wrote:
> Geode's KEYS file containing PGP keys we use to sign the release: > https://github.com/apache/geode/blob/develop/KEYS When I try to verify https://dist.apache.org/repos/dist/release/geode/1.15.2/apache-geode-1.15.2.tgz it seems to be signed by 62F7DA41B7D8F26C which I do not find in https://github.com/apache/geode/blob/develop/KEYS. From http://keyserver.ubuntu.com:11371/pks/lookup?search=62F7DA41B7D8F26C&fingerprint=on&op=index it seems this is Jinwoo's key. Jinwoo: can you confirm this is indeed your key? If so, can we add this key to the KEYS file? There seem to be some docs around this in https://cwiki.apache.org/confluence/display/GEODE/Releasing+Apache+Geode Kind regards, -- Arnout Engelen ASF Security Response Apache Pekko PMC member, ASF Member NixOS Committer Independent Open Source consultant
