You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@airflow.apache.org by po...@apache.org on 2021/11/08 20:28:30 UTC
[airflow] branch main updated: Clarify guidance re trust of keys in
release docs (#19480)
This is an automated email from the ASF dual-hosted git repository.
potiuk pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git
The following commit(s) were added to refs/heads/main by this push:
new ae1fa4c Clarify guidance re trust of keys in release docs (#19480)
ae1fa4c is described below
commit ae1fa4c8b2b2d91ab01697e7a201f321c5c767c3
Author: Daniel Standish <15...@users.noreply.github.com>
AuthorDate: Mon Nov 8 12:27:55 2021 -0800
Clarify guidance re trust of keys in release docs (#19480)
* Clarify guidance re trust of keys in release docs
1. Kaxil's key referenced in the docs is expired. I update with the current key.
2. keys.openpgp.org no longer seems to be set as the default (at least it was not on my machine). So I update the key import to specify this server i.e.
3. clarify language concerning the remote key servers
* fix spelling
---
dev/README_RELEASE_AIRFLOW.md | 11 ++++++-----
dev/README_RELEASE_AIRFLOW_UPGRADE_CHECK.md | 11 ++++++-----
dev/README_RELEASE_HELM_CHART.md | 19 ++++++++++---------
dev/README_RELEASE_PROVIDER_PACKAGES.md | 11 ++++++-----
4 files changed, 28 insertions(+), 24 deletions(-)
diff --git a/dev/README_RELEASE_AIRFLOW.md b/dev/README_RELEASE_AIRFLOW.md
index a2ec930..78ad539 100644
--- a/dev/README_RELEASE_AIRFLOW.md
+++ b/dev/README_RELEASE_AIRFLOW.md
@@ -408,7 +408,7 @@ retrieves it from the default GPG keyserver
[OpenPGP.org](https://keys.openpgp.org):
```shell script
-gpg --receive-keys 12717556040EEF2EEAF1B9C275FCCD0A25FA0E4B
+gpg --keyserver keys.openpgp.org --receive-keys CDE15C6E4D3A8EC4ECF4BA4B6674E08AD7DE406F
```
You should choose to import the key when asked.
@@ -418,7 +418,7 @@ errors or timeouts. Many of the release managers also uploaded their keys to the
[GNUPG.net](https://keys.gnupg.net) keyserver, and you can retrieve it from there.
```shell script
-gpg --keyserver keys.gnupg.net --receive-keys 12717556040EEF2EEAF1B9C275FCCD0A25FA0E4B
+gpg --keyserver keys.gnupg.net --receive-keys CDE15C6E4D3A8EC4ECF4BA4B6674E08AD7DE406F
```
Once you have the keys, the signatures can be verified by running this:
@@ -432,10 +432,11 @@ done
This should produce results similar to the below. The "Good signature from ..." is indication
that the signatures are correct. Do not worry about the "not certified with a trusted signature"
-warning. Most of the certificates used by release managers are self signed, that's why you get this
-warning. By importing the server in the previous step and importing it via ID from
+warning. Most of the certificates used by release managers are self-signed, and that's why you get this
+warning. By importing the key either from the server in the previous step or from the
[KEYS](https://dist.apache.org/repos/dist/release/airflow/KEYS) page, you know that
-this is a valid Key already.
+this is a valid key already. To suppress the warning you may edit the key's trust level
+by running `gpg --edit-key <key id> trust` and entering `5` to assign trust level `ultimate`.
```
Checking apache-airflow-2.0.2rc4.tar.gz.asc
diff --git a/dev/README_RELEASE_AIRFLOW_UPGRADE_CHECK.md b/dev/README_RELEASE_AIRFLOW_UPGRADE_CHECK.md
index 1fe973c..ae5dd8d 100644
--- a/dev/README_RELEASE_AIRFLOW_UPGRADE_CHECK.md
+++ b/dev/README_RELEASE_AIRFLOW_UPGRADE_CHECK.md
@@ -330,7 +330,7 @@ retrieves it from the default GPG keyserver
[OpenPGP.org](https://keys.openpgp.org):
```shell script
-gpg --receive-keys 12717556040EEF2EEAF1B9C275FCCD0A25FA0E4B
+gpg --keyserver keys.openpgp.org --receive-keys CDE15C6E4D3A8EC4ECF4BA4B6674E08AD7DE406F
```
You should choose to import the key when asked.
@@ -340,7 +340,7 @@ errors or timeouts. Many of the release managers also uploaded their keys to the
[GNUPG.net](https://keys.gnupg.net) keyserver, and you can retrieve it from there.
```shell script
-gpg --keyserver keys.gnupg.net --receive-keys 12717556040EEF2EEAF1B9C275FCCD0A25FA0E4B
+gpg --keyserver keys.gnupg.net --receive-keys CDE15C6E4D3A8EC4ECF4BA4B6674E08AD7DE406F
```
Once you have the keys, the signatures can be verified by running this:
@@ -354,10 +354,11 @@ done
This should produce results similar to the below. The "Good signature from ..." is indication
that the signatures are correct. Do not worry about the "not certified with a trusted signature"
-warning. Most of the certificates used by release managers are self signed, that's why you get this
-warning. By importing the server in the previous step and importing it via ID from
+warning. Most of the certificates used by release managers are self-signed, and that's why you get this
+warning. By importing the key either from the server in the previous step or from the
[KEYS](https://dist.apache.org/repos/dist/release/airflow/KEYS) page, you know that
-this is a valid Key already.
+this is a valid key already. To suppress the warning you may edit the key's trust level
+by running `gpg --edit-key <key id> trust` and entering `5` to assign trust level `ultimate`.
```
Checking apache-airflow-upgrade-check-1.3.0rc1.tar.gz.asc
diff --git a/dev/README_RELEASE_HELM_CHART.md b/dev/README_RELEASE_HELM_CHART.md
index b595eec..ad10324 100644
--- a/dev/README_RELEASE_HELM_CHART.md
+++ b/dev/README_RELEASE_HELM_CHART.md
@@ -344,7 +344,7 @@ Make sure you have imported into your GPG the PGP key of the person signing the
You can import the whole KEYS file:
-```shell
+```shell script
gpg --import KEYS
```
@@ -352,8 +352,8 @@ You can also import the keys individually from a keyserver. The below one uses K
retrieves it from the default GPG keyserver
[OpenPGP.org](https://keys.openpgp.org):
-```shell
-gpg --receive-keys 12717556040EEF2EEAF1B9C275FCCD0A25FA0E4B
+```shell script
+gpg --keyserver keys.openpgp.org --receive-keys CDE15C6E4D3A8EC4ECF4BA4B6674E08AD7DE406F
```
You should choose to import the key when asked.
@@ -362,13 +362,13 @@ Note that by being default, the OpenPGP server tends to be overloaded often and
errors or timeouts. Many of the release managers also uploaded their keys to the
[GNUPG.net](https://keys.gnupg.net) keyserver, and you can retrieve it from there.
-```shell
-gpg --keyserver keys.gnupg.net --receive-keys 12717556040EEF2EEAF1B9C275FCCD0A25FA0E4B
+```shell script
+gpg --keyserver keys.gnupg.net --receive-keys CDE15C6E4D3A8EC4ECF4BA4B6674E08AD7DE406F
```
Once you have the keys, the signatures can be verified by running this:
-```shell
+```shell script
for i in *.asc
do
echo -e "Checking $i\n"; gpg --verify $i
@@ -377,10 +377,11 @@ done
This should produce results similar to the below. The "Good signature from ..." is indication
that the signatures are correct. Do not worry about the "not certified with a trusted signature"
-warning. Most of the certificates used by release managers are self signed, that's why you get this
-warning. By importing the server in the previous step and importing it via ID from
+warning. Most of the certificates used by release managers are self-signed, and that's why you get this
+warning. By importing the key either from the server in the previous step or from the
[KEYS](https://dist.apache.org/repos/dist/release/airflow/KEYS) page, you know that
-this is a valid Key already.
+this is a valid key already. To suppress the warning you may edit the key's trust level
+by running `gpg --edit-key <key id> trust` and entering `5` to assign trust level `ultimate`.
```
Checking airflow-1.0.0.tgz.asc
diff --git a/dev/README_RELEASE_PROVIDER_PACKAGES.md b/dev/README_RELEASE_PROVIDER_PACKAGES.md
index f1029ba..6101aa4 100644
--- a/dev/README_RELEASE_PROVIDER_PACKAGES.md
+++ b/dev/README_RELEASE_PROVIDER_PACKAGES.md
@@ -498,7 +498,7 @@ retrieves it from the default GPG keyserver
[OpenPGP.org](https://keys.openpgp.org):
```shell script
-gpg --receive-keys 12717556040EEF2EEAF1B9C275FCCD0A25FA0E4B
+gpg --keyserver keys.openpgp.org --receive-keys CDE15C6E4D3A8EC4ECF4BA4B6674E08AD7DE406F
```
You should choose to import the key when asked.
@@ -508,7 +508,7 @@ errors or timeouts. Many of the release managers also uploaded their keys to the
[GNUPG.net](https://keys.gnupg.net) keyserver, and you can retrieve it from there.
```shell script
-gpg --keyserver keys.gnupg.net --receive-keys 12717556040EEF2EEAF1B9C275FCCD0A25FA0E4B
+gpg --keyserver keys.gnupg.net --receive-keys CDE15C6E4D3A8EC4ECF4BA4B6674E08AD7DE406F
```
Once you have the keys, the signatures can be verified by running this:
@@ -522,10 +522,11 @@ done
This should produce results similar to the below. The "Good signature from ..." is indication
that the signatures are correct. Do not worry about the "not certified with a trusted signature"
-warning. Most of the certificates used by release managers are self signed, that's why you get this
-warning. By importing the server in the previous step and importing it via ID from
+warning. Most of the certificates used by release managers are self-signed, and that's why you get this
+warning. By importing the key either from the server in the previous step or from the
[KEYS](https://dist.apache.org/repos/dist/release/airflow/KEYS) page, you know that
-this is a valid Key already.
+this is a valid key already. To suppress the warning you may edit the key's trust level
+by running `gpg --edit-key <key id> trust` and entering `5` to assign trust level `ultimate`.
```
Checking apache-airflow-2.0.2rc4.tar.gz.asc