Seems like our emails have crossed. At this point you need to
assemble a few trusted keys (yours, Nitin's, Mark's and perhaps
a few other folks' as the minimum set) into a single key file and
make it available in the SVN tree that manages ASF releases.

I suggest opening a GEODE JIRA asking folks to share their keys
specially designed to sign releases as comments in that JIRA.
Note that it is best to have an identity bound to our key clearly
designated as a release management key. E.g.:
    https://dist.apache.org/repos/dist/release/bigtop/KEYS

pub   1024D/9475BD5D 2010-10-08
uid                  Roman V Shaposhnik (CODE SIGNING KEY) <[email protected]>
sig 3        9475BD5D 2011-11-01  Roman V Shaposhnik (CODE SIGNING KEY) <[email protected]>

Thanks,
Roman.

P.S. I'm kind of a crypto geek in my prior life so please let me know
if more background on how to manage release signing keys would
be useful to you.

On Mon, Jan 11, 2016 at 7:44 PM, Anthony Baker <[email protected]> wrote:
> Here’s my key but I’m not sure if it is sufficiently trusted yet:
>
> http://pgp.surfnet.nl/pks/lookup?op=vindex&search=abaker%40apache.org&fingerprint=on
>
> Anthony
>
>
> On Jan 11, 2016, at 6:54 PM, Nitin Lamba <[email protected]> wrote:
>
> Great!
>
> If we're good with the latest versions of NOTICE and LICENSE files, we're
> about done with the src artifacts ready for review by ASF elders.
>
> The next step is code-signing and needs a few committers to have their PGP
> signatures uploaded on a public key server [1]. More details on release
> signing here [2], [3]. Is anyone from Geode PMC already in the 'web of
> trust'? I do see Roman on the list.
>
> - Nitin
>
> [1] https://people.apache.org/committers.html
> [2] http://www.apache.org/dev/release-signing.html#link-into-wot
> [3] http://www.apache.org/dev/openpgp.html#wot
>
>
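
The check Roman describes (every key in the combined KEYS file should carry an identity clearly designated for release signing), as an added example that is not part of the original thread or of any ASF tooling. It assumes the legacy gpg listing format shown in the message and treats the uid comment "CODE SIGNING KEY" from that listing as the designation marker; the function names and the sample keys are constructed for illustration.

```python
import re

# Legacy gpg listing lines as kept in a KEYS file, e.g. "pub   1024D/9475BD5D 2010-10-08"
PUB_RE = re.compile(r"^pub\s+(\d+)([A-Za-z])/([0-9A-Fa-f]{8,16})\s+(\d{4}-\d{2}-\d{2})")
UID_RE = re.compile(r"^uid\s+(?:\[[^\]]*\]\s*)?(.+)$")
COMMENT_RE = re.compile(r"\(([^)]*)\)")


def parse_keys_listing(text):
    """Return one dict per 'pub' block: key id, size, algorithm, date and uids."""
    keys, in_armor = [], False
    for line in text.splitlines():
        if line.startswith("-----BEGIN PGP"):
            in_armor = True
        elif line.startswith("-----END PGP"):
            in_armor = False
        elif in_armor:
            continue  # skip the armored key material between the markers
        elif (m := PUB_RE.match(line)):
            keys.append({"id": m.group(3).upper(), "bits": int(m.group(1)),
                         "algo": m.group(2), "created": m.group(4), "uids": []})
        elif (m := UID_RE.match(line)) and keys:
            keys[-1]["uids"].append(m.group(1).strip())
    return keys


def undesignated_keys(keys, marker="CODE SIGNING KEY"):
    """Key ids with no uid whose parenthesised comment contains the marker."""
    def designated(uid):
        return any(marker in c.upper() for c in COMMENT_RE.findall(uid))
    return [k["id"] for k in keys if not any(designated(u) for u in k["uids"])]


# Constructed sample listing, not real keys.
SAMPLE = """\
pub   4096R/0A1B2C3D 2016-01-11
uid                  Alice Example (CODE SIGNING KEY) <alice@example.org>
sig 3        0A1B2C3D 2016-01-11  Alice Example (CODE SIGNING KEY) <alice@example.org>
-----BEGIN PGP PUBLIC KEY BLOCK-----
bm90IGEgcmVhbCBrZXk=
-----END PGP PUBLIC KEY BLOCK-----
pub   4096R/4D5E6F70 2016-01-12
uid                  Bob Example <bob@example.org>
uid                  Bob Example (laptop) <bob@example.org>
"""

if __name__ == "__main__":
    for key_id in undesignated_keys(parse_keys_listing(SAMPLE)):
        print(f"{key_id}: no uid designated as a release signing key")
```

A key passes if at least one of its uids carries the marker, so a committer can keep a personal identity on the same key alongside the release-signing one.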
