On Mon, Nov 10, 2025 at 12:58 PM Gary Gregory <[email protected]> wrote:
>
> On Mon, Nov 10, 2025, 10:37 Piotr P. Karwasz <[email protected]> wrote:
>>
>> Hi Gary,
>>
>> On 10.11.2025 14:55, Gary Gregory wrote:
>> > On Mon, Nov 10, 2025 at 8:22 AM Piotr P. Karwasz
>> > <[email protected]> wrote:
>> >> Since your key is effectively the authoritative one for Commons, I’d
>> >> expect at least the following steps:
>> >>
>> >> - Signing the new key with your old key (86fdc7e2a11262cb),
>> >
>> > There is a discussion in the page above "for and against signing the
>> > old key with the new".
>> > You're suggesting the opposite? I did neither.
>>
>> The page you linked also instructs to sign the *new* key with the *old*
>> one (“Trust the new key” section [1]), but the HTML is malformed:
>>
>> <h/3 id="sign-new-key">Use the old key to sign the new key

Done and sent the old and new keys to hkps://keyserver.ubuntu.com

Thank you Piotr!

Gary

>
> Hi Piotr,
>
> Good find! I missed that one. The messed up H3 header doesn't help...
>
> Thank you,
> Gary
>
>> >> Is there an established procedure for signing code-signing keys?
>> >
>> > See https://infra.apache.org/key-transition.html#wot
>>
>> That’s the main issue with the PGP Web of Trust: it recommends security
>> practices so strict that, in reality, almost nobody follows them, and
>> people end up relying on Trust On First Use instead.
>>
>> Personally, I’m not interested in verifying the legal identity of any
>> PMC member. What matters more to me is a practical verification that the
>> new key:
>>
>> - Was added by someone who has access to the corresponding ASF account
>>   (as evidenced by the SVN log, for example),
>> - And has some continuity with a previous key: for instance, access to a
>>   GPG key that was used to sign commits or releases in the past. It’s
>>   easy to add a new GPG key to your ASF account, but it’s hard to use
>>   one retroactively. ;-)
>>
>> Piotr
>>
>> [1] https://infra.apache.org/key-transition.html#trust-new-key

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
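One way to automate the continuity check Piotr describes, as an added example that is not part of this thread or of ASF infra tooling: it parses `gpg --check-sigs --with-colons` output for a new key and reports whether the old key named above (86fdc7e2a11262cb) has a verified certification on it. The sample listing, the new key ID, the third signer and all fingerprints are constructed placeholders.

```python
import subprocess

# Key IDs: the old key is the one quoted in the thread; the new key,
# the third signer and all fingerprints below are constructed placeholders.
OLD_KEY_ID = "86fdc7e2a11262cb"
NEW_KEY_ID = "0123456789ABCDEF"

# Constructed sample of `gpg --check-sigs --with-colons 0123456789ABCDEF`.
# Colon-format fields (0-based): 1 = validity, 4 = key ID, 9 = user ID,
# 10 = signature class.  "!" means gpg verified the signature, "?" means
# the signer's public key is not in the keyring, so it cannot be verified.
SAMPLE_LISTING = """\
pub:u:4096:1:0123456789ABCDEF:1731200000:::u:::scESC::::::23::0:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA0123456789ABCDEF:
uid:u::::1731200000::1111111111111111111111111111111111111111::Example Releaser <[email protected]>::::::::::0:
sig:!::1:0123456789ABCDEF:1731200000::::Example Releaser <[email protected]>:13x::AAAAAAAAAAAAAAAAAAAAAAAA0123456789ABCDEF:::8:
sig:!::1:86FDC7E2A11262CB:1731230000::::Gary Gregory <[email protected]>:10x::BBBBBBBBBBBBBBBBBBBBBBBB86FDC7E2A11262CB:::8:
sig:?::1:FEDCBA9876543210:1731231000::::[User ID not found]:10x::::::8:
sub:u:4096:1:2222222222222222:1731200000::::::e::::::23:
"""

def gpg_check_sigs(key_id: str) -> str:
    """Run gpg against the local keyring (not used by the offline sample)."""
    return subprocess.run(
        ["gpg", "--check-sigs", "--with-colons", key_id],
        capture_output=True, text=True, check=True,
    ).stdout

def certifying_keys(listing: str, new_key_id: str) -> dict:
    """Map signer key ID -> validity for UID certifications (classes 0x10-0x13)
    on new_key_id, excluding the key's own self-signatures."""
    wanted, in_key, signers = new_key_id.upper(), False, {}
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            in_key = f[4].upper() == wanted      # only records of the new key
            continue
        if not in_key or f[0] != "sig":
            continue
        signer, sig_class = f[4].upper(), int(f[10][:2], 16)
        if signer == wanted or not 0x10 <= sig_class <= 0x13:
            continue
        signers[signer] = f[1]
    return signers

def has_continuity(listing: str, new_key_id: str, old_key_id: str) -> bool:
    """True only if the old key's certification of the new key verified ("!")."""
    return certifying_keys(listing, new_key_id).get(old_key_id.upper()) == "!"
```

A "?" entry (signer key not in the local keyring) is deliberately not treated as continuity; import the old key first so gpg can actually verify the signature.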
