Author: buildbot
Date: Tue Nov 27 22:51:00 2012
New Revision: 839821
Log:
Staging update by buildbot for isis
Modified:
websites/staging/isis/trunk/cgi-bin/ (props changed)
websites/staging/isis/trunk/content/ (props changed)
websites/staging/isis/trunk/content/contributors/release-process-release-manager-prereqs.html
websites/staging/isis/trunk/content/contributors/release-process.html
Propchange: websites/staging/isis/trunk/cgi-bin/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Tue Nov 27 22:51:00 2012
@@ -1 +1 @@
-1414423
+1414453
Propchange: websites/staging/isis/trunk/content/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Tue Nov 27 22:51:00 2012
@@ -1 +1 @@
-1414423
+1414453
Modified:
websites/staging/isis/trunk/content/contributors/release-process-release-manager-prereqs.html
==============================================================================
---
websites/staging/isis/trunk/content/contributors/release-process-release-manager-prereqs.html
(original)
+++
websites/staging/isis/trunk/content/contributors/release-process-release-manager-prereqs.html
Tue Nov 27 22:51:00 2012
@@ -192,11 +192,505 @@
</h1>
</div>
-<p>In order that a contributor can make a release it is necessary for them to
have generated a key and had that key recognized by other members of the ASF.
</p>
-
<h2>Key Generation</h2>
-<p><em>currently documented in 0.2.0-incubating contributor guide, 'Key
Generation' appendix.</em></p>
+<p>In order that a contributor can make a release it is necessary for them to
have generated a key and had that key recognized by other members of the Apache
Software Foundation. </p>
+
+<p>For further background information on this topic, see the <a
href="http://www.apache.org/dev/release-signing.html">release signing page</a>
and the <a href="http://www.apache.org/dev/openpgp.html#generate-key">openpgp
page</a> on the Apache wiki.</p>
+
+<h3>Install and Configure gpg</h3>
+
+<p>Download and install GnuPG (gpg), version 1.4.10 or higher.</p>
+
+<p>Then, edit <code>~/.gnupg/gpg.conf</code> (on Windows, the file to edit is
<code>C:\Users\xxx\AppData\Roaming\gnupg\gpg.conf</code>) so that the default
is to generate a strong key:</p>
+
+<pre>
+personal-digest-preferences SHA512
+cert-digest-algo SHA512
+default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5
ZLIB BZIP2 ZIP Uncompressed
+</pre>
+
+<h3>Key Generation</h3>
+
+<p>The ASF requires that keys are signed with a key (or subkey) based on RSA
4096 bits. To do this:</p>
+
+<pre>
+$ gpg --gen-key
+gpg (GnuPG) 1.4.11; Copyright (C) 2010 Free Software Foundation, Inc.
+This is free software: you are free to change and redistribute it.
+There is NO WARRANTY, to the extent permitted by law.
+
+Please select what kind of key you want:
+ (1) RSA and RSA (default)
+ (2) DSA and Elgamal
+ (3) DSA (sign only)
+ (4) RSA (sign only)
+Your selection?
+</pre>
+
+<p>Specify RSA key:</p>
+
+<pre>
+Your selection? 1
+
+RSA keys may be between 1024 and 4096 bits long.
+What keysize do you want? (2048)
+</pre>
+
+<p>Specify key length as 4096 bits:</p>
+
+<pre>
+What keysize do you want? (2048) 4096
+Requested keysize is 4096 bits
+
+Please specify how long the key should be valid.
+ 0 = key does not expire
+ <n> = key expires in n days
+ <n>w = key expires in n weeks
+ <n>m = key expires in n months
+ <n>y = key expires in n years
+Key is valid for? (0)
+</pre>
+
+<p>Specify key as non-expiring:</p>
+
+<pre>
+Key is valid for? (0) 0
+Key does not expire at all
+Is this correct? (y/N) y
+
+You need a user ID to identify your key; the software constructs the user ID
+from the Real Name, Comment and Email Address in this form:
+ "Heinrich Heine (Der Dichter) <[email protected]>"
+
+Real name:
+</pre>
+
+<p>Enter your name, email and comment:</p>
+
+<ul>
+<li>use your apache.org email</li>
+<li>the comment should be "CODE SIGNING KEY"</li>
+</ul>
+
+<pre>
+Real name: Xxx Xxxxxxxxx
+Email address: <[email protected]>
+Comment: CODE SIGNING KEY
+You selected this USER-ID:
+ "Xxx Xxxxxxxxx (CODE SIGNING KEY) <[email protected]>"
+
+Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
+
+You need a Passphrase to protect your secret key.
+Enter passphrase:
+</pre>
+
+<p>Provide a passphrase to secure your key.</p>
+
+<pre>
+Enter passphrase:
+Repeat passphrase:
+</pre>
+
+<p>GPG will goes on to generate your key:</p>
+
+<pre>
+We need to generate a lot of random bytes. It is a good idea to perform
+some other action (type on the keyboard, move the mouse, utilize the
+disks) during the prime generation; this gives the random number
+generator a better chance to gain enough entropy.
+...+++++
+.........................+++++
+We need to generate a lot of random bytes. It is a good idea to perform
+some other action (type on the keyboard, move the mouse, utilize the
+disks) during the prime generation; this gives the random number
+generator a better chance to gain enough entropy.
+....+++++
+...+++++
+gpg: key nnnnnnnn marked as ultimately trusted
+public and secret key created and signed.
+
+gpg: checking the trustdb
+gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
+gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
+pub 4096R/nnnnnnnn yyyy-mm-dd
+ Key fingerprint = xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx
+uid Xxx Xxxxxx <[email protected]>
+sub 4096R/kkkkkkkk yyyy-mm-dd
+</pre>
+
+<p>The public key with id nnnnnnnn should now be stored in
<code>~/.gnupg/pubring.pgp</code> (on Windows 7, this is in
<code>c:/Users/xxx/AppData/Roaming/gnupg/pubring.pgp</code>).</p>
+
+<p>To confirm the key has been generated, use:</p>
+
+<pre>
+$ gpg --list-keys --fingerprint
+</pre>
+
+<p>The key Id is the one true way to identify the key, and is also the last 8
digits of the fingerprint. The corresponding secret key for id
<code>nnnnnnnn</code> is stored in <code>~/.gnupg/secring.pgp</code> (on
Windows 7, this is in
<code>c:/Users/xxx/AppData/Roaming/gnupg/secring.pgp</code>).</p>
+
+<p>It's also worth confirming the key has the correct preference of algorithms
(reflecting the initial configuration we did earlier). For this, enter the gpg
shell for your new key:</p>
+
+<pre>
+$ gpg --edit-key nnnnnnnnn
+>gpg
+</pre>
+
+<p>where <code>nnnnnnnn</code> is your key id. Now, use the 'showpref'
subcommand to list details:</p>
+
+<pre>
+gpg> showpref
+[ultimate] (1). Xxx Xxxxxxxx (CODE SIGNING KEY) <[email protected]>
+ Cipher: AES256, AES192, AES, CAST5, 3DES
+ Digest: SHA512, SHA384, SHA256, SHA224, SHA1
+ Compression: ZLIB, BZIP2, ZIP, Uncompressed
+ Features: MDC, Keyserver no-modify
+
+gpg>
+</pre>
+
+<p>The Digest line should list SHA-512 first and SHA-1 last.</p>
+
+<p>Finally, remember to take a backup of your key and the keyring (ie, backup
the <code>.gnupg</code> directory and its contents).</p>
+
+<h3>Subkey Generation</h3>
+
+<p>It's recommended to use a subkey with an expiry date to sign releases,
rather than your main, non-expiring key. If a subkey is present, then gpg will
use it for signing in preference to the main key.</p>
+
+<p><div class="note"></p>
+
+<p>After (binary) release artifacts are created, they are deployed to the
ASF's Nexus staging repository. However, Nexus seems unable to retrieve a
subkey from the public key server. Until we find a fix/workaround for this, all
releases should be signed just with a regular non-expiring main key.</p>
+
+<p></div></p>
+
+<p>To create a subkey Enter the gpg shell using (the identifier of) your main
key:</p>
+
+<pre>
+gpg --edit-key xxxxxxxx
+gpg>
+</pre>
+
+<p>Type 'addkey' to create a subkey, and enter your passphrase for the main
key:</p>
+
+<pre>
+gpg> addkey
+Key is protected.
+[enter your secret passphrase]
+
+You need a passphrase to unlock the secret key for
+user: "Dan Haywood (CODE SIGNING KEY) <[email protected]>"
+4096-bit RSA key, ID xxxxxxxx, created 2011-02-01
+
+Please select what kind of key you want:
+ (3) DSA (sign only)
+ (4) RSA (sign only)
+ (5) Elgamal (encrypt only)
+ (6) RSA (encrypt only)
+Your selection?
+</pre>
+
+<p>Select (6) to choose an RSA key for encryption:</p>
+
+<p><div class="note"></p>
+
+<p>It would seem that Nexus repository manager does not recognize RSA subkeys
with an 'S'ign usage; see this discussion on a mailing list and this issue on
Sonatype's JIRA</p>
+
+<p></div></p>
+
+<pre>
+Your selection? 6
+
+RSA keys may be between 1024 and 4096 bits long.
+What keysize do you want? (2048) 4096
+
+Requested keysize is 4096 bits
+
+Please specify how long the key should be valid.
+ 0 = key does not expire
+ <n> = key expires in n days
+ <n>w = key expires in n weeks
+ <n>m = key expires in n months
+ <n>y = key expires in n years
+Key is valid for?
+</pre>
+
+<p>Specify that the key is valid for 1 year:</p>
+
+<pre>
+Key is valid for? (0) 1y
+
+Key expires at yy/MM/dd hh:mm:ss
+Is this correct? (y/N) y
+Really create? (y/N) y
+We need to generate a lot of random bytes. It is a good idea to perform
+some other action (type on the keyboard, move the mouse, utilize the
+disks) during the prime generation; this gives the random number
+generator a better chance to gain enough entropy.
+...+++++
+.+++++
+
+pub 4096R/xxxxxxxx created: yyyy-mm-dd expires: never usage: SC
+ trust: ultimate validity: ultimate
+sub 4096R/xxxxxxxx created: yyyy-mm-dd expires: yyYY-mm-dd usage: E
+[ultimate] (1). Dan Haywood (CODE SIGNING KEY) <[email protected]>
+
+gpg>
+</pre>
+
+<p>Quit the gpg shell; you now have a subkey.</p>
+
+<h3>Generate a Revocation Certificate</h3>
+
+<p>It's good practice to generate a number of revocation certificates so that
the key can be revoked if it happens to be compromised. See the <a
href="http://www.apache.org/dev/openpgp.html#revocation-certs">gpg page</a> on
the Apache wiki for more background on this topic.</p>
+
+<p>First, generate a "no reason specified" key:</p>
+
+<pre>
+$ gpg --output revoke-nnnnnnnn-0.asc --armor --gen-revoke nnnnnnnn
+
+sec 4096R/nnnnnnnn yyyy-mm-dd Xxx Xxxxxxx (CODE SIGNING KEY) <[email protected]>
+Create a revocation certificate for this key? (y/N) Y
+
+Please select the reason for the revocation:
+ 0 = No reason specified
+ 1 = Key has been compromised
+ 2 = Key is superseded
+ 3 = Key is no longer used
+ Q = Cancel
+(Probably you want to select 1 here)
+Your decision?
+</pre>
+
+<p>Select 0.</p>
+
+<pre>
+Your decision? 0
+
+Enter an optional description; end it with an empty line:
+</pre>
+
+<p>Provide a description:</p>
+
+<pre>
+> Generic certificate to revoke key, generated at time of key creation.
+>
+Reason for revocation: No reason specified
+Generic certificate to revoke key, generated at time of key creation.
+Is this okay? (y/N)
+</pre>
+
+<p>Confirm this is ok.</p>
+
+<pre>
+Is this okay? y
+
+You need a passphrase to unlock the secret key for
+user: "Xxx Xxxxxxx (CODE SIGNING KEY) <[email protected]>"
+4096-bit RSA key, ID nnnnnnnn, created yyyy-mm-dd
+
+Enter passphrase:
+</pre>
+
+<p>Enter a passphrase:</p>
+
+<pre>
+Enter passphrase:
+Revocation certificate created.
+
+Please move it to a medium which you can hide away; if Mallory gets
+access to this certificate he can use it to make your key unusable.
+It is smart to print this certificate and store it away, just in case
+your media become unreadable. But have some caution: The print system of
+your machine might store the data and make it available to others!
+</pre>
+
+<p>The file <code>revoke-nnnnnnnn-0.asc</code> should be created: Then, backup
this file.</p>
+
+<p>Now repeat the process to create two further revocation certificates:</p>
+
+<ul>
+<li><code>gpg --output revoke-nnnnnnnn-1.asc --armor --gen-revoke
nnnnnnnn</code></p>
+
+<p>Specify reason as "1 = Key has been compromised"</li>
+<li><code>gpg --output revoke-nnnnnnnn-3.asc --armor --gen-revoke
nnnnnnnn</code></p>
+
+<p>Specify reason as "3 = Key is no longer used"</li>
+</ul>
+
+<p>Backup these files also.</p>
+
+<p><div class="note"></p>
+
+<p>if you find that you need to revoke your certificate, this blog post
explains how.</p>
+
+<p></div></p>
+
+<h3>Publish Key</h3>
+
+<p>It is also necessary to publish your key. There are several places where
this should be done. In most cases, you'll need the "armored" " (ie ASCII)
representation of your key. This can be generated using:</p>
+
+<pre>
+$ gpg --armor --export nnnnnnnn > nnnnnnnn.asc
+</pre>
+
+<p>where <code>nnnnnnnn</code> is the id of your public key.</p>
+
+<p>You'll also need the fingerprint of your key. This can be generated
using:</p>
+
+<pre>
+$ gpg --fingerprint nnnnnnnn
+</pre>
+
+<p>The output from this command includes a line beginning "Key fingerprint",
followed by a (space delimited) 40 character hexadecimal fingerprint. The last
8 characters should be the same as the key id (<code>nnnnnnnn</code>).</p>
+
+<h4>Publish to a public key server</h4>
+
+<p>To a publish your key to a public key server (eg the MIT key server hosted
at <a href="http://pgp.mit.edu">http://pgp.mit.edu</a>), use the procedure
below. Public key servers synchronize with each other, so publishing to one key
server should be sufficient. For background reading on this, see the <a
href="http://www.apache.org/dev/release-signing.html#keyserver-upload">release
signing page</a> on the Apache wiki, and the <a
href="http://maven.apache.org/developers/release/pmc-gpg-keys.html">gpg key
page</a> on the Maven wiki.</p>
+
+<p>To send the key up to the key server:</p>
+
+<pre>
+$ gpg --send-keys --keyserver pgp.mit.edu nnnnnnnn
+</pre>
+
+<p>where <code>nnnnnnnn</code> is the key Id.</p>
+
+<p>Alternatively, you can browse to the <a href="http://pgp.mit.edu/">MIT key
server</a> and paste in the armored representation of your key.</p>
+
+<p>Confirm the key has been added by browsing to submitting the following
URL:</p>
+
+<p><code>http://pgp.mit.edu:11371/pks/lookup?search=0xnnnnnnnnn&op=vindex</code></p>
+
+<p>again, where <code>nnnnnnnn</code> is the key Id.</p>
+
+<h4>Publish to your Apache home directory</h4>
+
+<p>The armored representation of your public key should be uploaded to your
home directory on <code>people.apache.org</code>, and renamed as
<code>.pgpkey</code>. Make sure this is readable by all.</p>
+
+<h4>Publish to your Apache HTML home directory</h4>
+
+<p>The armored representation of your public key should be uploaded to your
<code>public_html</code> home directory on <code>people.apache.org</code>,
named <code>nnnnnnnn.asc</code>. Make sure this is readable by all.</p>
+
+<p>Check the file is accessible by browsing to:</p>
+
+<p><code>http://people.apache.org/~xxxxxxxx/nnnnnnnn.asc</code></p>
+
+<p>where</p>
+
+<ul>
+<li><code>xxxxxxxx</code> is your apache LDAP user name</li>
+<li><code>nnnnnnnn</code> is your public key id.</li>
+</ul>
+
+<h4>FOAF</h4>
+
+<p>First, check out the committers/info directory:</p>
+
+<pre>
+svn co https://svn.apache.org/repos/private/committers/info
+</pre>
+
+<p>Go to Apache <a
href="http://people.apache.org/foaf/foafamatic.html">FOAF-a-matic</a> web page
to generate the FOAF file text (we copy this text out in a minute):</p>
+
+<ul>
+<li>enter ASF LDAP user name</li>
+<li>enter First name, Last name</li>
+<li>for PGP key fingerprints, add Key
+<ul>
+<li>paste in the key id</li>
+<li>paste in the fingerprint</li>
+</ul></li>
+<li>press "Create"</li>
+</ul>
+
+<p>In the box below, you should have a FOAF file, something like:</p>
+
+<pre>
+<?xml version="1.0" encoding="UTF-8"?>
+<rdf:RDF
+ xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+ xmlns:rdfs="http://www.w3.org/2000/01/rdf-schema#"
+ xmlns:foaf="http://xmlns.com/foaf/0.1/"
+ xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#"
+ xmlns:pm="http://www.web-semantics.org/ns/pm#"
+ xmlns:wot="http://xmlns.com/wot/0.1/"
+ xmlns:rss="http://purl.org/rss/1.0/"
+ xmlns:dc="http://purl.org/dc/elements/1.1/"
+ xmlns:ical="http://www.w3.org/2002/12/cal/ical#"
+ xmlns:doap="http://usefulinc.com/ns/doap#">
+ <foaf:Person rdf:ID="danhaywood">
+ <foaf:name>Xxx Xxxxxxxx</foaf:name>
+ <foaf:givenname>Xxx</foaf:givenname>
+ <foaf:family_name>Xxxxxxxx</foaf:family_name>
+ <wot:hasKey>
+ <wot:PubKey>
+ <wot:fingerprint>nnnn nnnn nnnn nnnn nnnn nnnn nnnn nnnn nnnn
nnnn</wot:fingerprint>
+ <wot:hex_id>nnnnnnnn</wot:hex_id>
+ </wot:PubKey>
+ </wot:hasKey>
+ </foaf:Person>
+</rdf:RDF>
+</pre>
+
+<p>(If you are creating the FOAF file for the first time, you may want to add
additional details).</p>
+
+<p>From this, copy out the <code>wot:key</code>, and paste into your FDF file
in <code>committers/info</code>:</p>
+
+<pre>
+ <wot:hasKey>
+ <wot:PubKey>
+ <wot:fingerprint>nnnn nnnn nnnn nnnn nnnn nnnn nnnn nnnn nnnn
nnnn</wot:fingerprint>
+ <wot:hex_id>nnnnnnnn</wot:hex_id>
+ </wot:PubKey>
+ </wot:hasKey>
+</pre>
+
+<p>Then, manually add in a <code><wot:pubkeyAddress></code> element
within <code><wot:PubKey></code>:</p>
+
+<pre>
+ <wot:hasKey>
+ <wot:PubKey>
+ <wot:fingerprint>nnnn nnnn nnnn nnnn nnnn nnnn nnnn nnnn nnnn
nnnn</wot:fingerprint>
+ <wot:hex_id>nnnnnnnn</wot:hex_id>
+ <wot:pubkeyAddress
+ rdf:resource="http://people.apache.org/~username/nnnnnnnn.asc/>
+ </wot:PubKey>
+ </wot:hasKey>
+</pre>
+
+<p>ie, referencing your publically exported public key</p>
+
+<p>Finally, commit your changes.</p>
+
+<h4>Save to <code>KEYS</code></h4>
+
+<p>The armored representation of the public key should be saved to Isis'
<code>KEYS</code> file, <a
href="https://svn.apache.org/repo/asf/isis/KEYS">https://svn.apache.org/repo/asf/isis/KEYS</a>
(ie, parent of <code>trunk</code>).</p>
+
+<p>First, in a new directory, checkout this file:</p>
+
+<pre>
+svn -N co https://svn.apache.org/repos/asf/isis/ .
+</pre>
+
+<p>This should bring down the <code>KEYS</code> file.</p>
+
+<p>Then, export your signature and armored representation.</p>
+
+<pre>
+gpg --list-sigs nnnnnnnn >>KEYS
+gpg --armor --export nnnnnnnn >>KEYS
+</pre>
+
+<p>Then commit.</p>
+
+<h4>id.apache.org</h4>
+
+<p>Log onto <code>id.apache.org</code> and ensure that the finger print of
your public key is correct.</p>
+
+<h3>Attend Key Signing Party (Apache web of trust)</h3>
+
+<p>It is strongly advised that the contributor attend a key signing party at
an Apache event, in order that other Apache committers/members can in person
verify their identity against the key. The process for this is described <a
href="http://www.apache.org/dev/release-signing.html#key-signing-party">here</a>
and <a href="http://wiki.apache.org/apachecon/PgpKeySigning">here</a>.</p>
<h2>Update Maven Settings file (<code>~/.m2/settings.xml</code>)</h2>
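Review bot: the Subkey Generation section contradicts itself: it opens by recommending an expiring subkey for signing releases, but the walkthrough selects "(6) RSA (encrypt only)", so the subkey that results carries usage E (see the `sub 4096R/xxxxxxxx ... usage: E` line) and cannot sign anything, while the note just above says all releases should be signed with the main key anyway. Either drop the subkey walkthrough until the Nexus problem is resolved, or state plainly that this subkey is for encryption only and that releases are still signed with the primary key. The three `<p><div class="note"></p>` ... `<p></div></p>` blocks are invalid nesting (a div cannot sit inside a p; browsers will auto-close the p and leave stray tags), and the `<ul>` under "two further revocation certificates" contains `</p>` and `<p>` inside `<li>` without matching openers; the source probably needs blank lines around the div and the list items. In the FOAF snippet, `rdf:resource="http://people.apache.org/~username/nnnnnnnn.asc/>` is missing the closing quote before `/>`, which would make the committed FOAF file ill-formed XML. The Nexus/subkey note and the revocation note refer to "this discussion on a mailing list", "this issue on Sonatype's JIRA" and "this blog post" without linking to them. Smaller fixes: `<h3>Key Generation</h3>` repeats the retained `<h2>Key Generation</h2>` heading; `>gpg` should read `gpg>`; the key id is written with nine n's in `gpg --edit-key nnnnnnnnn` and in `search=0xnnnnnnnnn` but eight everywhere else; the KEYS link uses `/repo/asf/` while the checkout command uses `/repos/asf/`; "GPG will goes on" should be "GPG goes on"; a "no reason specified" key should be a certificate; "FDF file" should be FOAF file; "browsing to submitting" and the stray quote in `"armored" " (ie ASCII)` need cleaning up. Also worth verifying the keyring file names: GnuPG 1.4 stores keys in `pubring.gpg` and `secring.gpg`, not `.pgp`.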
Modified: websites/staging/isis/trunk/content/contributors/release-process.html
==============================================================================
--- websites/staging/isis/trunk/content/contributors/release-process.html
(original)
+++ websites/staging/isis/trunk/content/contributors/release-process.html Tue
Nov 27 22:51:00 2012
@@ -400,6 +400,8 @@ Ignore any missing license warnings for
<p>In order to prepare a release, you must have a public/private key pair, and
have configured Maven. See <a
href="release-process-release-manager-prereqs.html">release manager
prerequisites</a> for more details.</p>
+<p>... in progress ...</p>
+
</div>
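Review bot: `<p>... in progress ...</p>` is placeholder text being pushed to the staging site directly after the prerequisites paragraph; if the intent is to mark the section as unfinished, say what is still missing (or keep the placeholder out of the published page) rather than shipping a bare ellipsis. The extra blank line added before `</div>` is harmless but unnecessary.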