I did some digging into the release and release-review procedures and I noticed that one practice is to place a KEYS file in the same folder as the release candidates (and then the release folder) on the Apache site where the candidates are stored. This would include at least the public key that can be used to verify the .asc digital signature on the RC.

I think that can be done now, even with [VOTE]ing in progress, because it is not about the substance of the [VOTE].

 - Dennis

-----Original Message-----
From: Dennis E. Hamilton [mailto:dennis.hamil...@acm.org]
Sent: Friday, August 14, 2015 11:12
To: dev@corinthia.incubator.apache.org
Subject: RE: [DISCUSS][PRE-VOTE] Release candidate 0.1

I'm sorry that my question was unclear. It was not that I didn't know how to find Jan's public key.

My question is how any third party could determine who the release manager is and how to find an authentic version of that committer's public key for verifying the signature on an alleged release (candidate).

I know how to find that public key, although apparently it does not correspond to the private key that was used [;<).

 - Dennis

-----Original Message-----
From: Peter Kelly [mailto:pmke...@apache.org]
Sent: Friday, August 14, 2015 10:22
To: dev@corinthia.incubator.apache.org
Subject: Re: [DISCUSS][PRE-VOTE] Release candidate 0.1

> On 14 Aug 2015, at 11:23 pm, Dennis E. Hamilton <dennis.hamil...@acm.org> wrote:
>
> Please provide an authoritative ASF location of the public key to use for checking the signature. It would be something like a continuously verified key on this list: <https://people.apache.org/keys/committer/>.

https://people.apache.org/keys/committer/jani.asc

—
Dr Peter M. Kelly
pmke...@apache.org

PGP key: http://www.kellypmk.net/pgp-key <http://www.kellypmk.net/pgp-key>
(fingerprint 5435 6718 59F0 DD1F BFA0 5E46 2523 BAA1 44AE 2966)
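As an added example (not code from this thread or from the Corinthia project), the following stdlib-only Python script does the KEYS-side half of the check discussed above: it parses an ASCII-armored KEYS file, computes the v4 fingerprint of every primary public key in it, and reports whether a fingerprint published elsewhere (such as the one in Peter's signature line) is actually listed. The embedded key block is a constructed sample, not a real committer key, and the assumed function names are mine.

```python
import base64
import hashlib

def dearmor(text):
    blocks, buf = [], None  # buf is None while outside a PUBLIC KEY BLOCK
    for line in text.splitlines():
        if line.startswith("-----BEGIN PGP PUBLIC KEY BLOCK-----"):
            buf = []
        elif line.startswith("-----END PGP PUBLIC KEY BLOCK-----"):
            blocks.append(base64.b64decode("".join(buf)))
            buf = None
        elif buf is not None and line and ":" not in line and not line.startswith("="):
            buf.append(line.strip())  # skips armor headers, the blank line and the =CRC24 line
    return blocks

def packets(data):
    # Yield (tag, body) per packet; old- and new-format headers (RFC 4880 section 4.2).
    pos = 0
    while pos < len(data):
        hdr, pos = data[pos], pos + 1
        if hdr & 0x40:  # new format: six-bit tag, one/two/five-octet length
            tag, l1, pos = hdr & 0x3F, data[pos], pos + 1
            if l1 < 192:
                length = l1
            elif l1 < 224:
                length, pos = ((l1 - 192) << 8) + data[pos] + 192, pos + 1
            elif l1 == 255:
                length, pos = int.from_bytes(data[pos:pos + 4], "big"), pos + 4
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old format: tag in bits 2-5, length-octet count coded in bits 0-1
            tag, n = (hdr >> 2) & 0x0F, (1, 2, 4)[hdr & 3]  # code 3 (indeterminate) -> IndexError
            length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
        yield tag, data[pos:pos + length]
        pos += length

def fingerprints(keys_text):
    # v4 fingerprint = SHA-1(0x99 || two-byte body length || public-key packet body); primary keys only.
    return [hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()
            for blob in dearmor(keys_text) for tag, body in packets(blob) if tag == 6 and body[0] == 4]

def key_is_listed(keys_text, claimed):
    # Compare a fingerprint published elsewhere ("5435 6718 59F0 ..." style) with the KEYS file.
    return "".join(claimed.split()).upper() in fingerprints(keys_text)

# Constructed sample (not a real key): v4 RSA public-key body = version 4, creation time, algorithm 1, MPI n (64-bit), MPI e; an MPI is a 2-byte bit count + magnitude.
SAMPLE_BODY = bytes.fromhex("04 55ce0000 01 0040 c0ffee1234567891 0011 010001")
SAMPLE_KEYS = ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nComment: constructed sample\n\n%s\n-----END PGP PUBLIC KEY BLOCK-----\n"
               % base64.b64encode(b"\x99" + len(SAMPLE_BODY).to_bytes(2, "big") + SAMPLE_BODY).decode())
```

Run it against a downloaded KEYS file and the fingerprint the release manager announced; a key that verifies the .asc but is not listed in KEYS is exactly the mismatch the thread is worried about.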