Hey Team,

Why should we maintain a separate KEYS file from the one I referenced at:

https://people.apache.org/keys/group/oodt.asc

That one is maintained automatically by collecting our GPG fingerprints from
id.apache.org? 

I can see for past releases, but how much do we think people are using anything
prior to OODT, e.g., 0.7 or 0.8? And I would assert that between my key and Tom’s
key there haven’t been RMs since then…

So, thoughts? It’s one less not automatically generated thing we have to 
manage…?

Cheers,
Chris



On 7/24/17, 5:10 AM, "Tom Barber" <tom.bar...@meteorite.bi> wrote:

    Good catch Sean:
    
    bugg@tom-laptop2:~$ gpg  --verify apache-oodt-1.1-src.zip.asc
    gpg: assuming signed data in `apache-oodt-1.1-src.zip'
    gpg: Signature made Wed 19 Jul 2017 19:57:50 BST using RSA key ID 0C1E654B
    gpg: Good signature from "Chris Mattmann (CODE SIGNING KEY - Apr 2016) <mattm...@apache.org>"
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: F434 C970 B95A 6FCA 6FB9  0C45 4EAA F8B6 0C1E 654B
    bugg@tom-laptop2:~$
    
    The key works, but I think the KEYS file needs to be updated in the SVN
    repo per: https://www.apache.org/dev/release-signing.html#keys-policy
    
    For now I'm gonna say -1 unless updating KEYS isn't required.
    
    Tom
    
    
    
    
    On Mon, Jul 24, 2017 at 5:22 AM, Chris Mattmann <mattm...@apache.org> wrote:
    
    > I updated it in id.apache.org, which autogenerates [1], which should be the
    > canonical source for our KEYS file. Give it a check in ~1 hour or so should be
    > all good.
    >
    > Cheers,
    > Chris
    >
    >
    >
    > [1] https://people.apache.org/keys/group/oodt.asc
    >
    >
    >
    > On 7/23/17, 5:33 PM, "Sean Kelly" <ke...@apache.org> wrote:
    >
    >     That did the trick.
    >
    >     I'll be +1 if you also update the KEYS file.
    >
    >     Transcript:
    >
    >     fatalii 298 % date -u
    >     Mon Jul 24 00:32:49 UTC 2017
    >     fatalii 299 % gpg --verify apache-oodt-1.1-src.zip.asc
    >     gpg: Signature made Wed Jul 19 13:57:50 2017 CDT using RSA key ID 0C1E654B
    >     gpg: Good signature from "Chris Mattmann (CODE SIGNING KEY - Apr 2016) <mattm...@apache.org>"
    >     gpg: WARNING: This key is not certified with a trusted signature!
    >     gpg:          There is no indication that the signature belongs to the owner.
    >     Primary key fingerprint: F434 C970 B95A 6FCA 6FB9  0C45 4EAA F8B6 0C1E 654B
    >
    >
    >     --k
    >
    >
    >     Chris Mattmann wrote:
    >     > Hey Sean I think I have a new key on my Mac – can you check? I just submitted the new
    >     > key to MIT keyserver, can you re-verify and see if that fixes it?
    >     >
    >     > Cheers,
    >     > Chris
    >     >
    >     >
    >     >
    >     >
    >     > On 7/23/17, 5:06 PM, "Sean Kelly"<ke...@apache.org>  wrote:
    >     >
    >     >      Hi folks:
    >     >
    >     >      I realize it's already 72 hours and we have the requisite 3 +1 votes,
    >     >      but I'm definitely in the -1 camp if this release was signed with the
    >     >      wrong key.
    >     >
    >     >      I hope it's just user error on my end.
    >     >
    >     >      Take care
    >     >      --k
    >     >
    >     >      >  *From:* Sean Kelly<ke...@apache.org>
    >     >      >  *Date:* 2017-07-22 at 12.54 p
    >     >      >  *To:* dev@oodt.apache.org
    >     >      >  *Subject:* [VOTE] Apache OODT 1.1 Release Candidate #2
    >     >      >  Did anyone check the signature?
    >     >      >
    >     >      >  I'm getting an unknown RSA key 0C1E654B:
    >     >      >
    >     >      >  fatalii 278 % date -u
    >     >      >  Sat Jul 22 17:53:42 UTC 2017
    >     >      >  fatalii 279 % gpg --verify apache-oodt-1.1-src.zip.asc
    >     >      >  gpg: Signature made Wed Jul 19 13:57:50 2017 CDT using RSA key ID 0C1E654B
    >     >      >  gpg: Can't check signature: No public key
    >     >      >
    >     >      >  --k
    >     >      >
    >     >      >  *From:* Chris Mattmann<mattm...@apache.org>
    >     >      >  *Date:* 2017-07-19 at 2.01 p
    >     >      >  *To:* dev@oodt.apache.org
    >     >      >  *Subject:* [VOTE] Apache OODT 1.1 Release Candidate #2
    >     >      >  Hi Folks,
    >     >      >
    >     >      >  I have posted a 2nd release candidate for the Apache OODT 1.1 release. The
    >     >      >  source code is at:
    >     >      >
    >     >      >  https://dist.apache.org/repos/dist/dev/oodt/
    >     >      >
    >     >      >  For more detailed information, see the included CHANGES.txt file for details on
    >     >      >  release contents and latest changes. The release was made using the OODT
    >     >      >  release process, documented on the Wiki here:
    >     >      >
    >     >      >  https://cwiki.apache.org/confluence/display/OODT/Release+Process
    >     >      >
    >     >      >  The release was made from the OODT 1.1 tag at:
    >     >      >
    >     >      >  https://github.com/apache/oodt/tree/1.1/
    >     >      >
    >     >      >  A staged Maven repository is available at:
    >     >      >
    >     >      >  https://repository.apache.org/content/repositories/orgapacheoodt-1013/
    >     >      >
    >     >      >  Please vote on releasing these packages as Apache OODT 1.1. The vote is
    >     >      >  open for at least the next 72 hours.
    >     >      >
    >     >      >  Only votes from OODT PMC are binding, but folks are welcome to check the
    >     >      >  release candidate and voice their approval or disapproval. The vote passes
    >     >      >  if at least three binding +1 votes are cast.
    >     >      >
    >     >      >  [ ] +1 Release the packages as Apache OODT 1.1
    >     >      >
    >     >      >  [ ] -1 Do not release the packages because...
    >     >      >
    >     >      >  Thanks!
    >     >      >
    >     >      >  Chris Mattmann
    >     >      >
    >     >      >  P.S. Here is my +1.
    >     >      >
    >     >      >
    >     >      >
    >     >
    >     >
    >     >
    >     >
    >
    >
    >
    >
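
An added example, not part of the thread or of the OODT release tooling: the signature check run by hand above, scripted so that only keys imported from the project KEYS file count and the signer's primary key fingerprint is pinned. The function names and the sample status lines are constructed for illustration; the fingerprint is the one quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): accept a release signature only if gpg
# reports VALIDSIG for the expected primary key, using keys from KEYS alone.

# normalize_fpr FPR: drop spaces, uppercase hex ("f434 c970" -> "F434C970").
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'
}

# check_status EXPECTED_FPR: reads `gpg --status-fd` lines on stdin.
# The last field of a VALIDSIG line is the primary key fingerprint; any
# BADSIG/ERRSIG line, or no matching VALIDSIG, fails the check.
check_status() {
    want=$(normalize_fpr "$1")
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 == "VALIDSIG" && $NF == want { ok = 1 }
        $2 == "BADSIG" || $2 == "ERRSIG" { bad = 1 }
        END { if (ok && !bad) exit 0; exit 1 }'
}

# verify_release KEYS SIG DATA EXPECTED_FPR (hypothetical helper name).
# A throwaway GnuPG home holds only the keys imported from KEYS, so a key
# pulled earlier from a keyserver cannot satisfy the check.
verify_release() {
    home=$(mktemp -d) || return 2
    gpg --homedir "$home" --batch --quiet --import "$1" 2>/dev/null ||
        { rm -rf "$home"; return 2; }
    gpg --homedir "$home" --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null |
        check_status "$4"
    rc=$?
    rm -rf "$home"
    return "$rc"
}

# Constructed status lines; only the fingerprint comes from the thread.
FPR='F434 C970 B95A 6FCA 6FB9  0C45 4EAA F8B6 0C1E 654B'
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 4EAAF8B60C1E654B Chris Mattmann (CODE SIGNING KEY - Apr 2016)
[GNUPG:] VALIDSIG F434C970B95A6FCA6FB90C454EAAF8B60C1E654B 2017-07-19 1500490670 0 4 0 1 8 00 F434C970B95A6FCA6FB90C454EAAF8B60C1E654B'
SAMPLE_NOKEY='[GNUPG:] ERRSIG 4EAAF8B60C1E654B 1 8 00 1500490670 9
[GNUPG:] NO_PUBKEY 4EAAF8B60C1E654B'
```

With a KEYS file that lacks the signer's key, `verify_release` fails the same way the first transcript in the thread did ("No public key"), regardless of what the caller's own keyring holds.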
    

