Posted to dev@vxquery.apache.org by Vinayak Borkar <vi...@gmail.com> on 2013/11/27 05:39:36 UTC

Getting KEYS in order

Hi,


What is the best way for me to get my verified KEYS set up so that I can 
create and sign releases?


Thanks,
Vinayak

Re: Getting KEYS in order

Posted by Marvin Humphrey <ma...@rectangular.com>.
On Wed, Nov 27, 2013 at 8:14 AM, Till Westmann <we...@gmail.com> wrote:
> I think it is usual to create a specific code signing key that is only used
> for this purpose (at least that's what I did).

+1

> So I think that the best way would be to create such a key and to meet to
> allow me to sign it.
> This doc contains information about what key properties are currently
> recommended (and a lot more ...): http://www.apache.org/dev/release-signing

The high-level overview is:

1.  Install GnuPG.
2.  Generate a key for your @apache.org mailing address (appropriate strength,
    keeping revocation certificates around, yada yada)
3.  Append the public key to
    https://dist.apache.org/repos/dist/release/incubator/vxquery/KEYS
4.  Publish the public key on pgp.mit.edu.
5.  Use your private key to generate .asc signatures for releases, similar to
    generating checksums.
6.  Join the Apache web of trust -- important sooner or later, but not a
    prerequisite to serving as RM for VXQuery's next release.

In addition to the page Till sent you to, there's this one:

    http://www.apache.org/dev/openpgp.html

Marvin Humphrey
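
Steps 2, 3 and 5 of the list above, plus the check a downloader would run against KEYS, as an added example that is not part of the original thread. It assumes GnuPG 2.1 or later; the user ID, file names and temporary keyrings are constructed for the demo, and step 4 (publishing to a keyserver) is left out because it needs network access.

```bash
#!/usr/bin/env bash
# Added example: key generation, KEYS export, signing and verification in throwaway keyrings.
set -eu
DEMO_UID="Demo RM <demo-rm@example.org>"   # constructed; a real key uses your @apache.org address

# Step 2: generate a signing-only RSA 4096 key. The empty passphrase is for
# this unattended demo only; protect a real release key with a passphrase.
# GnuPG 2.1+ also writes a revocation certificate to $GNUPGHOME/openpgp-revocs.d.
make_key() {   # $1 = GNUPGHOME of the release manager
  GNUPGHOME="$1" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key "$DEMO_UID" rsa4096 sign 1y
}

# Step 3: append the ASCII-armored public key to a KEYS file.
append_to_keys() {   # $1 = GNUPGHOME, $2 = KEYS file
  GNUPGHOME="$1" gpg --batch --armor --export "$DEMO_UID" >> "$2"
}

# Step 5: write a detached, armored signature next to the artifact (<file>.asc).
sign_release() {   # $1 = GNUPGHOME, $2 = artifact
  GNUPGHOME="$1" gpg --batch --yes --pinentry-mode loopback --passphrase '' \
    --local-user "$DEMO_UID" --armor --detach-sign "$2"
}

# What a downloader does: import KEYS into a separate keyring, then verify.
verify_release() {   # $1 = KEYS file, $2 = artifact; exit status 0 = good signature
  local home status=0
  home="$(mktemp -d)"
  GNUPGHOME="$home" gpg --batch --quiet --import "$1" 2>/dev/null
  GNUPGHOME="$home" gpg --batch --verify "$2.asc" "$2" 2>/dev/null || status=$?
  rm -rf "$home"
  return "$status"
}

demo() {   # prints "good" for the signed artifact, "bad" after tampering
  local work; work="$(mktemp -d)"
  mkdir -m 700 "$work/rm-home"
  printf 'constructed release payload\n' > "$work/demo-release.tar.gz"
  make_key "$work/rm-home"
  append_to_keys "$work/rm-home" "$work/KEYS"
  sign_release "$work/rm-home" "$work/demo-release.tar.gz"
  verify_release "$work/KEYS" "$work/demo-release.tar.gz" && echo good
  printf 'tampered\n' >> "$work/demo-release.tar.gz"
  verify_release "$work/KEYS" "$work/demo-release.tar.gz" || echo bad
  GNUPGHOME="$work/rm-home" gpgconf --kill gpg-agent || true
  rm -rf "$work"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Saved as a script and run with the argument `demo`, it prints `good` for the untouched artifact and `bad` once a byte has been appended to it.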

Re: Getting KEYS in order

Posted by Till Westmann <we...@gmail.com>.
Hi,

I think that the right way to add you to the web of trust would be for me
(or anybody else) to sign your key when meeting in person.
Given that we aren't too far apart, that should be feasible :)
I think it is usual to create a specific code signing key that is only used
for this purpose (at least that's what I did).
So I think that the best way would be to create such a key and to meet to
allow me to sign it.
This doc contains information about what key properties are currently
recommended (and a lot more ...): http://www.apache.org/dev/release-signing

Cheers,
Till



On Tue, Nov 26, 2013 at 8:39 PM, Vinayak Borkar <vi...@gmail.com> wrote:

> Hi,
>
>
> What is the best way for me to get my verified KEYS set up so that I can
> create and sign releases?
>
>
> Thanks,
> Vinayak
>