Do nightly artifacts need to be signed? For releases what you wrote and what Apache recommends makes total sense. Thus artifacts from CD can't be signed manually.
Pedro

> On 17. Oct 2018, at 22:29, Naveen Swamy <mnnav...@gmail.com> wrote:
>
> I am collaborating with Zach Kimberg and Qing to work on automatic (currently it's very tedious and time consuming) publishing of the MXNet-Scala maven package to the Apache Snapshot repo (either as nightly or weekly). For publishing the package the artifacts need to be signed with a committer's key; however, Zach found Apache seems to strictly advise against storing the PGP keys, so I suggested to look at what Spark is doing and he found that they are releasing to Apache Snapshots as a nightly job, so they have got to be storing the credentials on the host.
> I am looking for advice from Mentors on how to proceed with this.
>
> One option (not preferable) is to publish to a private repo or an S3 bucket, and only during the release sign the artifacts, so the keys continue to remain in the committers' control.
>
> -- Advice on PGP key storage on the Apache website --
>
> "It is recommended that you create a PGP key for your apache.org address now (or add that address to an existing key, if you have one). *DO NOT* create this key on any machine to which multiple users have access and *DO NOT*, ever, copy your private key to any other shared machine. Release managers need to take particular care of keys used to sign releases <https://www.apache.org/dev/release-signing.html#private-key-protection>." (https://www.apache.org/dev/new-committers-guide.html#set-up-security-and-pgp-keys)
>
> "Strictly speaking, releases must be *verified <https://svn.apache.org/repos/private/committers/tools/releases/compare_dirs.pl>* on hardware owned and controlled by the committer. That means hardware the committer has physical possession and control of and exclusively full administrative/superuser access to. That's because only such hardware is qualified to hold a PGP private key, and the release should be verified on the machine the private key lives on or on a machine as trusted as that." (https://www.apache.org/legal/release-policy.html#release-signing)
>
> ---
>
> Thanks,
> Naveen