On 31 August 2016 at 15:29, Bert Huijben <b...@qqmail.nl> wrote:
>> -----Original Message-----
>> From: justin.erenkra...@gmail.com [mailto:justin.erenkra...@gmail.com] On
>> Behalf Of Justin Erenkrantz
>> Sent: Wednesday 31 August 2016 14:04
>> To: Bert Huijben <b...@qqmail.nl>
>> Cc: dev@serf.apache.org
>> Subject: Re: [Vote] Apache Serf 1.3.9 up for signing/testing
>>
>> On Wed, Aug 31, 2016 at 8:02 AM, Bert Huijben <b...@qqmail.nl> wrote:
>> > If you still want to add your signature, please commit them to
>> > https://dist.apache.org/repos/dist/release/serf
>>
>> I don't know what the process for doing that is any more.  Any
>> pointers?  -- justin
>
> Hi Justin,
>
> This is the first time we did this for serf, so I just used the method we 
> used for Subversion for several years.
> http://subversion.apache.org/docs/community-guide/releasing.html#tarball-signing
>
> The usual procedure is a checkout of
> https://dist.apache.org/repos/dist/dev/serf, which gets you the artifacts and
> .asc files.
>
> I scripted the signing for myself by calling
> $ gpg -ba -o - "$file" >> "$file.asc"
> '-b' is for a detached signature
> '-a' is for an ASCII signature
> '-o -' sends the output to stdout, which allows the forwarding with >>
>
> Committing the .asc files back stores them in the staging area... but I just 
> copied them from there to the release area ^/release/serf. But PMC members 
> can just add the keys to the .asc files there.
>
>
> We currently have 3 signatures, so we have everything we need for
> our first proper ASF release tomorrow, but of course it will be useful
> if more developers know how to provide the signatures.
>
Hi Bert,

I noticed that other ASF projects publish .asc files with only one
signature. See httpd-2.2.31.tar.gz.asc for example [1]. Also, GPG
checks only the first signature, and I'm getting a warning like the one
below if the .asc file has multiple signatures:
[[
gpg: WARNING: multiple signatures detected.  Only the first will be checked.
]]

[1] https://www.apache.org/dist/httpd/httpd-2.2.31.tar.gz.asc


-- 
Ivan Zhakov
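
The following is an added example, not part of the original thread or of any Serf or Subversion release tooling. It shows one way a verifier can check every signature in a concatenated .asc file, by splitting it into one file per armored block and running gpg --verify on each. The function names and the sig-N.asc file naming are assumptions of this example.

```shell
#!/bin/sh
# Added example: verify each signature in a concatenated .asc file separately,
# because gpg checks only the first armored block when several are appended.

# split_sigs ASC_FILE OUT_DIR
# Writes OUT_DIR/sig-1.asc, sig-2.asc, ... (one armored block each)
# and prints the number of signature blocks found.
split_sigs() {
    asc=$1
    out=$2
    mkdir -p "$out" || return 1
    awk -v out="$out" '
        /^-----BEGIN PGP SIGNATURE-----/ { n++; f = out "/sig-" n ".asc"; inside = 1 }
        inside { print > f }
        /^-----END PGP SIGNATURE-----/ { inside = 0; close(f) }
        END { print n + 0 }
    ' "$asc"
}

# verify_all ARTIFACT ASC_FILE
# Runs gpg --verify once per signature block. Returns 0 only if the file
# contains at least one signature and every one of them verifies.
verify_all() {
    artifact=$1
    asc=$2
    tmp=$(mktemp -d) || return 1
    count=$(split_sigs "$asc" "$tmp") || { rm -rf "$tmp"; return 1; }
    failed=0
    i=1
    while [ "$i" -le "$count" ]; do
        if gpg --verify "$tmp/sig-$i.asc" "$artifact"; then
            echo "signature $i: OK"
        else
            echo "signature $i: FAILED or signer key not in keyring" >&2
            failed=$((failed + 1))
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"
    [ "$count" -gt 0 ] && [ "$failed" -eq 0 ]
}

# Usage (placeholder file names): verify_all ARTIFACT ARTIFACT.asc
```

The signers' public keys must already be in the local keyring, and a successful check still leaves the verifier to confirm that each key belongs to the expected release signer.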
