> Actually we shouldn't have a "dev" KEYS file. It is confusing.

Makes sense to me.

Thanks,
Zike Yang

On Fri, Feb 17, 2023 at 5:37 PM Yunze Xu <y...@streamnative.io.invalid> wrote:
>
> I've synchronized the missed keys from dev to release, including the
> following committers:
> - Yunze Xu
> - Yuto Furuta
> - xiangying
> - Baodi Shi
>
> See https://dist.apache.org/repos/dist/release/pulsar/KEYS
>
> Regarding whether to drop the KEYS in the dev repo, let's wait for more opinions.
>
> Thanks,
> Yunze
>
> On Fri, Feb 17, 2023 at 5:04 PM Yunze Xu <y...@streamnative.io> wrote:
> >
> > > When a new committer wants to cut a release they can ask for help to
> > the PMC to add their KEY to the "release" KEYS
> >
> > I agree. We should only allow a PMC member to update the key.
> >
> > > Seems that you didn't add your public key here [0].
> >
> > Yes, I found this issue as well, my key is only added to the dev repo.
> >
> > I will add the missed keys to the release repo.
> >
> > Thanks,
> > Yunze
> >
> > On Fri, Feb 17, 2023 at 4:52 PM Zike Yang <z...@apache.org> wrote:
> > >
> > > Hi, Yunze
> > >
> > > Seems that you didn't add your public key here [0]. There is an issue
> > > when verifying the Pulsar C++ Client 3.1.2 released files:
> > > ```
> > > ➜  pulsar-archive gpg --verify apache-pulsar-client-cpp-3.1.2.tar.gz.asc
> > > gpg: assuming signed data in 'apache-pulsar-client-cpp-3.1.2.tar.gz'
> > > gpg: Signature made 三  2/ 8 16:05:49 2023 CST
> > > gpg:                using RSA key 9FE9B4F8A2DFD44891CBA27442BB6AFB6CD26FA6
> > > gpg: Can't check signature: No public key
> > > ```
> > >
> > > I think you need to upload your keys to [1].
> > >
> > > [0] https://archive.apache.org/dist/pulsar/KEYS
> > > [1] https://dist.apache.org/repos/dist/release/pulsar/KEYS
> > >
> > > BR,
> > > Zike Yang
> > >
> > > On Fri, Feb 17, 2023 at 4:22 PM Yunze Xu <y...@streamnative.io.invalid> wrote:
> > > >
> > > > Oh that's right. Then we have to update one of them.
> > > >
> > > > Thanks,
> > > > Yunze
> > > >
> > > > On Fri, Feb 17, 2023 at 3:02 PM Zike Yang <z...@apache.org> wrote:
> > > > >
> > > > > Hi, Yunze
> > > > >
> > > > > I think the KEYS file in the release repo is necessary. They are both
> > > > > used to verify the release file. Otherwise, the user will fail when
> > > > > checking the GPG signature on the release file.
> > > > >
> > > > > BR,
> > > > > Zike Yang
> > > > >
> > > > > On Fri, Feb 17, 2023 at 2:16 PM Yunze Xu <y...@streamnative.io.invalid> wrote:
> > > > > >
> > > > > > Hi all,
> > > > > >
> > > > > > I found the GPG keys, which are used in verifying the signatures of
> > > > > > release candidates, are much different in dev and release
> > > > > > repositories:
> > > > > > https://dist.apache.org/repos/dist/dev/pulsar/KEYS
> > > > > > https://dist.apache.org/repos/dist/release/pulsar/KEYS
> > > > > >
> > > > > > From here [1], it seems like we need to append the GPG key of a
> > > > > > committer into the release repo as well. But it seems that the KEYS
> > > > > > file in the release repo is never used. Should we make them
> > > > > > consistent? Or just remove the KEYS file in release repo?
> > > > > >
> > > > > > [1] 
> > > > > > https://pulsar.apache.org/contribute/create-gpg-keys/#appending-the-key-to-keys-files
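
Added example (not part of the original thread and not Apache Pulsar tooling): a check that would catch the drift discussed above by comparing the fingerprints in two KEYS listings and testing whether the key named in a `gpg --verify` message is in the release set. The listings are constructed samples in `gpg --with-colons` format; only the `9FE9...` fingerprint and the gpg lines come from the thread, and all function names are hypothetical.

```python
import re

# Constructed `gpg --show-keys --with-colons` style listings for two KEYS files.
# Only the 9FE9... fingerprint is from the thread; every other value is made up.
DEV_KEYS = """\
pub:-:4096:1:1111111111111111:1500000000:::-:::scESC:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA1111111111111111:
uid:-::::1500000000::X::Committer One <one@example.invalid>:
pub:-:4096:1:42BB6AFB6CD26FA6:1600000000:::-:::scESC:
fpr:::::::::9FE9B4F8A2DFD44891CBA27442BB6AFB6CD26FA6:
uid:-::::1600000000::Y::Committer Two <two@example.invalid>:
sub:-:4096:1:2222222222222222:1600000000::::::e:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBB2222222222222222:
"""
# Release listing holds only the first key block: the second was never synced.
RELEASE_KEYS = "".join(DEV_KEYS.splitlines(keepends=True)[:3])

# The gpg lines quoted in the thread.
VERIFY_OUTPUT = """\
gpg: assuming signed data in 'apache-pulsar-client-cpp-3.1.2.tar.gz'
gpg:                using RSA key 9FE9B4F8A2DFD44891CBA27442BB6AFB6CD26FA6
gpg: Can't check signature: No public key
"""

def key_index(colons):
    """Map every fingerprint (primary key and subkeys) to its key's first uid."""
    blocks = []
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] == "pub":                      # a new key block starts here
            blocks.append({"uid": None, "fprs": []})
        elif not blocks or len(f) < 10:
            continue
        elif f[0] == "fpr":                    # field 10 carries the fingerprint
            blocks[-1]["fprs"].append(f[9].upper())
        elif f[0] == "uid" and blocks[-1]["uid"] is None:
            blocks[-1]["uid"] = f[9]
    return {fp: b["uid"] for b in blocks for fp in b["fprs"]}

def signer_fingerprint(verify_output):
    """Extract the key named on gpg's 'using <ALGO> key <hex>' line."""
    m = re.search(r"using \w+ key ([0-9A-Fa-f]{16,40})", verify_output)
    return m.group(1).upper() if m else None

def missing_from_release(dev, release):
    """Fingerprints present in the dev listing but absent from the release one."""
    have = key_index(release)
    return {fp: uid for fp, uid in key_index(dev).items() if fp not in have}

if __name__ == "__main__":
    print("signer in release KEYS:", signer_fingerprint(VERIFY_OUTPUT) in key_index(RELEASE_KEYS))
    print("missing from release:", missing_from_release(DEV_KEYS, RELEASE_KEYS))
```

With real files the listings would come from `gpg --show-keys --with-colons KEYS`. Subkey fingerprints are indexed as well because the key gpg names in its message can be a signing subkey rather than the primary key.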
