Posted to dev@quickstep.apache.org by Julian Hyde <jh...@apache.org> on 2017/02/01 00:14:23 UTC

Re: Release Signing

It does say so in the instructions, but I’ll reiterate: be sure to use your apache.org <http://apache.org/> email address for your key. People get spooked if they get a release that is not signed by someone who is not obviously an Apache committer.

Generally the release manager will either build the release on their own machine or download a build to their machine. Then they will sign it on their machine (where their private key is present). Lastly they will upload it (which happens by means of a “svn commit”).

At the same time they will make sure that their key is in KEYS, and if not they will edit KEYS and do another “svn commit”.

Julian




> On Jan 31, 2017, at 3:35 PM, Marc Spehlmann <sp...@gmail.com> wrote:
> 
> One of the steps that must take place before releasing a release tarball is
> to have the release managers digitally sign the tarball.
> 
> Hakan, Jignesh, Harshad I think you all are the release managers. Please
> follow this guide
> 
> http://quickstep.apache.org/release-signing/
> 
> to
> 1) create a key pair
> 2) upload the public key to a public keyserver
> 3) (bonus for now) add the public key to a KEYS file in the root of
> quickstep.
> 
> When the release tarball is ready, we can sign it.
> 
> To be fair, I'm not totally sure how this works because it seems to me that
> everyone has to sign the release with their private key, meaning that it
> must be uploaded to each PC where the private key is held, then signed?
> That seems cumbersome.
> 
> Anyways, steps 1,2 are straightforward and need to be done before we
> resolve that last problem.
> 
> Cheers,
> Marc
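The KEYS check Julian describes above (the signer's key must be in KEYS, under an apache.org uid) can be automated on the verifier's side. This is an added example, not code from the thread or from the Quickstep project; it assumes the KEYS layout produced by `gpg --list-sigs --fingerprint` (a `pub` line, an indented fingerprint line, `uid` lines, then the armored block), and the KEYS content below is constructed.

```python
"""Check a release signer's fingerprint against an Apache-style KEYS file.

Added example, not part of the original thread. Assumes each entry in KEYS
is gpg's `--list-sigs --fingerprint` output followed by the armored key.
"""
import re
from dataclasses import dataclass, field

# Constructed sample KEYS file: fingerprints, names and armor are made up.
SAMPLE_KEYS = """\
pub   rsa4096 2017-01-31 [SC]
      0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567
uid           [ultimate] Release Manager <rm@apache.org>
sig 3        89ABCDEF01234567 2017-01-31  Release Manager <rm@apache.org>
sub   rsa4096 2017-01-31 [E]
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBFiQ...constructed, not a real key...
-----END PGP PUBLIC KEY BLOCK-----
pub   rsa2048 2016-06-01 [SC]
      FEDC BA98 7654 3210 FEDC  BA98 7654 3210 FEDC BA98
uid           [ultimate] Some Committer <committer@gmail.com>
sub   rsa2048 2016-06-01 [E]
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQENBFdO...constructed, not a real key...
-----END PGP PUBLIC KEY BLOCK-----
"""

# Ten 4-hex-digit groups = a 160-bit OpenPGP v4 fingerprint.
FPR_RE = re.compile(r"^\s+([0-9A-F]{4}(?:\s+[0-9A-F]{4}){9})\s*$")
UID_RE = re.compile(r"^uid\s+(?:\[[^\]]*\]\s+)?.*<([^>]+)>")

@dataclass
class KeyEntry:
    fingerprint: str
    emails: list = field(default_factory=list)

def parse_keys(text):
    """Return one KeyEntry per `pub` block, skipping the armored key bodies."""
    entries, current, in_armor = [], None, False
    for line in text.splitlines():
        if line.startswith("-----BEGIN PGP"):
            in_armor = True
        elif line.startswith("-----END PGP"):
            in_armor = False
        elif in_armor:
            continue
        elif line.startswith("pub "):
            current = KeyEntry(fingerprint="")
            entries.append(current)
        elif current and not current.fingerprint and FPR_RE.match(line):
            current.fingerprint = FPR_RE.match(line).group(1).replace(" ", "")
        elif current and (m := UID_RE.match(line)):
            current.emails.append(m.group(1).lower())
    return entries

def check_signer(keys_text, fingerprint, required_domain="apache.org"):
    """Is `fingerprint` listed in KEYS, and does it carry a uid at required_domain?"""
    fpr = fingerprint.replace(" ", "").upper()
    for entry in parse_keys(keys_text):
        if entry.fingerprint == fpr:
            ok = any(e.endswith("@" + required_domain) for e in entry.emails)
            return {"in_keys": True, "domain_ok": ok, "emails": entry.emails}
    return {"in_keys": False, "domain_ok": False, "emails": []}
```

In practice the fingerprint fed to `check_signer` comes from `gpg --verify` on the downloaded `.asc`, so a signature by a key that is valid but absent from KEYS, or present only under a non-apache.org uid, is flagged before the release is announced.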


Re: Release Signing

Posted by Marc Spehlmann <sp...@gmail.com>.
Thank you for clearing that up.

We need to select a single release manager.

On Wed, Feb 1, 2017 at 9:26 PM, Julian Hyde <jh...@apache.org> wrote:

> Yes, only the release manager needs to sign.
>
> The KEYS file contains all the people who have EVER signed a release.
>
> > On Feb 1, 2017, at 6:20 PM, Jignesh Patel <jm...@gmail.com>
> wrote:
> >
> > That would be nice if that were the case. We are nearly there then!
> >
> > Cheers,
> > Jignesh
> >
> > On 2/1/17, 7:47 PM, "Marc Spehlmann" <sp...@gmail.com> wrote:
> >
> >    It sounds like only one release manager needs to sign it then?
> >
> >
> >
> >
>
>

Re: Release Signing

Posted by Julian Hyde <jh...@apache.org>.
Yes, only the release manager needs to sign.

The KEYS file contains all the people who have EVER signed a release.

> On Feb 1, 2017, at 6:20 PM, Jignesh Patel <jm...@gmail.com> wrote:
> 
> That would be nice if that were the case. We are nearly there then!
> 
> Cheers,
> Jignesh 
> 
> On 2/1/17, 7:47 PM, "Marc Spehlmann" <sp...@gmail.com> wrote:
> 
>    It sounds like only one release manager needs to sign it then?
> 
> 
> 
> 


Re: Release Signing

Posted by Jignesh Patel <jm...@gmail.com>.
That would be nice if that were the case. We are nearly there then!

Cheers,
Jignesh 

On 2/1/17, 7:47 PM, "Marc Spehlmann" <sp...@gmail.com> wrote:

    It sounds like only one release manager needs to sign it then?
    
    



Re: Release Signing

Posted by Marc Spehlmann <sp...@gmail.com>.
Oh, one thing I was confused about was the number of signers
needed. I took it that all the release managers need to sign, and that
there are several release managers.

Each manager would need to add their private key to the signing process,
something which could only be done by passing the tarball around to
people's private laptops. Obviously, that's not efficient.

It sounds like only one release manager needs to sign it then?

On Tue, Jan 31, 2017 at 6:14 PM, Julian Hyde <jh...@apache.org> wrote:

> It does say so in the instructions, but I’ll reiterate: be sure to use
> your apache.org <http://apache.org/> email address for your key. People
> get spooked if they get a release that is not signed by someone who is not
> obviously an Apache committer.
>
> Generally the release manager will either build the release on their own
> machine or download a build to their machine. Then they will sign it on
> their machine (where their private key is present). Lastly they will upload
> it (which happens by means of a “svn commit”).
>
> At the same time they will make sure that their key is in KEYS, and if not
> they will edit KEYS and do another “svn commit”.
>
> Julian
>
>
>
>
> > On Jan 31, 2017, at 3:35 PM, Marc Spehlmann <sp...@gmail.com>
> wrote:
> >
> > One of the steps that must take place before releasing a release tarball
> is
> > to have the release managers digitally sign the tarball.
> >
> > Hakan, Jignesh, Harshad I think you all are the release managers. Please
> > follow this guide
> >
> > http://quickstep.apache.org/release-signing/
> >
> > to
> > 1) create a key pair
> > 2) upload the public key to a public keyserver
> > 3) (bonus for now) add the public key to a KEYS file in the root of
> > quickstep.
> >
> > When the release tarball is ready, we can sign it.
> >
> > To be fair, I'm not totally sure how this works because it seems to me
> that
> > everyone has to sign the release with their private key, meaning that it
> > must be uploaded to each PC where the private key is held, then signed?
> > That seems cumbersome.
> >
> > Anyways, steps 1,2 are straightforward and need to be done before we
> > resolve that last problem.
> >
> > Cheers,
> > Marc
>
>