Hi Jordan,

There are two things you may help with:

1. I'm unsure whether it's a strong requirement that signing keys must happen with an offline meeting, but if you trust my public key, you can gpg trust it with your code signing key:

gpg --sign-key [email protected]
gpg --output signed.key --export --armor [email protected]
# and send me the signed.key

2. Directly importing KEYS from https://www.apache.org/dist/curator/KEYS and verifying the 5.2.1 source release zip file gives me:

apache-curator-5.2.1-source-release.zip
gpg: Signature made 一 3/14 16:07:11 2022 CST
gpg:                using RSA key BBE7232D7991050B54C8EA0ADC08637CA615D22C
gpg: Good signature from "Enrico Olivelli <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: BBE7 232D 7991 050B 54C8  EA0A DC08 637C A615 D22C

Although I can see Enrico's key is trusted by multiple committers:
https://keyserver.ubuntu.com/pks/lookup?op=index&fingerprint=on&search=0xBBE7232D7991050B54C8EA0ADC08637CA615D22C

I'd like to know what output you get if you verify the signature on the 5.2.1 source release. I also don't know how to import the WoT info.

Best,
tison.

Jordan Zimmerman <[email protected]> wrote on Fri, Jul 1, 2022 at 19:32:

> I've never done the authentication side before - but if I can help let me
> know
>
> > On Jul 1, 2022, at 12:14 PM, tison <[email protected]> wrote:
> >
> > Although still I don't know how to import the WoT, but it seems I can find
> > committers in the WoT in my city and meet locally personally to join the
> > WoT. Will try it out.
> >
> > Best,
> > tison.
> >
> >
> > tison <[email protected]> wrote on Fri, Jul 1, 2022 at 18:26:
> >
> >> Hi Jordan,
> >>
> >> Thanks for reviewing the release candidate.
> >>
> >> I read the doc and tried to verify the 5.2.1 release artifact and got:
> >>
> >> apache-curator-5.2.1-source-release.zip
> >> gpg: Signature made 一 3/14 16:07:11 2022 CST
> >> gpg:                using RSA key BBE7232D7991050B54C8EA0ADC08637CA615D22C
> >> gpg: Good signature from "Enrico Olivelli <[email protected]>" [unknown]
> >> gpg: WARNING: This key is not certified with a trusted signature!
> >> gpg:          There is no indication that the signature belongs to the owner.
> >> Primary key fingerprint: BBE7 232D 7991 050B 54C8  EA0A DC08 637C A615 D22C
> >>
> >> It also has the warning printed. Did I miss something to import?
> >>
> >> BTW, I may not have the opportunity to attend an offline Apache meetup this
> >> month, which seems the only approach to join the WoT.
> >>
> >> Best,
> >> tison.
> >>
> >>
> >> Jordan Zimmerman <[email protected]> wrote on Fri, Jul 1, 2022 at 17:53:
> >>
> >>> Hi,
> >>>
> >>> Zili - your PGP key isn't in the WOT. That should be done before I make
> >>> my vote. Apache has docs on this here:
> >>> https://infra.apache.org/release-signing.html#web-of-trust
> >>>
> >>> i.e. when I verify the hashes I get:
> >>>
> >>> gpg: Signature made Thu Jun 30 17:54:38 2022 WEST
> >>> gpg:                using RSA key 8B374472FAD328E17F479863B379691FC6E298DD
> >>> gpg: Good signature from "Zili Chen (CODE SIGNING KEY) <[email protected]>" [unknown]
> >>> gpg: WARNING: This key is not certified with a trusted signature!
> >>> gpg:          There is no indication that the signature belongs to the owner.
> >>> Primary key fingerprint: 8B37 4472 FAD3 28E1 7F47 9863 B379 691F C6E2 98DD
> >>>
> >>> -Jordan
> >>>
> >>>> On Jun 30, 2022, at 6:21 PM, tison <[email protected]> wrote:
> >>>>
> >>>> Hello,
> >>>>
> >>>> This is the vote for Apache Curator version 5.3.0
> >>>>
> >>>> *** Please download, test and vote within approx. 72 hours
> >>>>
> >>>> Note that we are voting upon the source (tag) and binaries are provided
> >>>> for convenience.
> >>>>
> >>>> Link to release notes:
> >>>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12314425&version=12351883
> >>>>
> >>>> Staging repo:
> >>>> https://dist.apache.org/repos/dist/dev/curator/5.3.0/
> >>>>
> >>>> Binary artifacts:
> >>>> https://repository.apache.org/content/repositories/orgapachecurator-1053
> >>>>
> >>>> The tag to be voted upon:
> >>>> https://github.com/apache/curator/releases/tag/apache-curator-5.3.0
> >>>>
> >>>> Curator's KEYS file containing PGP keys we use to sign the release:
> >>>> https://www.apache.org/dist/curator/KEYS
> >>>>
> >>>> [ ] +1 approve
> >>>> [ ] +0 no opinion
> >>>> [ ] -1 disapprove (and reason why)
> >>>>
> >>>> Best,
> >>>> tison.
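The "This key is not certified with a trusted signature" warning that both tison and Jordan hit above is gpg reporting that the signer's key has no path in the verifier's own web of trust; it says nothing about whether the signature itself is good or whether the key is the one the project publishes in KEYS. The check a release verifier actually needs is the latter: a good signature whose primary-key fingerprint is one listed in the project's KEYS file. The script below is an added example, not code from the thread or from the Apache Curator project. It parses gpg's machine-readable status lines (the `--status-fd` output documented in gpg's doc/DETAILS) and a KEYS-style fragment; every sample line is constructed for the example, with only the two fingerprints taken from the thread, and the dates, signature ids, key material and email addresses are placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# --- Constructed samples (not real gpg output from the thread) -------------
# A fragment in the layout of an Apache KEYS file. The two fingerprints are
# the ones quoted in the thread; dates, uids and key material are placeholders.
SAMPLE_KEYS = """\
pub   rsa4096 2000-01-01 [SC]
      BBE7 232D 7991 050B 54C8  EA0A DC08 637C A615 D22C
uid           Enrico Olivelli <[email protected]>
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBFplaceholderNOTAREALKEYplaceholderNOTAREALKEYplaceholder
-----END PGP PUBLIC KEY BLOCK-----
pub   rsa4096 2000-01-01 [SC]
      Key fingerprint = 8B37 4472 FAD3 28E1 7F47 9863 B379 691F C6E2 98DD
uid           Zili Chen (CODE SIGNING KEY) <[email protected]>
"""

# What `gpg --status-fd 1 --verify file.asc file` emits for the situation in
# the thread: good signature, but no trust path, so gpg prints its warning
# (TRUST_UNDEFINED). Field layout follows doc/DETAILS; sig id/timestamps made up.
SAMPLE_STATUS_GOOD_UNTRUSTED = """\
[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED BBE7232D7991050B54C8EA0ADC08637CA615D22C 0
[GNUPG:] SIG_ID constructedSigId 2022-03-14 1647245231
[GNUPG:] GOODSIG DC08637CA615D22C Enrico Olivelli <[email protected]>
[GNUPG:] VALIDSIG BBE7232D7991050B54C8EA0ADC08637CA615D22C 2022-03-14 1647245231 0 4 0 1 10 00 BBE7232D7991050B54C8EA0ADC08637CA615D22C
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# A signature that does not verify at all (modified archive, wrong file).
SAMPLE_STATUS_BAD = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG DC08637CA615D22C Enrico Olivelli <[email protected]>
"""

# A good signature from a key that is NOT in KEYS (placeholder fingerprint):
# must be rejected even though gpg itself reports "Good signature".
SAMPLE_STATUS_WRONG_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0000000000000000 Someone Else <[email protected]>
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2022-03-14 1647245231 0 4 0 1 10 00 0000000000000000000000000000000000000000
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

FPR40 = re.compile(r"[0-9A-Fa-f]{40}")


def keys_fingerprints(keys_text: str) -> Set[str]:
    """Collect the primary-key fingerprints listed in a KEYS file.

    Handles both layouts gpg has used (a bare fingerprint line and the older
    "Key fingerprint = ..." form) and skips armored blocks so that a base64
    line can never be mistaken for a fingerprint.
    """
    fprs: Set[str] = set()
    in_armor = False
    for line in keys_text.splitlines():
        if line.startswith("-----BEGIN PGP"):
            in_armor = True
            continue
        if line.startswith("-----END PGP"):
            in_armor = False
            continue
        if in_armor:
            continue
        candidate = line.split("=", 1)[1] if "=" in line else line
        compact = candidate.replace(" ", "").strip()
        if FPR40.fullmatch(compact):
            fprs.add(compact.upper())
    return fprs


@dataclass
class Verdict:
    ok: bool
    reason: str
    primary_fpr: Optional[str]
    trust: Optional[str]


def parse_status(status_text: str) -> List[List[str]]:
    """Split gpg status lines into [keyword, field, field, ...] records."""
    prefix = "[GNUPG:] "
    return [line[len(prefix):].split()
            for line in status_text.splitlines() if line.startswith(prefix)]


def evaluate(status_text: str, pinned_fprs: Set[str]) -> Verdict:
    """Accept only a GOODSIG/VALIDSIG (no BADSIG) whose *primary* key
    fingerprint is one of the fingerprints pinned from KEYS. The TRUST_*
    level is reported but not required: it only says whether the verifier's
    own web of trust reaches the key, which is what the thread's warning is."""
    good = bad = False
    primary: Optional[str] = None
    trust: Optional[str] = None
    for rec in parse_status(status_text):
        kw = rec[0]
        if kw == "BADSIG":
            bad = True
        elif kw == "GOODSIG":
            good = True
        elif kw == "VALIDSIG":
            # Field 1 is the signing (sub)key fingerprint; field 10, when
            # present, is the primary key fingerprint, which is what KEYS lists.
            primary = (rec[10] if len(rec) >= 11 else rec[1]).upper()
        elif kw.startswith("TRUST_"):
            trust = kw
    if bad or not good or primary is None:
        return Verdict(False, "signature did not verify", primary, trust)
    if primary not in pinned_fprs:
        return Verdict(False, "signer is not in KEYS", primary, trust)
    note = "" if trust in ("TRUST_FULLY", "TRUST_ULTIMATE") else " (no WoT path; gpg still warns)"
    return Verdict(True, "good signature from a KEYS fingerprint" + note, primary, trust)


if __name__ == "__main__":
    pinned = keys_fingerprints(SAMPLE_KEYS)
    for name, status in [("good, untrusted", SAMPLE_STATUS_GOOD_UNTRUSTED),
                         ("bad signature", SAMPLE_STATUS_BAD),
                         ("wrong key", SAMPLE_STATUS_WRONG_KEY)]:
        v = evaluate(status, pinned)
        print(f"{name:16} ok={v.ok} trust={v.trust} reason={v.reason}")
```

Pinning to KEYS is what makes the check automatable for a release vote: the warning in the thread disappears only after the verifier's own keyring has a trust path to the signer (for instance after the key signing tison asks Jordan for), but a verifier without such a path can still reject a tampered archive (BADSIG) or a "good" signature from a key the project never published.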
