Hi Xuanwo, Thanks for the helpful input.
- We’ll update future emails to use the official CDN link: https://downloads.apache.org/incubator/teaclave/KEYS . For verification purpose, the file content is identical. Regarding the signing key: We’re moving toward a model where multiple release managers can securely use the same high-assurance signing key. Previously, each release manager generated and managed their own GPG key independently, which led to inconsistent security practices and made key rotation more difficult. In the new setup, the shared GPG key is hardware-backed (e.g., YubiKey), PIN-protected, with expiration date, and maintained by a small group of administrators. Release managers don’t personally own the key but can request access to perform signing operations in a controlled, offline process. This approach improves key protection, simplifies key lifecycle management, and ensures better privilege separation. We understand that the current key name may be confusing. To make its shared nature clearer, we plan to introduce a new key entry with identity set to something like "Teaclave Release Signing Key", which makes it more reasonable for people who are trying to verify the artifacts. I'd love to hear any feedback the community may have on this plan. If it sounds reasonable and compliant with Apache's policy, I can proceed with updating the KEYS file with the new key name and the corresponding signature files. Best, Zhaofeng On Thu, Jun 19, 2025 at 10:53 AM Xuanwo <xua...@apache.org> wrote: > Hi, Zhaofeng > > Thank you for working on this release. This is my first time reviewing > releases, so please let me know if there's any context I should be aware of > beforehand. > > Here are some questsions I have: > > - It's better to use our CDN for the GPG key download URL: > https://downloads.apache.org/incubator/teaclave/KEYS > - I noticed that the release is signed by a different key, > yu...@apache.org, which does not belong to Zhaofeng. Is it signed > automatically in CI? > > On Thu, Jun 19, 2025, at 08:03, Zhaofeng Chen wrote: > > Hi all, > > > > I am pleased to be calling this vote for the release of Apache Teaclave > > TrustZone SDK (incubating) 0.5.0 (release candidate 1). > > > > Although this release follows shortly after the approval of the v0.4.0 on > > June 3, please note that the earlier release was initiated back on > February > > 27 and was significantly delayed due to a prolonged voting process. Since > > then, we’ve made improvements to streamline the process and hope this > > release proceeds more smoothly. > > > > The release note is available in: > > - > > > https://github.com/apache/incubator-teaclave-trustzone-sdk/releases/tag/v0.5.0-rc.1 > > > > The release candidate to be voted over is available at: > > - > > > https://dist.apache.org/repos/dist/dev/incubator/teaclave/trustzone-sdk-0.5.0-rc.1/ > > > > The release candidate is signed with a GPG key available at: > > - https://dist.apache.org/repos/dist/release/incubator/teaclave/KEYS > > > > Instructions to verify the release candidate’s signature: > > - > https://teaclave.apache.org/download/#verify-the-integrity-of-the-files > > > > Incubator release checklist for reference: > > - > > > https://cwiki.apache.org/confluence/display/INCUBATOR/Incubator+Release+Checklist > > > > The release artifacts have passed all GitHub Actions CI checks. You can > > also reproduce the build process manually from source using the > > following > > commands: > > ``` > > $ wget > > > https://dist.apache.org/repos/dist/dev/incubator/teaclave/trustzone-sdk-0.5.0-rc.1/apache-teaclave-trustzone-sdk-0.5.0-incubating.tar.gz > > $ tar zxvf apache-teaclave-trustzone-sdk-0.5.0-incubating.tar.gz > > $ cd apache-teaclave-trustzone-sdk-0.5.0-incubating > > $ docker run --rm -it -v$(pwd):/teaclave-trustzone-sdk -w \ > > /teaclave-trustzone-sdk yuanz0/teaclave-trustzone-sdk:ubuntu-24.04 \ > > bash -c "./setup.sh && (./build_optee_libraries.sh optee) && source \ > > environment && make && (cd ci && ./ci.sh)" > > ``` > > > > The vote will be open for at least 72 hours. Anyone can participate > > in testing and voting, not just committers, please feel free to try > > out the release candidate and provide your votes to this thread > > explicitly. > > > > [ ] +1 approve > > [ ] +0 no opinion > > [ ] -1 disapprove with the reason > > > > Best, > > Zhaofeng > > -- > Xuanwo > > https://xuanwo.io/ > > --------------------------------------------------------------------- > To unsubscribe, e-mail: dev-unsubscr...@teaclave.apache.org > For additional commands, e-mail: dev-h...@teaclave.apache.org > >
