Stefan, Thanks so much for the explanation. This is much clearer.
I found that we have an extant KEYS.TXT at: https://svn.apache.org/repos/asf/incubator/lucene.net/site/download/KEYS.txt Would it be acceptable to simply add to that file, or is this file in the wrong location? Thanks, Troy On Mon, Feb 21, 2011 at 9:38 PM, Stefan Bodewig <bode...@apache.org> wrote: > On 2011-02-21, Troy Howard wrote: > >> Stefan - You indicated that the Apache signing process is >> straightforward and simple, but the documentation is kind of all over >> the place. > > I've never read any of it ;-) > >> It discusses so many edge cases and different methods for doing this >> that it's hard to know what the correct one is. I might be missing >> something. Do you mind breaking it down for me in a very simple step >> by step manner? > > I'll try but skip over the details since they ultimately depend on the > OpenPGP implementation you use. The only implementations I have ever > used were a self-compiled PGP 2.6.x more than ten years ago and several > versions of GnuPG, all of them running on Linux - and I've never used > any GUI of any kind. > > If anything I write below is unclear, please ask and I'll try to figure > out the correct answer. Maybe even by reading the ASF documentation. > > First of all you need an OpenPGP implementation. I use GnuPG, you might > prefer something graphical. > > Then you need a key pair. This should be straight forward to create > with your OpenPGP implementation. It may be best to pick the defaults > offered as algorithms and the longest key length your implementation > offers. > > In retrospect it may have been a good idea if I had created my key in a > way that it expired after ten years since the key length of my key will > no longer be sufficient in a few years (if it still is today). But then > again I can simply create a new one and stop using the old one at one > point in time. > > The next step is to publish the key. There are key servers and > publishing you key there is a command line option in GnuPG. Most of the > key servers have a web frontend where you can simply add your ASCII > armored exported key as well. For example <http://pgpkeys.mit.edu/>. > The key servers automatically propagate keys from one server to the > others so it is sufficient to publish to a single server. > > You should also create a file called KEYS and add it to Lucene.NET's svn > area so all developers can add their keys to it. This one will later be > published in http://www.apache.org/dist/ as the authoritative source. > For an example that also explains how to create the file see > <http://svn.apache.org/repos/asf/ant/antlibs/common/trunk/KEYS> > > The most difficult part is getting your key signed by others. There is > no general rule. You must try to find people who are willing to sign > your key. Most people will only do so if you meet F2F so try to contact > ASF people living close to you. All bigger ASF events have key signing > parties just for this purpose. > > If your key isn't signed by anybody else you can certainly still sign > the releases with it - users are just less likely to have chain of trust > leading to your key. In reality they likely won't have one anyway. > > Finally you create the distribution artifact the way you always did. > Once done you create a detached signature for each of the distribution > artifacts. I.e. if you have foo-1.0-src.zip you sign it which creates > foo-1.0-src.zip.asc. You publish both of them side by side. That is > really all that needs to be done. > > On the download page the link to foo-1.0-src.zip will point to the ASF > mirror system while the one to foo-1.0-src.zip.asc will always point to > www.apache.org. > > Stefan >