Hi, Yunze

Seems that you didn't add your public key here [0]. There is an issue when verifying the Pulsar C++ Client 3.1.2 released files:

```
➜ pulsar-archive gpg --verify apache-pulsar-client-cpp-3.1.2.tar.gz.asc
gpg: assuming signed data in 'apache-pulsar-client-cpp-3.1.2.tar.gz'
gpg: Signature made 三 2/ 8 16:05:49 2023 CST
gpg: using RSA key 9FE9B4F8A2DFD44891CBA27442BB6AFB6CD26FA6
gpg: Can't check signature: No public key
```

I think you need to upload your keys to [1].

[0] https://archive.apache.org/dist/pulsar/KEYS
[1] https://dist.apache.org/repos/dist/release/pulsar/KEYS

BR,
Zike Yang

On Fri, Feb 17, 2023 at 4:22 PM Yunze Xu <y...@streamnative.io.invalid> wrote:
>
> Oh that's right. Then we have to update one of them.
>
> Thanks,
> Yunze
>
> On Fri, Feb 17, 2023 at 3:02 PM Zike Yang <z...@apache.org> wrote:
> >
> > Hi, Yunze
> >
> > I think the KEYS file in the release repo is necessary. They are both
> > used to verify the release file. Otherwise, the user will fail when
> > checking the GPG signature on the release file.
> >
> > BR,
> > Zike Yang
> >
> > On Fri, Feb 17, 2023 at 2:16 PM Yunze Xu <y...@streamnative.io.invalid>
> > wrote:
> > >
> > > Hi all,
> > >
> > > I found the GPG keys, which are used in verifying the signatures of
> > > release candidates, are much different in dev and release
> > > repositories:
> > > https://dist.apache.org/repos/dist/dev/pulsar/KEYS
> > > https://dist.apache.org/repos/dist/release/pulsar/KEYS
> > >
> > > From here [1], it seems like we need to append the GPG key of a
> > > committer into the release repo as well. But it seems that the KEYS
> > > file in the release repo is never used. Should we make them
> > > consistent? Or just remove the KEYS file in release repo?
> > >
> > > [1]
> > > https://pulsar.apache.org/contribute/create-gpg-keys/#appending-the-key-to-keys-files
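
An added example, not part of the original thread: a release-check helper that reads the machine-readable output of `gpg --status-fd 1 --verify` and separates the "No public key" case reported above (signer missing from the imported KEYS file) from a bad signature or an unexpected signer. The function names are hypothetical and the status lines are constructed samples; only the fingerprint comes from the gpg output quoted in the message.

```shell
#!/bin/sh
# Usage (assumed invocation):
#   gpg --status-fd 1 --verify FILE.asc FILE 2>/dev/null | classify_gpg_status EXPECTED_FPR
# Prints: ok | missing-key <keyid> | bad-signature | wrong-signer <fpr> | unknown
classify_gpg_status() {
  awk -v want="$1" '
    $1 != "[GNUPG:]"  { next }
    $2 == "BADSIG"    { bad = 1 }
    $2 == "GOODSIG"   { good = 1 }
    $2 == "NO_PUBKEY" { missing = $3 }
    # ERRSIG carries the error code in its sixth argument; 9 means no public key.
    $2 == "ERRSIG" && $8 == "9" && missing == "" { missing = $3 }
    # VALIDSIG: signing-key fingerprint first, primary-key fingerprint last.
    $2 == "VALIDSIG"  { fpr = $3; primary = (NF >= 12) ? $12 : $3 }
    END {
      w = toupper(want)
      if (bad)                      print "bad-signature"
      else if (missing != "")       print "missing-key " missing
      else if (!good || fpr == "")  print "unknown"   # e.g. expired or revoked key
      else if (toupper(fpr) == w || toupper(primary) == w) print "ok"
      else                          print "wrong-signer " fpr
    }'
}

# Fingerprint taken from the gpg output in the message above.
PAGE_FPR=9FE9B4F8A2DFD44891CBA27442BB6AFB6CD26FA6

# Constructed sample: the signer's key is not in the keyring (the reported failure).
sample_missing_key() {
  cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 42BB6AFB6CD26FA6 1 10 00 1675843549 9 9FE9B4F8A2DFD44891CBA27442BB6AFB6CD26FA6
[GNUPG:] NO_PUBKEY 42BB6AFB6CD26FA6
EOF
}

# Constructed sample: the same check once the key has been imported from KEYS.
sample_after_import() {
  cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 42BB6AFB6CD26FA6 Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 9FE9B4F8A2DFD44891CBA27442BB6AFB6CD26FA6 2023-02-08 1675843549 0 4 0 1 10 00 9FE9B4F8A2DFD44891CBA27442BB6AFB6CD26FA6
EOF
}

sample_missing_key  | classify_gpg_status "$PAGE_FPR"
sample_after_import | classify_gpg_status "$PAGE_FPR"
```

A `missing-key` result points at the KEYS file rather than at the artifact, which is the distinction the thread turns on.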