Posted to dev@tomee.apache.org by Jean-Louis Monteiro <jl...@tomitribe.com> on 2021/09/16 07:00:50 UTC

TomEE KEYS update

Hi all,

Rod reported that we are missing some keys for signature checking of the
binaries.
David, yours isn't the correct one. So maybe you rotated the key to a new
one.

Can you guys make sure your key is there and up to date?
--
Jean-Louis Monteiro
http://twitter.com/jlouismonteiro
http://www.tomitribe.com

Re: TomEE KEYS update

Posted by David Blevins <da...@gmail.com>.
> On Sep 16, 2021, at 2:00 AM, Jean-Louis Monteiro <jl...@tomitribe.com> wrote:
> 
> Hi all,
> 
> Rod reported that we are missing some keys for signature checking of the
> binaries.
> David, yours isn't the correct one. So maybe you rotated the key to a new
> one.

Here's the revision where the key was added:

    $ svn diff -c 47730 https://dist.apache.org/repos/dist/release/tomee/KEYS

Here's a script that can verify 9.0.0-M7 in a temp dir starting with an empty gpg keys file:

 - https://gist.github.com/dblevins/949096886b293d4aec9af3312c48b4f9

I don't recall what key server I added it to.  It was whatever the Nexus install at repository.apache.org required before it would let me close the repo.

If Rod has a specific keys server he likes, I'm happy to add my key there as well.

I wrote a command in our release tools repo to make it easier for us to add our keys.

 - https://github.com/apache/tomee-release-tools/blob/master/src/main/java/org/apache/openejb/tools/release/cmd/Dist.java#L230-L248

We can expand that to also add it to a keys server.  That's something you have to do to make Nexus happy anyway, so it'd be a very good addition.


-David
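
The check described in the message above, verifying a release starting from an empty gpg keyring so that only the project's KEYS file is trusted, can look like the following. This is an added example, not the linked gist or the tomee-release-tools code; the function names `verify_with_keys` and `make_fixture`, the throwaway key and the sample files are constructed for illustration, and GnuPG 2.1 or later is assumed.

```shell
#!/usr/bin/env bash
# verify_with_keys KEYS ARTIFACT SIG
# Prints the signer fingerprint and returns 0 only when SIG is a good signature
# by a key contained in KEYS. The user's own ~/.gnupg is never consulted.
verify_with_keys() {
  local keys="$1" artifact="$2" sig="$3" home status fpr
  home=$(mktemp -d) || return 2               # empty, throwaway keyring
  # Old entries in a KEYS file may be rejected on import; only the verify
  # result below decides, so the import exit status is ignored.
  gpg --homedir "$home" --batch --quiet --import "$keys" 2>/dev/null || true
  # Parse machine-readable status lines, not the human-readable output.
  status=$(gpg --homedir "$home" --batch --status-fd 1 \
               --verify "$sig" "$artifact" 2>/dev/null) || true
  gpgconf --homedir "$home" --kill all 2>/dev/null || true
  rm -rf "$home"
  # GOODSIG is absent for a key missing from KEYS (NO_PUBKEY), a bad
  # signature (BADSIG) and expired or revoked keys (EXPKEYSIG, REVKEYSIG).
  fpr=$(printf '%s\n' "$status" | awk '
    $1 == "[GNUPG:]" && $2 == "GOODSIG"  { good = 1 }
    $1 == "[GNUPG:]" && $2 == "VALIDSIG" { fpr = $3 }
    END { if (good && fpr != "") print fpr }')
  [ -n "$fpr" ] || return 1
  printf '%s\n' "$fpr"
}

# make_fixture DIR NAME   (constructed sample data, throwaway key)
# Writes DIR/artifact, DIR/NAME.KEYS (public key) and DIR/artifact.NAME.asc.
make_fixture() {
  local dir="$1" name="$2" home rc=0
  home=$(mktemp -d) || return 2
  [ -f "$dir/artifact" ] || echo "constructed release artifact" > "$dir/artifact"
  { gpg --homedir "$home" --batch --quiet --pinentry-mode loopback \
        --passphrase '' --quick-generate-key \
        "$name <$name@example.invalid>" default default never &&
    gpg --homedir "$home" --batch --armor --export > "$dir/$name.KEYS" &&
    gpg --homedir "$home" --batch --quiet --pinentry-mode loopback \
        --passphrase '' --armor --detach-sign \
        -o "$dir/artifact.$name.asc" "$dir/artifact"
  } 2>/dev/null || rc=1
  gpgconf --homedir "$home" --kill all 2>/dev/null || true
  rm -rf "$home"
  return "$rc"
}
```

For a real release, pass the downloaded KEYS file, the artifact and its `.asc` to `verify_with_keys`, and compare the printed fingerprint with one obtained through a separate channel.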