In the long run you don’t want to be regenerating your signing key for every 
release. The point is that you would upload the key to a central keystore and 
other people would sign it there. At ApacheCon we would have a key signing 
“party” where we recorded each other's keys and then would take our list and 
update the central keystore. When people verify the key they can look at the 
keystore and see that it is signed by a number of people, who then have their 
keys signed by a number of people and so on, so you are building a web of trust.
Sooner or later there will be someone in that web that you personally know and 
trust.

Ralph

> On Sep 19, 2020, at 11:26 PM, Davyd McColl <dav...@gmail.com> wrote:
> 
> Thanks Matt, I've updated the artifacts on GitHub to have detached 
> signatures. I had previously also uploaded my key to sks-keyservers.net, but 
> I've also uploaded to MIT, though search there always times out.
> 
> The document you've linked mentions face-to-face interactions to get my key 
> into the official KEYS file. Not sure how many apache people are at my end of 
> the world (Durban, South Africa), but I can do an online meeting if that 
> helps. Last release, Ralph said I should sign, so I did. I'm new to signing 
> release artifacts - I've generally relied on authentication during upload as 
> verification of authenticity, with 2FA wherever possible (GitHub and NPM; 
> nuget survives with an apikey - but for the last 2 releases, I've regenerated 
> the key on each use and only supplied it on the cli at upload, so as not to 
> store it locally)
> 
> -d
> 
> 
> On September 19, 2020 22:23:41 Matt Sicker <boa...@gmail.com> wrote:
> 
>> Oh and there's a bit of an issue with the signed files: it looks like
>> you included _signed files_ rather than detached signatures. Thus, the
>> .asc files are only verifying themselves rather than the accompanying
>> file.
>> 
>> There's a --detached option in gpg for this (yeah, it's always had a bad UI).
>> 
>> On Sat, 19 Sep 2020 at 15:19, Matt Sicker <boa...@gmail.com> wrote:
>>> 
>>> The KEYS file [1] that's linked on the download page does not have
>>> your key in it. Neither does the other KEYS file [2]. Check out [3] for
>>> more info.
>>> 
>>> [1]: https://downloads.apache.org/logging/log4net/KEYS
>>> [2]: https://downloads.apache.org/logging/KEYS
>>> [3]: https://infra.apache.org/release-signing.html#keys-policy
>>> 
>>> 
>>> 
>>> On Sat, 19 Sep 2020 at 12:48, Davyd McColl <dav...@gmail.com> wrote:
>>> >
>>> > Thanks Matt, I've done so. Hopefully that makes it easier to verify
>>> > artifacts that I have signed.
>>> >
>>> > -d
>>> >
>>> >
>>> > On September 18, 2020 23:11:48 Matt Sicker <boa...@gmail.com> wrote:
>>> >
>>> > > If you upload your key to your GitHub profile, that also makes it
>>> > > simple to find. For example, just add ".gpg" to your profile URL:
>>> > > https://github.com/fluffynuts.gpg
>>> > >
>>> > > On Fri, 18 Sep 2020 at 16:08, Remko Popma <remko.po...@gmail.com> wrote:
>>> > >>
>>> > >> +1 remko
>>> > >>
>>> > >> On Sat, Sep 19, 2020 at 5:56 AM Matt Sicker <boa...@gmail.com> wrote:
>>> > >>
>>> > >> > How about your gpg key? I don't think we've imported that to the KEYS
>>> > >> > file as far as I can tell?
>>> > >> >
>>> > >> > On Fri, 18 Sep 2020 at 15:53, Matt Sicker <boa...@gmail.com> wrote:
>>> > >> > >
>>> > >> > > Oh sorry, I didn't notice that you uploaded them there (wasn't even
>>> > >> > > aware that it was possible to be honest).
>>> > >> > >
>>> > >> > > On Fri, 18 Sep 2020 at 14:43, Davyd McColl <dav...@gmail.com> 
>>> > >> > > wrote:
>>> > >> > > >
>>> > >> > > > Hi Matt
>>> > >> > > >
>>> > >> > > > Release artifacts are available on the GitHub release page
>>> > >> > > > (https://GitHub.com/Apache/logging-log4net/releases) - expand the
>>> > >> > > > assets list if it's collapsed.
>>> > >> > > >
>>> > >> > > > I'll need someone to upload them to the downloads source as I
>>> > >> > > > think I don't have access to do so (if I'm wrong, I'd love to be
>>> > >> > > > corrected, because I'd be less of an annoyance then!). Ralph has
>>> > >> > > > stepped in to help here in the past.
>>> > >> > > >
>>> > >> > > > -d
>>> > >> > > >
>>> > >> > > >
>>> > >> > > > On September 18, 2020 20:09:07 Matt Sicker <boa...@gmail.com> wrote:
>>> > >> > > >
>>> > >> > > > > Do you have links to the release artifacts? The download page
>>> > >> > > > > links to the live site which doesn't have the artifacts yet since
>>> > >> > > > > they're not released yet. :)
>>> > >> > > > >
>>> > >> > > > > On Fri, 18 Sep 2020 at 09:05, Davyd McColl <davyd.mcc...@codeo.co.za> wrote:
>>> > >> > > > >>
>>> > >> > > > >> Hi all
>>> > >> > > > >>
>>> > >> > > > >> I have another potential release available: 2.0.11, tagged as rc/2.0.11
>>> > >> > > > >>
>>> > >> > > > >> Changes are really minor:
>>> > >> > > > >> - fixed assembly versioning (all assemblies should report 2.0.11.0
>>> > >> > > > >>   as their version now)
>>> > >> > > > >> - properly dispose of StreamWriters within logging appenders (thanks to
>>> > >> > > > >>   @NicholasNoise)
>>> > >> > > > >>
>>> > >> > > > >> Binaries are up at
>>> > >> > > > >> https://github.com/apache/logging-log4net/releases/tag/rc%2F2.0.11
>>> > >> > > > >> and I've pushed to asf-staging for logging, now up at
>>> > >> > > > >> https://logging.staged.apache.org/log4net/download_log4net.html
>>> > >> > > > >>
>>> > >> > > > >> Thanks
>>> > >> > > > >> -d
>>> > >> > > > >
>>> > >> > > > >
>>> > >> > > > >
>>> > >> > > > > --
>>> > >> > > > > Matt Sicker <boa...@gmail.com>
>>> > >> > >
>>> > >> > >
>>> > >> > >
>>> > >> > > --
>>> > >> > > Matt Sicker <boa...@gmail.com>
>>> > >> >
>>> > >> >
>>> > >> >
>>> > >> > --
>>> > >> > Matt Sicker <boa...@gmail.com>
>>> > >> >
>>> > >
>>> > >
>>> > >
>>> > > --
>>> > > Matt Sicker <boa...@gmail.com>
>>> 
>>> 
>>> 
>>> --
>>> Matt Sicker <boa...@gmail.com>
>> 
>> 
>> 
>> -- 
>> Matt Sicker <boa...@gmail.com>
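Matt's point about `.asc` files that turn out to be `gpg --sign` output (the signed file embedded in the message) rather than detached signatures (`gpg --armor --detach-sign`, short form `-b`) can be checked mechanically before anything is published. The Python below is an added example, not code from this thread or from the log4net project: it strips ASCII armor, walks the OpenPGP packet headers (RFC 4880) and reports whether a blob is a detached signature (signature packets only) or an embedded signed message. The fixtures are constructed packet shells with zero-filled bodies, not real signatures, and their CRC24 line is a placeholder.

```python
import base64
TAG_SIGNATURE, TAG_ONE_PASS_SIG, TAG_COMPRESSED, TAG_LITERAL = 2, 4, 8, 11  # RFC 4880 section 4.3

def dearmor(blob: bytes) -> bytes:  # raw packet bytes; ASCII armor (headers, blank line, CRC24) stripped
    if not blob.startswith(b"-----BEGIN PGP"):
        return blob                                  # binary .sig, nothing to strip
    lines = [ln.rstrip(b"\r") for ln in blob.split(b"\n")]
    end = next(k for k, ln in enumerate(lines) if ln.startswith(b"-----END PGP"))
    body = lines[1:end]
    if b"" in body:                                  # armor headers ("Version:", ...) end at a blank line
        body = body[body.index(b"") + 1:]
    return base64.b64decode(b"".join(ln for ln in body if not ln.startswith(b"=")))  # "=xxxx" = CRC line

def packet_tags(data: bytes) -> list:  # tag of every packet; old- and new-format headers (RFC 4880 4.2)
    tags, i = [], 0
    while i < len(data):
        hdr = data[i]; i += 1
        if not hdr & 0x80:
            raise ValueError("byte at offset %d is not a packet header" % (i - 1))
        if hdr & 0x40:                               # new format: tag in the low 6 bits
            tag, first = hdr & 0x3F, data[i]; i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192; i += 1
            elif first == 255:
                length = int.from_bytes(data[i:i + 4], "big"); i += 4
            else:
                raise ValueError("partial body lengths are not handled here")
        else:                                        # old format: tag in bits 2-5, length type in bits 0-1
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            n = 0 if ltype == 3 else 1 << ltype      # type 3 = indeterminate, body runs to end of input
            length = len(data) - i if ltype == 3 else int.from_bytes(data[i:i + n], "big"); i += n
        tags.append(tag); i += length
    return tags

def classify(blob: bytes) -> str:
    tags = packet_tags(dearmor(blob))
    if tags and all(t == TAG_SIGNATURE for t in tags):
        return "detached"                            # signature packets only: verifies the file beside it
    if any(t in (TAG_ONE_PASS_SIG, TAG_LITERAL, TAG_COMPRESSED) for t in tags):
        return "embedded"                            # `gpg --sign` output: the .asc carries the file itself
    return "unknown"
# Constructed fixtures (NOT real signatures): genuine headers, zero-filled bodies, "=AAAA" in place of the CRC24 line.
def _pkt(tag: int, body: bytes) -> bytes:            # new-format header, one-octet length
    return bytes([0xC0 | tag, len(body)]) + body
def _armor(kind: bytes, data: bytes) -> bytes:
    return b"-----BEGIN PGP %s-----\n\n%s\n=AAAA\n-----END PGP %s-----\n" % (kind, base64.b64encode(data), kind)
DETACHED_ASC = _armor(b"SIGNATURE", _pkt(TAG_SIGNATURE, bytes(24)))
EMBEDDED_ASC = _armor(b"MESSAGE", _pkt(TAG_ONE_PASS_SIG, bytes(13)) + _pkt(TAG_LITERAL, b"b\x00hi") + _pkt(TAG_SIGNATURE, bytes(24)))
```

Against a real release `gpg --verify artifact.asc artifact` remains the authoritative check; this only catches the packaging mistake before the files go out. Note that gpg compresses `--sign` output by default, so a real embedded `.asc` usually shows up here as a single compressed-data packet (tag 8) rather than the one-pass/literal/signature triple in the fixture.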