Here's some info for you: https://infra.apache.org/release-signing.html
And some general info about release publishing: https://infra.apache.org/release-publishing.html On Sun, 2 Aug 2020 at 14:47, Davyd McColl <dav...@gmail.com> wrote: > > Having never signed release artifacts before, I'm likely to Do It Wrong. Is > there any Signing For Dummies you could recommend to get going on the right > foot? > > -d > > > On August 2, 2020 21:31:43 Matt Sicker <boa...@gmail.com> wrote: > > > So far it looks good (though I'm not a .net developer, so I can't > > speak from that side). There's one more thing we need from this to > > make it a proper release. You'll need to add a GPG signature for the > > artifacts as well. We'll need to import your signing key to > > https://downloads.apache.org/logging/KEYS for users to verify the > > release is genuine. Please email me a copy of your public key for that > > so I can sign and add it to our KEYS file. This key should be an RSA > > 4096-bit GPG key, and it should also be uploaded to a public keyserver > > like https://sks-keyservers.net/ > > > > For signing the files, add a detached ascii signature file (.asc) for > > the distributable files. As a bonus, you can also sign the git tag you > > created with the same key, but that's not required. > > > > On Fri, 31 Jul 2020 at 01:28, Davyd McColl <dav...@gmail.com> wrote: > >> > >> Apologies if there's any confusion around sender address -- I've already > >> fluffed this by sending from my work account (default in my mail client) > >> > >> -d > >> > >> On 2020/07/31 08:26:54, Davyd McColl <davyd.mcc...@codeo.co.za> wrote: > >> Hi all, I've never done this before, so bear with me if I fluff it: > >> > >> This is a proposed vote to release log4net 2.0.9 from PR > >> https://github.com/apache/logging-log4net/pull/61 > >> > >> Release artifacts (including source zip) are at: > >> https://ci.appveyor.com/project/fluffynuts/logging-log4net/builds/34063235/artifacts > >> Source can be checked out from > >> https://github.com/fluffynuts/logging-log4net/logging-log4net, tag > >> rel/2.0.9. I can't push tags to the upstream, but this tag is exactly the > >> same commit as the last in the PR mentioned above, which was accepted into > >> master a few days ago. > >> > >> Please check out the artifacts & if everyone is ok with what's there, > >> please can someone with the rights to publish to nuget do so. > >> > >> Once I've seen how this process works, I'd like to tackle the CVE that has > >> been brought up on this list more than once -- it's a simple change which > >> was already committed to the develop branch some time ago, so there are a > >> couple of options here: > >> 1. cherry-pick that commit & do a 2.0.10 release pronto, with only that > >> change > >> 2. trawl the develop branch to see what else was already solved in there, > >> and get that out as 2.0.10, and perhaps close out that branch to avoid > >> future confusion. > >> > >> Thanks for your time > >> -d > > > > > > > > -- > > Matt Sicker <boa...@gmail.com> -- Matt Sicker <boa...@gmail.com>
