On Wed, Nov 27, 2013 at 8:14 AM, Till Westmann <[email protected]> wrote:

> I think it is usual to create a specific code signing key that is only used
> for this purpose (at least that's what I did).

+1

> So I think that the best way would be to create such a key and to meet to
> allow me to sign it.
> This doc contains information about what key properties are currently
> recommended (and a lot more ...): http://www.apache.org/dev/release-signing

The high level overview is:

1. Install GnuPG.
2. Generate a key for your @apache.org mailing address (appropriate strength, keeping revocation certificates around, yada yada)
3. Append the public key to https://dist.apache.org/repos/dist/release/incubator/vxquery/KEYS
4. Publish the public key on pgp.mit.edu.
5. Use your private key to generate .asc signatures for releases, similar to generating checksums.
6. Join the Apache web of trust -- important sooner or later, but not a prerequisite to serving as RM for VXQuery's next release.

In addition to the page Till sent you to, there's this one:
http://www.apache.org/dev/openpgp.html

Marvin Humphrey
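The key-generation, KEYS and .asc steps above as an added shell walk-through; it is not part of the thread or of VXQuery's own release tooling. It generates a dedicated signing-only key in a throw-away GNUPGHOME, appends it to a local KEYS file, signs a constructed artifact and then verifies it the way a downstream user would, from a fresh keyring holding only that KEYS file. The identity, file names and file contents are assumptions; the keyserver upload and the web-of-trust step are left out.

```shell
#!/bin/sh
# Added example, not from the thread: the release-signing steps run end to
# end in a throw-away GNUPGHOME, so nothing touches a real keyring.
# The identity, file names and tarball contents are constructed.
set -eu

export GNUPGHOME="${GNUPGHOME:-$(mktemp -d)}"
chmod 700 "$GNUPGHOME"

# Step 2: a dedicated signing-only key. Batch mode with an empty passphrase
# keeps the demo unattended; a real key gets a passphrase and a revocation
# certificate kept offline. Prints the primary key fingerprint.
gen_signing_key() {
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key 'Example RM <release-manager@example.org>' rsa4096 sign 2y
  gpg --batch --with-colons --list-secret-keys 'release-manager@example.org' \
    | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Step 3: append the ASCII-armored public key ($1) to a KEYS file ($2).
append_to_keys() {
  gpg --batch --armor --export "$1" >> "$2"
}

# Step 5: detached, armored signature by key $1 next to artifact $2 ($2.asc).
sign_artifact() {
  gpg --batch --yes --pinentry-mode loopback --passphrase '' --local-user "$1" \
      --armor --detach-sign --output "$2.asc" "$2"
}

# Downstream check: import only the KEYS file into an empty keyring and
# accept the signature only if it was made by the expected fingerprint ($3),
# taken from gpg's machine-readable VALIDSIG status line.
verify_release() {
  vh=$(mktemp -d); chmod 700 "$vh"
  GNUPGHOME="$vh" gpg --batch --quiet --import "$2" 2>/dev/null
  GNUPGHOME="$vh" gpg --batch --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null \
    | grep -q "^\[GNUPG:\] VALIDSIG $3 "
}

# Walk the whole procedure on a constructed artifact; returns 0 on success.
demo() {
  w=$(mktemp -d)
  fpr=$(gen_signing_key)
  append_to_keys "$fpr" "$w/KEYS"
  printf 'constructed release contents\n' > "$w/vxquery-example.tar.gz"
  sign_artifact "$fpr" "$w/vxquery-example.tar.gz"
  verify_release "$w/vxquery-example.tar.gz" "$w/KEYS" "$fpr"
}
```

Checking the VALIDSIG fingerprint rather than only gpg's exit status is what rejects an .asc made with a key that is not in KEYS.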
