Hi, I raised meanwhile two PRs: 1) Removal of KEYS from https://github.com/apache/sling-tooling-release/blob/master/KEYS in https://github.com/apache/sling-tooling-release/pull/7 2) Automatically update public keys prior to checking staged releases in https://github.com/apache/sling-tooling-release/pull/8
Please have a look, Thanks, Konrad > On 15. Jul 2025, at 08:32, Konrad Windszus <k...@apache.org> wrote: > > Hi, > According to [1] the canonical location of our official public GPG keys is > https://dist.apache.org/repos/dist/release/sling/KEYS (exposed via > https://downloads.apache.org/sling/KEYS). However there is also an outdated > KEYS file in [2]. Can we remove the one from [2] and also improve the check > from > https://github.com/apache/sling-tooling-release/blob/master/check_staged_release.sh > to automatically import the newest KEY file prior to checking (maybe with a > dedicated flag)? > WDYT? > Konrad > > [1] - > https://sling.apache.org/documentation/development/release-management.html#appendix-a-creating-and-registering-your-pgp-key > [2] - https://github.com/apache/sling-tooling-release/blob/master/KEYS
