Hi Felix, Ok by me if you want to be release manager on 5.1 Thanks for your clarifications. Maybe amending the documentation of our release process would help .
For example to amend KEYS: (gpg --list-sigs "First-Name Last-Name" && gpg --armor --export "First-Name Last-Name") >> KEYS See my notes inline. Thanks On Thu, Feb 7, 2019 at 7:58 AM Felix Schumacher < felix.schumac...@internetallee.de> wrote: > > > Am 6. Februar 2019 22:39:24 MEZ schrieb Philippe Mouawad < > p.moua...@ubik-ingenierie.com>: > >Hello, > > > >We now have : > > > > - 30 enhancements > > - 51 bugfixes > > > >I think the nightly is ready to be released. > > > >What's your opinion ? > > Yes. We should do a release. > > >Is there a volunteer for release management ? > > I would be willing to do so, but I would need a pgp key like you do :) > > >If not I'll try to , but I see there are some steps where I'll need > >help > >from usual release manager: > >I don't understand this: > > > > - > > > > If necessary, update the META file with your GPG key id (if you act as > > the release manager for the first time. Please visit > >https://checker.apache.org/doc/README.html ) => HOW DO I GET The key > >id > > ? > > You generate a pgp/gpg key pair. The key from that pair has an ID that is > assigned automatically upon generation. > If you mean personal one for my apache id, I did that. > > The public part of the pair will have to be signed by some known keys, so > that it can be verified by others that have no direct contact to you (but > trust the known keys). > I don't remember how I did this but it seems it is also done > > > - > > - The META file needs to be signed by the PMC Chair of project with > > this command: > > > >gpg -u emailofpmcchairjme...@apache.org --armor --output META.asc > >--detach-sig META > > This is done to have a known place where our key ids can be found. Those > key ids are signed by the chair, so others can verify that the project > trusts those values. > So the documentation is wrong ? It should be : The META file needs to be signed by the release manager with this command: gpg -u emailofreleasemanagermemberofpmcchairjme...@apache.org <emailofpmcchairjme...@apache.org> --armor --output META.asc --detach-sig META Or I misunderstand ? > > > >=> Can I sign it or must it be milamber ? > > The meta file seems to be signed by milamber (but only when the id's are > added) > So If I add my ID to KEYS, can I (you) sign it, or must it be Milamber ? > > > > > > > - To verify the good signature, use this command: > > > >$ gpg --verify META.asc METAgpg: Signature made mar. 12 sept. 2017 > >18:05:19 WESTgpg: using RSA key > >C4923F9ABFB2F1A06F08E88BAC214CAA0612B399gpg: issuer > >"milam...@apache.org"gpg: Good signature from "Milamber (ASF) > ><milam...@apache.org>" [ultimate]gpg: aka "Milamber > >(Milamberspace) <milambersp...@gmail.com>" [ultimate] > > > >=> When I do it > >gpg --verify META.asc META > >gpg: Signature made Tue 12 Sep 2017 05:05:19 PM UTC using RSA key ID > >0612B399 > >gpg: Can't check signature: No public key > > I haven't tried that one, will have to do it when I am home again. > > > > > > >Sorry for stupid questions. > > PGP is hard to understand and to get correctly handled. > I agree :-) > > Regards, > Felix > > > > > > >Regards > >Philippe > > > > > > > > > > > > > > > > > ><https://www.openstreetmap.org/#map=18/50.69454/3.16455> > -- Cordialement. Philippe Mouawad.