Posted to dev@ant.apache.org by Kev Jackson <fo...@gmail.com> on 2006/06/05 08:50:11 UTC

pgp key for signing files

Hi,

I've just run a test build of svn trunk with all the optional jars  
(thanks Antoine!).  I recall that there were instructions about how  
to sign files for release on the apache website, but I can't find  
anything ant specific.

In the ant release instructions, there's mention of the shell script  
for signing all the files, but again there's no mention of how to  
create a key/what tools to use/how to publish said key to public server

I'm going to google some more to see what options are available, but  
any advice from people who've previously gone through this would be  
appreciated.

Thanks
Kev

--
"All governments are in equal measure good and evil.  The best ideal  
is anarchy." - Leo Tolstoy


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ant.apache.org
For additional commands, e-mail: dev-help@ant.apache.org


Re: Upload of Ant to Maven repository [WAS: Re: Re: pgp key for signing files]

Posted by Steve Loughran <st...@apache.org>.
Antoine Levy-Lambert wrote:
> Hi,
> 
> Steve had already sent an email to repository at apache dot org.
> 
> http://mail-archives.apache.org/mod_mbox/www-repository/200606.mbox/browser
> 
> Also, Carlos Sanchez answered my JIRA issue, giving a pointer to:
> 
> http://www.apache.org/dev/release-publishing.html


see this too
http://jakarta.apache.org/commons/releases/index.html

> 
> http://www.apache.org/dist/java-repository/ant/jars is the source of
> ibiblio.org regarding everything that comes from apache, so we do not
> have to add uploads to other sites to ReleaseInstructions.
> 
> What we should do is figure out how we are going to generate and upload
> POM files (Maven project descriptors) to
> http://www.apache.org/dist/java-repository/ant/jars. This possibly even
> in 2 flavors for Maven 1 and Maven 2 ???
> 

POM2 files. They can downconvert.

This is roughly how we do it on SmartFrog. If a project has a .pom file 
it gets copied with property expansion. Otherwise we <echo> out a pom 
(this is Ant 1.6.5 compatible).


   <!-- ========================================================== -->
   <!-- init all the maven2 support   -->
   <!-- ========================================================== -->
   <target name="m2-init"
           depends="init,init-proxy,declare-extended-smartfrog-tasks">
     <!-- per project, CVS managed override -->
     <property file="libraries.properties" />
     <!-- central CVS managed libraries list -->
     <property file="${smartfrog.components.dir}/libraries.properties" />

     <!-- Maven2 stuff
       All components build into the org.smartfrog group, unless
       otherwise stated, but are their own artifacts.
       -->
     <property name="m2.repository"
               location="${user.home}/.m2/repository" />

     <!-- make the root path of an artifact -->
     <macrodef name="m2-makepath">
       <attribute name="property"/>
       <attribute name="groupIDpath"/>
       <attribute name="artifactID" default="@{groupIDpath}"/>
       <attribute name="version"/>
       <sequential>
         <property name="@{property}"
                   location="${m2.repository}/@{groupIDpath}/@{artifactID}/@{version}" />
       </sequential>
     </macrodef>

     <property name="m2.groupID" value="org.smartfrog" />
     <property name="m2.groupID.path" value="org/smartfrog" />
     <m2-makepath property="m2.subdir"
                  groupIDpath="${m2.groupID.path}"
                  artifactID="${artifact.name}"
                  version="${Version}" />
     <!-- pom setup -->
     <property name="target.pom"
               location="${dist.lib.dir}/${jarfile.stub}.pom"/>
     <property name="project.pom" location="project-template.pom"/>
     <available property="project.haspom" file="${project.pom}"/>
   </target>

   <!-- ========================================================== -->
   <!-- POM creation/copy, depending on whether it exists or not   -->
   <!-- ========================================================== -->

   <target name="m2-copy-pom" depends="m2-init" if="project.haspom">
     <copy file="${project.pom}" tofile="${target.pom}" >
       <!-- we expand ant properties here.  -->
       <filterchain>
         <expandproperties/>
       </filterchain>
     </copy>
   </target>

   <!-- inline creation of a very minimal (zero dependency) pom -->
   <target name="m2-make-pom" depends="m2-init" unless="project.haspom">
     <echo message="Creating Pom ${target.pom}" level="verbose"/>
     <echo file="${target.pom}"><![CDATA[<project>
   <modelVersion>4.0.0</modelVersion>
   <groupId>${m2.groupID}</groupId>
   <artifactId>${artifact.name}</artifactId>
   <packaging>jar</packaging>
   <version>${Version}</version>
</project>
]]></echo>
   </target>

   <target name="m2-pom" depends="m2-copy-pom,m2-make-pom" />

   <!-- ========================================================== -->
   <!-- this is not normally for overriding -->
   <!-- install the jar, to the local maven2 repository -->
   <!-- ========================================================== -->
   <target name="m2-install" depends="checksum-target-jar,m2-pom"
           description="copy the JAR file to the local maven repository">

     <mkdir dir="${m2.subdir}"/>
     <copy file="${target.jar}" todir="${m2.subdir}"/>
     <!-- copy a pom -->
     <copy file="${target.pom}" todir="${m2.subdir}" failonerror="false"/>
     <copy file="${target.jar}.md5" todir="${m2.subdir}"
           failonerror="false"/>

   </target>


By default, stub POMs declare no dependencies *at all*.

For Ant we could have a dir src/etc/pom into which the different POM 
templates for each component go, e.g. ant-junit.pom has a dependency on 
junit of ${junit.version}, and on ant-${ant.version}.

The build:

1. copies the templates with property expansion enabled (like 
"m2-copy-pom" above)
2. creates .md5 checksums of the poms and their artifacts
3. signs this stuff by <exec gpg>
4. scps the files and signatures to a location, the default being the 
apache repository, but with any other location supported.
5. could also have a stub announcement email in the same dir, do the 
same property-expanding-copy and GPG sign trick to produce authenticated 
email for the announcement

-steve
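As an added example (my code, not part of Steve's message or the SmartFrog build), a checker for a directory staged by steps 2 and 3 above: it verifies each artifact against its .md5 file, accepting both Ant's bare-digest layout and the md5sum layout, and runs `gpg --verify` on a detached `.asc` signature when a gpg binary is on the PATH. The `.asc` suffix, the flat directory layout and the constructed sample files are assumptions.

```python
import hashlib
import os
import re
import shutil
import subprocess
import tempfile

# Accepts Ant <checksum>'s bare-digest .md5 file and the md5sum forms
# "digest  name" / "digest *name" (assumption: only those two layouts).
MD5_LINE = re.compile(r"^\s*([0-9a-fA-F]{32})(?:\s+\*?(\S.*?))?\s*$")

def parse_md5_file(path):
    """Return (hex digest, expected file name or None) from a .md5 file."""
    with open(path, encoding="ascii") as fh:
        match = MD5_LINE.match(fh.readline())
    if not match:
        raise ValueError("malformed checksum file: %s" % path)
    return match.group(1).lower(), match.group(2)

def md5_of(path, chunk=1 << 16):
    """Stream the file through MD5: a corruption check, not authentication."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def gpg_verify(sig_path, data_path):
    """Verify a detached .asc with whatever gpg is on PATH, if any."""
    gpg = shutil.which("gpg")
    if gpg is None:
        return "signature-unverified"  # never report 'ok' without checking
    proc = subprocess.run([gpg, "--batch", "--verify", sig_path, data_path],
                          stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return "signature-ok" if proc.returncode == 0 else "signature-bad"

def check_artifact(path):
    """Return the findings for one artifact; an empty list means clean."""
    findings = []
    md5_path = path + ".md5"
    if not os.path.exists(md5_path):
        findings.append("missing-checksum")
    else:
        digest, name = parse_md5_file(md5_path)
        if name is not None and name != os.path.basename(path):
            findings.append("checksum-names-other-file")
        if digest != md5_of(path):
            findings.append("checksum-mismatch")
    asc_path = path + ".asc"
    if not os.path.exists(asc_path):
        findings.append("missing-signature")  # the PGP trail is what counts
    else:
        status = gpg_verify(asc_path, path)
        if status != "signature-ok":
            findings.append(status)
    return findings

def check_release_dir(directory):
    """Map every artifact (anything that is not .md5/.asc) to its findings."""
    return {name: check_artifact(os.path.join(directory, name))
            for name in sorted(os.listdir(directory))
            if not name.endswith((".md5", ".asc"))}

def build_sample_dir():
    """Constructed staging dir with fake jar bytes (not real Ant artifacts)."""
    directory = tempfile.mkdtemp(prefix="ant-release-")

    def put(name, data):
        full = os.path.join(directory, name)
        with open(full, "wb") as fh:
            fh.write(data)
        return full

    good = put("ant-junit.jar", b"constructed jar bytes 1")
    put("ant-junit.jar.md5", (md5_of(good) + "  ant-junit.jar\n").encode())
    bad = put("ant-antlr.jar", b"constructed jar bytes 2")
    put("ant-antlr.jar.md5", md5_of(bad).encode())  # Ant's bare-digest form
    put("ant-antlr.jar", b"constructed jar bytes 2, altered after checksum")
    put("ant-bsf.jar", b"constructed jar bytes 3")  # no .md5 and no .asc
    return directory
```

A clean artifact produces an empty list; anything else names exactly which part of the integrity/authenticity trail is missing or broken.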





Re: Upload of Ant to Maven repository [WAS: Re: Re: pgp key for signing files]

Posted by Antoine Levy-Lambert <an...@gmx.de>.
Hi,

Steve had already sent an email to repository at apache dot org.

http://mail-archives.apache.org/mod_mbox/www-repository/200606.mbox/browser

Also, Carlos Sanchez answered my JIRA issue, giving a pointer to:

http://www.apache.org/dev/release-publishing.html

http://www.apache.org/dist/java-repository/ant/jars is the source of
ibiblio.org regarding everything that comes from apache, so we do not
have to add uploads to other sites to ReleaseInstructions.

What we should do is figure out how we are going to generate and upload
POM files (Maven project descriptors) to
http://www.apache.org/dist/java-repository/ant/jars. This possibly even
in 2 flavors for Maven 1 and Maven 2 ???

On a related issue, we need to update ReleaseInstructions to take into
account that we moved to svn.

Regards,

Antoine

Antoine Levy-Lambert wrote:
> Hello,
>
> I have created an issue on the MAVEN JIRA to ask the MAVEN colleagues what will be the procedure to upload Ant to the maven repository(ies).
>
> http://jira.codehaus.org/browse/MEV-412
>
> Steve, did you get any news from the repository colleagues ?
>
> Regards,
>
> Antoine
>
>   




Upload of Ant to Maven repository [WAS: Re: Re: pgp key for signing files]

Posted by Antoine Levy-Lambert <an...@gmx.de>.
Hello,

I have created an issue on the MAVEN JIRA to ask the MAVEN colleagues what will be the procedure to upload Ant to the maven repository(ies).

http://jira.codehaus.org/browse/MEV-412

Steve, did you get any news from the repository colleagues ?

Regards,

Antoine

-------- Original Message --------
Date: Mon, 05 Jun 2006 17:03:13 +0100
From: Steve Loughran <st...@apache.org>
To: Ant Developers List <de...@ant.apache.org>
Subject: Re: pgp key for signing files

> >> We also need to look at the release docs to see if it covers 
> >> distribution to the maven repository.
> > 
> > 
> > Does this directory [1] have something to do with Maven ?
> > There are instructions to populate it in the release instructions [2].
> > 
> > In any case I would be curious to know what is the use of this
> java-repository.
> 
> I'm checking with repository@apache.org, home of the repository police 
> -the "repo men" :)
> 
>  
> -steve
> 



Re: pgp key for signing files

Posted by Steve Loughran <st...@apache.org>.
Antoine Levy-Lambert wrote:
>> -------- Original Message --------
>> Date: Mon, 05 Jun 2006 14:40:12 +0100
>> From: Steve Loughran <st...@apache.org>
>> To: Ant Developers List <de...@ant.apache.org>
>> Subject: Re: pgp key for signing files
>>
>> We can't sign the binaries themselves, as java suddenly changes into 
>> secure mode when that happens. 
> 
> Hello Steve, 
> 
> what we do sign using PGP are the .tar.bz2, .tar.gz and .zip files which constitute the binary distribution. This is something different from signing a jar. The individual ant jars are not signed by Java means.

Exactly. Having had an email discussion with Ben Laurie on the topic, we 
should really have a separate PGP key purely for signing these artifacts, 
that is separate from anything used to encrypt emails. Why so? Because 
when the UK government key retrieval clause in the RIPA bill engages, 
they have the right to demand the decode keys from anyone subject to the 
UK courts, namely UK citizens, residents or anyone just passing through 
Heathrow airport. I know the risk of the government demanding your PGP 
key so that they can release their own patched version is pretty low, 
but the risk is there.

> 
> 
>> We also need to look at the release docs to see if it covers 
>> distribution to the maven repository.
> 
> 
> Does this directory [1] have something to do with Maven ?
> There are instructions to populate it in the release instructions [2].
> 
> In any case I would be curious to know what is the use of this java-repository.

I'm checking with repository@apache.org, home of the repository police 
-the "repo men" :)

> 
> Regards,
> 
> Antoine
>> -steve
>>
> 
> [1]http://archive.apache.org/dist/java-repository/ant/ 
> [2] http://svn.apache.org/viewvc/ant/core/trunk/ReleaseInstructions?revision=278300&view=markup
> 
> 




Re: Re: pgp key for signing files

Posted by Antoine Levy-Lambert <an...@gmx.de>.
> -------- Original Message --------
> Date: Mon, 05 Jun 2006 14:40:12 +0100
> From: Steve Loughran <st...@apache.org>
> To: Ant Developers List <de...@ant.apache.org>
> Subject: Re: pgp key for signing files
> 
> We can't sign the binaries themselves, as java suddenly changes into 
> secure mode when that happens. 

Hello Steve, 

what we do sign using PGP are the .tar.bz2, .tar.gz and .zip files which constitute the binary distribution. This is something different from signing a jar. The individual ant jars are not signed by Java means.


> 
> We also need to look at the release docs to see if it covers 
> distribution to the maven repository.


Does this directory [1] have something to do with Maven ?
There are instructions to populate it in the release instructions [2].

In any case I would be curious to know what is the use of this java-repository.

Regards,

Antoine
> 
> -steve
> 

[1]http://archive.apache.org/dist/java-repository/ant/ 
[2] http://svn.apache.org/viewvc/ant/core/trunk/ReleaseInstructions?revision=278300&view=markup




Re: pgp key for signing files

Posted by Steve Loughran <st...@apache.org>.
Antoine Levy-Lambert wrote:
> Hello Kev,
> I do not know *all* the available options.
> 
> What I did is that I downloaded GnuPG (www.gnupg.org), installed it on my computer, generated myself a key. The public part of the key you have to add at the end of a file called KEYS which is in svn and lists the public keys of the ant committers.
> 
> How to publish your key to a key server I do not remember. I think I uploaded my public key to a key server, but do not remember off hand how it is called.
> 
> You can use GPG to sign the ant binaries and also to sign (or to encrypt) emails. In the release procedure, there are some emails which have to be signed too. Thunderbird has a plugin (Enigmail) which can work with GPG.
> 

We can't sign the binaries themselves, as java suddenly changes into 
secure mode when that happens, but we can publish signatures of the 
checksums, and by signing the email announcement you can provide an 
authentication trail to the mirrors.

We also need to look at the release docs to see if it covers 
distribution to the maven repository.

-steve



Re: pgp key for signing files

Posted by Kev Jackson <fo...@gmail.com>.
>>>
>> Well I'm currently in Vietnam, so I guess that no I'm not near  
>> enough to anyone (most here seem to be European folks, with 1 or 2  
>> USians)
>
> Makes for round the clock support. We've had a good Australian  
> participation in the past, although Conor is the only person from  
> there currently active, I believe.

It's also great for open source that there are many people spread  
around as I believe different cultures bring different problem  
solving abilities to the table
>
> It's an interesting trust problem. You effectively already have some  
> credentials we implicitly trust (login rights to the cvs server &  
> minotaur, presumably including SSH private keys). Perhaps we can  
> bootstrap off that. It doesn't matter that you are who you say you  
> are, only that the entity who is committing stuff to the repository  
> is the same person who has the PGP key.
>

This is why ID cards prove nothing as the original application for  
said ID card can be completely fraudulent (think Day of the Jackal).   
UK.gov is severely wrong with regard to this - one reason why I won't  
be coming back any time soon.

> I also have an employer issued X.500 key, so I can demonstrate that  
> I am the person that HP thinks I am, or at least I have their  
> smartcard. We can use those to bootstrap trust too. After all, who  
> trusts a paper driving license without a photo on it (like my UK one)?
>

I too have a loo-paper driving license - practically every other  
country treats it with utter contempt when you try to use it as ID!   
Here it wouldn't count for anything as it doesn't contain a fingerprint

ok, sorry going OT ....

Kev

--
"It is through disobedience that progress has been made, through  
disobedience and through rebellion" - Oscar Wilde




Re: pgp key for signing files

Posted by Steve Loughran <st...@apache.org>.
Kev Jackson wrote:
> 
> On 6 Jun 2006, at 01:50, Stefan Bodewig wrote:
> 
>> On Mon, 05 Jun 2006, Antoine Levy-Lambert <an...@gmx.de> wrote:
>>
>>> How to publish your key to a key server I do not remember. I think I
>>> uploaded my public key to a key server, but do not remember off hand
>>> how it is called.
>>
>> I prefer http://pgpkeys.mit.edu/ but there are tons of alternatives.
>>
> 
> I was going to use this option as it was mentioned on the Apache FAQ re 
> signing, and I read elsewhere (perhaps GPG home page?) about it too - it 
> seems to be a well established key server.
> 
>> Another thing is that it would be good to have signatures on your
>> key.  Kev, do you live close enough to anybody of the Ant or any other
>> Apache community to get your key properly signed (most people will
>> require some sort of photo-id in a face-to-face meeting in order to
>> sign your key - though there may be alternatives).
>>
> 
> Well I'm currently in Vietnam, so I guess that no I'm not near enough to 
> anyone (most here seem to be European folks, with 1 or 2 USians) 

Makes for round the clock support. We've had a good Australian 
participation in the past, although Conor is the only person from there 
currently active, I believe.

> to have 
> a face-to-face to prove my id!  I may have a business trip to Taiwan at 
> some point in the next few weeks - but not before the end of the world cup.
> 
> I've never done this whole pgp thing before, and reading the gpg home 
> page makes it seem partly simple (gen keys) and partly extremely 
> complicated (signing).  Fortunately OSX seems to come with gpg 
> installed, unfortunately it's the complicated signing part that I've 
> still not fully understood (I get it conceptually, but I think the 
> explanation ont'web is confusing me more than anything).
> 
> Thanks
> Kev

It's an interesting trust problem. You effectively already have some 
credentials we implicitly trust (login rights to the cvs server & 
minotaur, presumably including SSH private keys). Perhaps we can 
bootstrap off that. It doesn't matter that you are who you say you are, 
only that the entity who is committing stuff to the repository is the 
same person who has the PGP key.

I also have an employer issued X.500 key, so I can demonstrate that I am 
the person that HP thinks I am, or at least I have their smartcard. We 
can use those to bootstrap trust too. After all, who trusts a paper 
driving license without a photo on it (like my UK one)?

-steve




Re: pgp key for signing files

Posted by Stefan Bodewig <bo...@apache.org>.
On Tue, 6 Jun 2006, Kev Jackson <fo...@gmail.com> wrote:
> On 6 Jun 2006, at 01:50, Stefan Bodewig wrote:

>> Another thing is that it would be good to have signatures on your
>> key.
> 
> Well I'm currently in Vietnam, so I guess that no I'm not near
> enough to anyone

True.  No ASF members either (the closest ones probably are in Japan).

> I've never done this whole pgp thing before, and reading the gpg
> home page makes it seem partly simple (gen keys) and partly
> extremely complicated (signing).

Technically signing is not any more difficult than generating keys.
If you are certain a key belongs to a given person, you sign it.  What
you do with the signed key is up to your personal taste - I upload it
to the keyservers, others will mail it to the originator.

If you import a key you get the choice to assign trust to it in GPG.
This version of "trust" means "how much do I trust the originator to
really only sign keys after checking they are proper keys".  So it is
a measure of trust in signatures by that key on other keys.  You
don't need to sign a key to assign trust to the user.

When you verify a signature on a document GPG will not only check
whether the signature is valid, but also whether you can assume that
the key which has been used to sign the document really belongs to the
person who claims it.  If you've signed the key yourself, you've
checked the key yourself already and thus know the key and trust the
signature.  If you haven't, all signatures on that key and the trust
you've assigned to the people who signed it will be taken into account
to calculate how much you can be sure the key was real.

Stefan
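As an added example (my code, not Stefan's and not GnuPG's), the calculation described in the last paragraph as a small model of gpg's classic trust model: a key becomes valid once it is signed by one fully trusted valid key or by three marginally trusted valid keys, within five certification hops, and a key you have not validated certifies nothing no matter how much owner trust you gave it. The key ids and the key graph are constructed.

```python
from collections import defaultdict

# Owner-trust levels as gpg names them; constructed example, not gpg's code.
ULTIMATE, FULL, MARGINAL, UNKNOWN, NEVER = ("ultimate", "full", "marginal",
                                            "unknown", "never")

class Keyring:
    """Keys, the certifications on them, and the owner trust you assigned.
    Defaults follow gpg's classic model: --completes-needed 1,
    --marginals-needed 3, --max-cert-depth 5."""

    def __init__(self, completes_needed=1, marginals_needed=3, max_cert_depth=5):
        self.completes_needed = completes_needed
        self.marginals_needed = marginals_needed
        self.max_cert_depth = max_cert_depth
        self.ownertrust = {}              # key id -> how far you trust its owner
        self.signers = defaultdict(set)   # key id -> ids of keys that signed it

    def add_key(self, keyid, ownertrust=UNKNOWN):
        self.ownertrust.setdefault(keyid, ownertrust)
        self.signers.setdefault(keyid, set())

    def set_ownertrust(self, keyid, trust):
        """Trust in the owner needs no signature from you (Stefan's point)."""
        self.add_key(keyid)
        self.ownertrust[keyid] = trust

    def sign(self, signer, target):
        """signer certifies that target really belongs to its named owner."""
        self.add_key(signer)
        self.add_key(target)
        if signer != target:              # a self-signature proves nothing here
            self.signers[target].add(signer)

    def _assess(self, key, valid_before):
        """One-full-or-three-marginal rule, counting only already-valid signers."""
        full_count = marginal_count = 0
        for signer in self.signers[key]:
            if valid_before.get(signer) != FULL:
                continue                  # an unvalidated key certifies nothing
            trust = self.ownertrust.get(signer, UNKNOWN)
            if trust in (ULTIMATE, FULL):
                full_count += 1
            elif trust == MARGINAL:
                marginal_count += 1       # NEVER and UNKNOWN add nothing
        if (full_count >= self.completes_needed
                or marginal_count >= self.marginals_needed):
            return FULL
        return MARGINAL if (full_count or marginal_count) else UNKNOWN

    def validity(self):
        """Return key id -> 'full' | 'marginal' | 'unknown' for every key."""
        valid = {k: (FULL if t == ULTIMATE else UNKNOWN)
                 for k, t in self.ownertrust.items()}   # depth 0: your own keys
        for _hop in range(self.max_cert_depth):
            before = dict(valid)          # one certification hop per pass
            for key, status in before.items():
                if status != FULL:
                    valid[key] = self._assess(key, before)
            if valid == before:
                break
        return valid

def build_sample_keyring(**options):
    """Constructed key graph with made-up key ids (not real committers' keys)."""
    ring = Keyring(**options)
    ring.add_key("me", ULTIMATE)
    for keyid, trust in (("stefan", FULL), ("antoine", MARGINAL),
                         ("steve", MARGINAL), ("conor", MARGINAL)):
        ring.set_ownertrust(keyid, trust)
        ring.sign("me", keyid)            # keys I checked and signed myself
    ring.sign("stefan", "kev")            # one fully trusted signer suffices
    for keyid in ("antoine", "steve", "conor"):
        ring.sign(keyid, "newcomer")      # three marginal signers also do
    ring.sign("antoine", "partial")       # only two marginals: stays marginal
    ring.sign("steve", "partial")
    ring.set_ownertrust("stranger", FULL)  # trusted owner, but nobody signed it
    ring.sign("stranger", "outsider")     # ... so its certification counts for nothing
    return ring
```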



Re: pgp key for signing files

Posted by Kev Jackson <fo...@gmail.com>.
On 6 Jun 2006, at 01:50, Stefan Bodewig wrote:

> On Mon, 05 Jun 2006, Antoine Levy-Lambert <an...@gmx.de> wrote:
>
>> How to publish your key to a key server I do not remember. I think I
>> uploaded my public key to a key server, but do not remember off hand
>> how it is called.
>
> I prefer http://pgpkeys.mit.edu/ but there are tons of alternatives.
>

I was going to use this option as it was mentioned on the Apache FAQ  
re signing, and I read elsewhere (perhaps GPG home page?) about it  
too - it seems to be a well established key server.

> Another thing is that it would be good to have signatures on your
> key.  Kev, do you live close enough to anybody of the Ant or any other
> Apache community to get your key properly signed (most people will
> require some sort of photo-id in a face-to-face meeting in order to
> sign your key - though there may be alternatives).
>

Well I'm currently in Vietnam, so I guess that no I'm not near enough  
to anyone (most here seem to be European folks, with 1 or 2 USians)  
to have a face-to-face to prove my id!  I may have a business trip to  
Taiwan at some point in the next few weeks - but not before the end  
of the world cup.

I've never done this whole pgp thing before, and reading the gpg home  
page makes it seem partly simple (gen keys) and partly extremely  
complicated (signing).  Fortunately OSX seems to come with gpg  
installed, unfortunately it's the complicated signing part that I've  
still not fully understood (I get it conceptually, but I think the  
explanation ont'web is confusing me more than anything).

Thanks
Kev

--
"To be governed is to be watched over, inspected, spied on, directed,  
legislated..." - Pierre-Joseph Proudhon




Re: pgp key for signing files

Posted by Stefan Bodewig <bo...@apache.org>.
On Mon, 05 Jun 2006, Antoine Levy-Lambert <an...@gmx.de> wrote:

> How to publish your key to a key server I do not remember. I think I
> uploaded my public key to a key server, but do not remember off hand
> how it is called.

I prefer http://pgpkeys.mit.edu/ but there are tons of alternatives.

Another thing is that it would be good to have signatures on your
key.  Kev, do you live close enough to anybody of the Ant or any other
Apache community to get your key properly signed (most people will
require some sort of photo-id in a face-to-face meeting in order to
sign your key - though there may be alternatives).

Stefan



Re: pgp key for signing files

Posted by Antoine Levy-Lambert <an...@gmx.de>.
Hello Kev,
I do not know *all* the available options.

What I did is that I downloaded GnuPG (www.gnupg.org), installed it on my computer, generated myself a key. The public part of the key you have to add at the end of a file called KEYS which is in svn and lists the public keys of the ant committers.

How to publish your key to a key server I do not remember. I think I uploaded my public key to a key server, but do not remember off hand how it is called.

You can use GPG to sign the ant binaries and also to sign (or to encrypt) emails. In the release procedure, there are some emails which have to be signed too. Thunderbird has a plugin (Enigmail) which can work with GPG.

Regards,

Antoine

> -------- Original Message --------
> Date: Mon, 5 Jun 2006 13:50:11 +0700
> From: Kev Jackson <fo...@gmail.com>
> To: Ant Developers List <de...@ant.apache.org>
> Subject: pgp key for signing files
> 
> Hi,
> 
> I've just run a test build of svn trunk with all the optional jars  
> (thanks Antoine!).  I recall that there were instructions about how  
> to sign files for release on the apache website, but I can't find  
> anything ant specific.
> 
> In the ant release instructions, there's mention of the shell script  
> for signing all the files, but again there's no mention of how to  
> create a key/what tools to use/how to publish said key to public server
> 
> I'm going to google some more to see what options are available, but  
> any advice from people who've previously gone through this would be  
> appreciated.
> 
> Thanks
> Kev
> 
> --
> "All governments are in equal measure good and evil.  The best ideal  
> is anarchy." - Leo Tolstoy
> 
