Posted to dev@pulsar.apache.org by Yunze Xu <yz...@streamnative.io.INVALID> on 2023/02/17 06:16:28 UTC

Inconsistent GPG keys in dev and release repositories

Hi all,

I found the GPG keys, which are used in verifying the signatures of
release candidates, are much different in dev and release
repositories:
https://dist.apache.org/repos/dist/dev/pulsar/KEYS
https://dist.apache.org/repos/dist/release/pulsar/KEYS

From here [1], it seems like we need to append the GPG key of a
committer into the release repo as well. But it seems that the KEYS
file in the release repo is never used. Should we make them
consistent? Or just remove the KEYS file in release repo?

[1] https://pulsar.apache.org/contribute/create-gpg-keys/#appending-the-key-to-keys-files

Re: Inconsistent GPG keys in dev and release repositories

Posted by Zike Yang <zi...@apache.org>.
> Actually we shouldn't have a "dev" KEYS file. It is confusing.

Makes sense to me.

Thanks,
Zike Yang

On Fri, Feb 17, 2023 at 5:37 PM Yunze Xu <yz...@streamnative.io.invalid> wrote:
>
> I've synchronized the missed keys from dev to release, including the
> following committers:
> - Yunze Xu
> - Yuto Furuta
> - xiangying
> - Baodi Shi
>
> See https://dist.apache.org/repos/dist/release/pulsar/KEYS
>
> Regarding whether to drop the KEYS in the dev repo, let's wait for more opinions.
>
> Thanks,
> Yunze
>
> On Fri, Feb 17, 2023 at 5:04 PM Yunze Xu <yz...@streamnative.io> wrote:
> >
> > > When a new committer wants to cut a release they can ask for help to
> > the PMC to add their KEY to the "release" KEYS
> >
> > I agree. We should only allow a PMC member to update the key.
> >
> > > Seems that you didn't add your public key here [0].
> >
> > Yes, I found this issue as well, my key is only added to the dev repo.
> >
> > I will add the missed keys to the release repo.
> >
> > Thanks,
> > Yunze
> >
> > On Fri, Feb 17, 2023 at 4:52 PM Zike Yang <zi...@apache.org> wrote:
> > >
> > > Hi, Yunze
> > >
> > > Seems that you didn't add your public key here [0]. There is an issue
> > > when verifying the Pulsar C++ Client 3.1.2 released files:
> > > ```
> > > ➜  pulsar-archive gpg --verify apache-pulsar-client-cpp-3.1.2.tar.gz.asc
> > > gpg: assuming signed data in 'apache-pulsar-client-cpp-3.1.2.tar.gz'
> > > gpg: Signature made 三  2/ 8 16:05:49 2023 CST
> > > gpg:                using RSA key 9FE9B4F8A2DFD44891CBA27442BB6AFB6CD26FA6
> > > gpg: Can't check signature: No public key
> > > ```
> > >
> > > I think you need to upload your keys to [1].
> > >
> > > [0] https://archive.apache.org/dist/pulsar/KEYS
> > > [1] https://dist.apache.org/repos/dist/release/pulsar/KEYS
> > >
> > > BR,
> > > Zike Yang
> > >
> > > On Fri, Feb 17, 2023 at 4:22 PM Yunze Xu <yz...@streamnative.io.invalid> wrote:
> > > >
> > > > Oh that's right. Then we have to update one of them.
> > > >
> > > > Thanks,
> > > > Yunze
> > > >
> > > > On Fri, Feb 17, 2023 at 3:02 PM Zike Yang <zi...@apache.org> wrote:
> > > > >
> > > > > Hi, Yunze
> > > > >
> > > > > I think the KEYS file in the release repo is necessary. They are both
> > > > > used to verify the release file. Otherwise, the user will fail when
> > > > > checking the GPG signature on the release file.
> > > > >
> > > > > BR,
> > > > > Zike Yang
> > > > >
> > > > > On Fri, Feb 17, 2023 at 2:16 PM Yunze Xu <yz...@streamnative.io.invalid> wrote:
> > > > > >
> > > > > > Hi all,
> > > > > >
> > > > > > I found the GPG keys, which are used in verifying the signatures of
> > > > > > release candidates, are much different in dev and release
> > > > > > repositories:
> > > > > > https://dist.apache.org/repos/dist/dev/pulsar/KEYS
> > > > > > https://dist.apache.org/repos/dist/release/pulsar/KEYS
> > > > > >
> > > > > > From here [1], it seems like we need to append the GPG key of a
> > > > > > committer into the release repo as well. But it seems that the KEYS
> > > > > > file in the release repo is never used. Should we make them
> > > > > > consistent? Or just remove the KEYS file in release repo?
> > > > > >
> > > > > > [1] https://pulsar.apache.org/contribute/create-gpg-keys/#appending-the-key-to-keys-files

Re: Inconsistent GPG keys in dev and release repositories

Posted by Yunze Xu <yz...@streamnative.io.INVALID>.
I've synchronized the missed keys from dev to release, including the
following committers:
- Yunze Xu
- Yuto Furuta
- xiangying
- Baodi Shi

See https://dist.apache.org/repos/dist/release/pulsar/KEYS

Regarding whether to drop the KEYS in the dev repo, let's wait for more opinions.

Thanks,
Yunze

On Fri, Feb 17, 2023 at 5:04 PM Yunze Xu <yz...@streamnative.io> wrote:
>
> > When a new committer wants to cut a release they can ask for help to
> the PMC to add their KEY to the "release" KEYS
>
> I agree. We should only allow a PMC member to update the key.
>
> > Seems that you didn't add your public key here [0].
>
> Yes, I found this issue as well, my key is only added to the dev repo.
>
> I will add the missed keys to the release repo.
>
> Thanks,
> Yunze
>
> On Fri, Feb 17, 2023 at 4:52 PM Zike Yang <zi...@apache.org> wrote:
> >
> > Hi, Yunze
> >
> > Seems that you didn't add your public key here [0]. There is an issue
> > when verifying the Pulsar C++ Client 3.1.2 released files:
> > ```
> > ➜  pulsar-archive gpg --verify apache-pulsar-client-cpp-3.1.2.tar.gz.asc
> > gpg: assuming signed data in 'apache-pulsar-client-cpp-3.1.2.tar.gz'
> > gpg: Signature made 三  2/ 8 16:05:49 2023 CST
> > gpg:                using RSA key 9FE9B4F8A2DFD44891CBA27442BB6AFB6CD26FA6
> > gpg: Can't check signature: No public key
> > ```
> >
> > I think you need to upload your keys to [1].
> >
> > [0] https://archive.apache.org/dist/pulsar/KEYS
> > [1] https://dist.apache.org/repos/dist/release/pulsar/KEYS
> >
> > BR,
> > Zike Yang
> >
> > On Fri, Feb 17, 2023 at 4:22 PM Yunze Xu <yz...@streamnative.io.invalid> wrote:
> > >
> > > Oh that's right. Then we have to update one of them.
> > >
> > > Thanks,
> > > Yunze
> > >
> > > On Fri, Feb 17, 2023 at 3:02 PM Zike Yang <zi...@apache.org> wrote:
> > > >
> > > > Hi, Yunze
> > > >
> > > > I think the KEYS file in the release repo is necessary. They are both
> > > > used to verify the release file. Otherwise, the user will fail when
> > > > checking the GPG signature on the release file.
> > > >
> > > > BR,
> > > > Zike Yang
> > > >
> > > > On Fri, Feb 17, 2023 at 2:16 PM Yunze Xu <yz...@streamnative.io.invalid> wrote:
> > > > >
> > > > > Hi all,
> > > > >
> > > > > I found the GPG keys, which are used in verifying the signatures of
> > > > > release candidates, are much different in dev and release
> > > > > repositories:
> > > > > https://dist.apache.org/repos/dist/dev/pulsar/KEYS
> > > > > https://dist.apache.org/repos/dist/release/pulsar/KEYS
> > > > >
> > > > > From here [1], it seems like we need to append the GPG key of a
> > > > > committer into the release repo as well. But it seems that the KEYS
> > > > > file in the release repo is never used. Should we make them
> > > > > consistent? Or just remove the KEYS file in release repo?
> > > > >
> > > > > [1] https://pulsar.apache.org/contribute/create-gpg-keys/#appending-the-key-to-keys-files

Re: Inconsistent GPG keys in dev and release repositories

Posted by Yunze Xu <yz...@streamnative.io.INVALID>.
> When a new committer wants to cut a release they can ask for help to
the PMC to add their KEY to the "release" KEYS

I agree. We should only allow a PMC member to update the key.

> Seems that you didn't add your public key here [0].

Yes, I found this issue as well, my key is only added to the dev repo.

I will add the missed keys to the release repo.

Thanks,
Yunze

On Fri, Feb 17, 2023 at 4:52 PM Zike Yang <zi...@apache.org> wrote:
>
> Hi, Yunze
>
> Seems that you didn't add your public key here [0]. There is an issue
> when verifying the Pulsar C++ Client 3.1.2 released files:
> ```
> ➜  pulsar-archive gpg --verify apache-pulsar-client-cpp-3.1.2.tar.gz.asc
> gpg: assuming signed data in 'apache-pulsar-client-cpp-3.1.2.tar.gz'
> gpg: Signature made 三  2/ 8 16:05:49 2023 CST
> gpg:                using RSA key 9FE9B4F8A2DFD44891CBA27442BB6AFB6CD26FA6
> gpg: Can't check signature: No public key
> ```
>
> I think you need to upload your keys to [1].
>
> [0] https://archive.apache.org/dist/pulsar/KEYS
> [1] https://dist.apache.org/repos/dist/release/pulsar/KEYS
>
> BR,
> Zike Yang
>
> On Fri, Feb 17, 2023 at 4:22 PM Yunze Xu <yz...@streamnative.io.invalid> wrote:
> >
> > Oh that's right. Then we have to update one of them.
> >
> > Thanks,
> > Yunze
> >
> > On Fri, Feb 17, 2023 at 3:02 PM Zike Yang <zi...@apache.org> wrote:
> > >
> > > Hi, Yunze
> > >
> > > I think the KEYS file in the release repo is necessary. They are both
> > > used to verify the release file. Otherwise, the user will fail when
> > > checking the GPG signature on the release file.
> > >
> > > BR,
> > > Zike Yang
> > >
> > > On Fri, Feb 17, 2023 at 2:16 PM Yunze Xu <yz...@streamnative.io.invalid> wrote:
> > > >
> > > > Hi all,
> > > >
> > > > I found the GPG keys, which are used in verifying the signatures of
> > > > release candidates, are much different in dev and release
> > > > repositories:
> > > > https://dist.apache.org/repos/dist/dev/pulsar/KEYS
> > > > https://dist.apache.org/repos/dist/release/pulsar/KEYS
> > > >
> > > > From here [1], it seems like we need to append the GPG key of a
> > > > committer into the release repo as well. But it seems that the KEYS
> > > > file in the release repo is never used. Should we make them
> > > > consistent? Or just remove the KEYS file in release repo?
> > > >
> > > > [1] https://pulsar.apache.org/contribute/create-gpg-keys/#appending-the-key-to-keys-files

Re: Inconsistent GPG keys in dev and release repositories

Posted by Zike Yang <zi...@apache.org>.
Hi, Yunze

Seems that you didn't add your public key here [0]. There is an issue
when verifying the Pulsar C++ Client 3.1.2 released files:
```
➜  pulsar-archive gpg --verify apache-pulsar-client-cpp-3.1.2.tar.gz.asc
gpg: assuming signed data in 'apache-pulsar-client-cpp-3.1.2.tar.gz'
gpg: Signature made 三  2/ 8 16:05:49 2023 CST
gpg:                using RSA key 9FE9B4F8A2DFD44891CBA27442BB6AFB6CD26FA6
gpg: Can't check signature: No public key
```

I think you need to upload your keys to [1].

[0] https://archive.apache.org/dist/pulsar/KEYS
[1] https://dist.apache.org/repos/dist/release/pulsar/KEYS

BR,
Zike Yang

On Fri, Feb 17, 2023 at 4:22 PM Yunze Xu <yz...@streamnative.io.invalid> wrote:
>
> Oh that's right. Then we have to update one of them.
>
> Thanks,
> Yunze
>
> On Fri, Feb 17, 2023 at 3:02 PM Zike Yang <zi...@apache.org> wrote:
> >
> > Hi, Yunze
> >
> > I think the KEYS file in the release repo is necessary. They are both
> > used to verify the release file. Otherwise, the user will fail when
> > checking the GPG signature on the release file.
> >
> > BR,
> > Zike Yang
> >
> > On Fri, Feb 17, 2023 at 2:16 PM Yunze Xu <yz...@streamnative.io.invalid> wrote:
> > >
> > > Hi all,
> > >
> > > I found the GPG keys, which are used in verifying the signatures of
> > > release candidates, are much different in dev and release
> > > repositories:
> > > https://dist.apache.org/repos/dist/dev/pulsar/KEYS
> > > https://dist.apache.org/repos/dist/release/pulsar/KEYS
> > >
> > > From here [1], it seems like we need to append the GPG key of a
> > > committer into the release repo as well. But it seems that the KEYS
> > > file in the release repo is never used. Should we make them
> > > consistent? Or just remove the KEYS file in release repo?
> > >
> > > [1] https://pulsar.apache.org/contribute/create-gpg-keys/#appending-the-key-to-keys-files
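
The check this failure calls for, together with the dev-versus-release comparison from the first message, as an added example in Python that is neither part of this thread nor Pulsar project code: it parses the fingerprints out of two KEYS files (constructed samples below; the first fingerprint is the signing key gpg reported above, the other is an all-ones placeholder), extracts the key gpg says it needed from the quoted output, and reports whether that key is present only in the dev KEYS, in the release KEYS, or in neither. The function names and the sample files are this example's own.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample of a dev KEYS file. The first fingerprint is the signing key
# gpg reported in the thread; the second is an obvious placeholder.
DEV_KEYS = """\
This file contains the PGP keys of various committers (constructed sample).

pub   rsa4096 2023-02-01 [SC]
      9FE9B4F8A2DFD44891CBA27442BB6AFB6CD26FA6
uid           [ultimate] Example Committer <committer@example.invalid>
-----BEGIN PGP PUBLIC KEY BLOCK-----
(armored key material omitted in this constructed sample)
-----END PGP PUBLIC KEY BLOCK-----

pub   4096R/11111111 2015-06-01
      Key fingerprint = 1111 1111 1111 1111 1111  1111 1111 1111 1111 1111
uid                  Placeholder Committer <placeholder@example.invalid>
-----BEGIN PGP PUBLIC KEY BLOCK-----
(armored key material omitted in this constructed sample)
-----END PGP PUBLIC KEY BLOCK-----
"""

# Constructed sample of the release KEYS file: only the placeholder key, so the
# committer's key from the dev file is missing here, as in the thread.
RELEASE_KEYS = """\
pub   4096R/11111111 2015-06-01
      Key fingerprint = 1111 1111 1111 1111 1111  1111 1111 1111 1111 1111
uid                  Placeholder Committer <placeholder@example.invalid>
-----BEGIN PGP PUBLIC KEY BLOCK-----
(armored key material omitted in this constructed sample)
-----END PGP PUBLIC KEY BLOCK-----
"""

# The gpg --verify output quoted in the thread (signature could not be checked).
GPG_OUTPUT = """\
gpg: assuming signed data in 'apache-pulsar-client-cpp-3.1.2.tar.gz'
gpg: Signature made 三  2/ 8 16:05:49 2023 CST
gpg:                using RSA key 9FE9B4F8A2DFD44891CBA27442BB6AFB6CD26FA6
gpg: Can't check signature: No public key
"""

# A fingerprint is ten groups of four hex digits. Older gpg listings space the
# groups and prefix "Key fingerprint =", newer ones print the 40 digits unbroken.
FINGERPRINT_RE = re.compile(r"(?:Key fingerprint = )?((?:[0-9A-Fa-f]{4}\s*){10})$")
SIGNER_RE = re.compile(r"using \w+ key ([0-9A-Fa-f]{16,40})")


def key_fingerprints(keys_text: str) -> Set[str]:
    """Collect the fingerprints listed in the readable part of a KEYS file.
    Lines inside armored key blocks are skipped so base64 data is never
    mistaken for a fingerprint."""
    fingerprints: Set[str] = set()
    in_armor = False
    for line in keys_text.splitlines():
        if line.startswith("-----BEGIN PGP"):
            in_armor = True
            continue
        if line.startswith("-----END PGP"):
            in_armor = False
            continue
        if in_armor:
            continue
        match = FINGERPRINT_RE.search(line)
        if match:
            fingerprints.add(re.sub(r"\s", "", match.group(1)).upper())
    return fingerprints


def signing_key(gpg_output: str) -> Optional[str]:
    """Extract the key id or fingerprint gpg says it needed for the signature."""
    match = SIGNER_RE.search(gpg_output)
    return match.group(1).upper() if match else None


def signer_listed(gpg_output: str, fingerprints: Set[str]) -> bool:
    """True if the signing key appears in the given fingerprints. gpg may print a
    16-digit long key id or a full fingerprint; the long id is the fingerprint's
    last 16 digits, so a suffix match covers both."""
    signer = signing_key(gpg_output)
    return signer is not None and any(f.endswith(signer) for f in fingerprints)


def diff_keys(dev_text: str, release_text: str) -> Dict[str, List[str]]:
    """Fingerprints present in one KEYS file but not the other."""
    dev, release = key_fingerprints(dev_text), key_fingerprints(release_text)
    return {"only_in_dev": sorted(dev - release),
            "only_in_release": sorted(release - dev)}


def diagnose(gpg_output: str, dev_text: str, release_text: str) -> str:
    """Explain a 'No public key' failure against the two KEYS files."""
    if "No public key" not in gpg_output:
        return "gpg found the signing key; read the rest of its output"
    signer = signing_key(gpg_output) or "unknown"
    if signer_listed(gpg_output, key_fingerprints(release_text)):
        return f"key {signer} is in the release KEYS; import that file and retry"
    if signer_listed(gpg_output, key_fingerprints(dev_text)):
        return f"key {signer} is only in the dev KEYS; append it to the release KEYS"
    return f"key {signer} is in neither KEYS file"


if __name__ == "__main__":
    print(diff_keys(DEV_KEYS, RELEASE_KEYS))
    print(diagnose(GPG_OUTPUT, DEV_KEYS, RELEASE_KEYS))
```

Run against the real files (fetch both KEYS URLs and the gpg output of a failed verify), `diff_keys` lists exactly the fingerprints a PMC member would need to append, and `diagnose` tells a downloader whether the fix is on their side (import the release KEYS) or on the project's (the key was never published there). It is a pre-flight for the thread's situation, not a replacement for `gpg --verify` itself.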

Re: Inconsistent GPG keys in dev and release repositories

Posted by Enrico Olivelli <eo...@gmail.com>.
Actually we shouldn't have a "dev" KEYS file. It is confusing.

I suggest dropping it.

When a new committer wants to cut a release they can ask for help to
the PMC to add their KEY to the "release" KEYS

Enrico

On Fri, Feb 17, 2023 at 09:21 Yunze Xu
<yz...@streamnative.io.invalid> wrote:
>
> Oh that's right. Then we have to update one of them.
>
> Thanks,
> Yunze
>
> On Fri, Feb 17, 2023 at 3:02 PM Zike Yang <zi...@apache.org> wrote:
> >
> > Hi, Yunze
> >
> > I think the KEYS file in the release repo is necessary. They are both
> > used to verify the release file. Otherwise, the user will fail when
> > checking the GPG signature on the release file.
> >
> > BR,
> > Zike Yang
> >
> > On Fri, Feb 17, 2023 at 2:16 PM Yunze Xu <yz...@streamnative.io.invalid> wrote:
> > >
> > > Hi all,
> > >
> > > I found the GPG keys, which are used in verifying the signatures of
> > > release candidates, are much different in dev and release
> > > repositories:
> > > https://dist.apache.org/repos/dist/dev/pulsar/KEYS
> > > https://dist.apache.org/repos/dist/release/pulsar/KEYS
> > >
> > > From here [1], it seems like we need to append the GPG key of a
> > > committer into the release repo as well. But it seems that the KEYS
> > > file in the release repo is never used. Should we make them
> > > consistent? Or just remove the KEYS file in release repo?
> > >
> > > [1] https://pulsar.apache.org/contribute/create-gpg-keys/#appending-the-key-to-keys-files

Re: Inconsistent GPG keys in dev and release repositories

Posted by Yunze Xu <yz...@streamnative.io.INVALID>.
Oh that's right. Then we have to update one of them.

Thanks,
Yunze

On Fri, Feb 17, 2023 at 3:02 PM Zike Yang <zi...@apache.org> wrote:
>
> Hi, Yunze
>
> I think the KEYS file in the release repo is necessary. They are both
> used to verify the release file. Otherwise, the user will fail when
> checking the GPG signature on the release file.
>
> BR,
> Zike Yang
>
> On Fri, Feb 17, 2023 at 2:16 PM Yunze Xu <yz...@streamnative.io.invalid> wrote:
> >
> > Hi all,
> >
> > I found the GPG keys, which are used in verifying the signatures of
> > release candidates, are much different in dev and release
> > repositories:
> > https://dist.apache.org/repos/dist/dev/pulsar/KEYS
> > https://dist.apache.org/repos/dist/release/pulsar/KEYS
> >
> > From here [1], it seems like we need to append the GPG key of a
> > committer into the release repo as well. But it seems that the KEYS
> > file in the release repo is never used. Should we make them
> > consistent? Or just remove the KEYS file in release repo?
> >
> > [1] https://pulsar.apache.org/contribute/create-gpg-keys/#appending-the-key-to-keys-files

Re: Inconsistent GPG keys in dev and release repositories

Posted by Zike Yang <zi...@apache.org>.
Hi, Yunze

I think the KEYS file in the release repo is necessary. They are both
used to verify the release file. Otherwise, the user will fail when
checking the GPG signature on the release file.

BR,
Zike Yang

On Fri, Feb 17, 2023 at 2:16 PM Yunze Xu <yz...@streamnative.io.invalid> wrote:
>
> Hi all,
>
> I found the GPG keys, which are used in verifying the signatures of
> release candidates, are much different in dev and release
> repositories:
> https://dist.apache.org/repos/dist/dev/pulsar/KEYS
> https://dist.apache.org/repos/dist/release/pulsar/KEYS
>
> From here [1], it seems like we need to append the GPG key of a
> committer into the release repo as well. But it seems that the KEYS
> file in the release repo is never used. Should we make them
> consistent? Or just remove the KEYS file in release repo?
>
> [1] https://pulsar.apache.org/contribute/create-gpg-keys/#appending-the-key-to-keys-files