On 2011-02-21, Troy Howard wrote: > Stefan - You indicated that the Apache signing process is > straightforward and simple, but the documentation is kind of all over > the place.
I've never read any of it ;-) > It discusses so many edge cases and different methods for doing this > that it's hard to know what the correct one is. I might be missing > something. Do you mind breaking it down for me in a very simple step > by step manner? I'll try but skip over the details since they ultimately depend on the OpenPGP implementation you use. The only implementations I have ever used were a self-compiled PGP 2.6.x more than ten years ago and several versions of GnuPG, all of them running on Linux - and I've never used any GUI of any kind. If anything I write below is unclear, please ask and I'll try to figure out the correct answer. Maybe even by reading the ASF documentation. First of all you need an OpenPGP implementation. I use GnuPG, you might prefer something graphical. Then you need a key pair. This should be straight forward to create with your OpenPGP implementation. It may be best to pick the defaults offered as algorithms and the longest key length your implementation offers. In retrospect it may have been a good idea if I had created my key in a way that it expired after ten years since the key length of my key will no longer be sufficient in a few years (if it still is today). But then again I can simply create a new one and stop using the old one at one point in time. The next step is to publish the key. There are key servers and publishing you key there is a command line option in GnuPG. Most of the key servers have a web frontend where you can simply add your ASCII armored exported key as well. For example <http://pgpkeys.mit.edu/>. The key servers automatically propagate keys from one server to the others so it is sufficient to publish to a single server. You should also create a file called KEYS and add it to Lucene.NET's svn area so all developers can add their keys to it. This one will later be published in http://www.apache.org/dist/ as the authoritative source. For an example that also explains how to create the file see <http://svn.apache.org/repos/asf/ant/antlibs/common/trunk/KEYS> The most difficult part is getting your key signed by others. There is no general rule. You must try to find people who are willing to sign your key. Most people will only do so if you meet F2F so try to contact ASF people living close to you. All bigger ASF events have key signing parties just for this purpose. If your key isn't signed by anybody else you can certainly still sign the releases with it - users are just less likely to have chain of trust leading to your key. In reality they likely won't have one anyway. Finally you create the distribution artifact the way you always did. Once done you create a detached signature for each of the distribution artifacts. I.e. if you have foo-1.0-src.zip you sign it which creates foo-1.0-src.zip.asc. You publish both of them side by side. That is really all that needs to be done. On the download page the link to foo-1.0-src.zip will point to the ASF mirror system while the one to foo-1.0-src.zip.asc will always point to www.apache.org. Stefan
