On 10/07/2023 19:58, Vladimir Sitnikov wrote:
Hi,

I suggest using GitHub Actions to prepare and sign release artifacts.
The ASF Security, Infra, and Legal teams have validated the process, so we should be good.
See https://infra.apache.org/release-signing.html#automated-release-signing, https://github.com/apache/www-site/pull/235

Note: GitHub only creates and signs release files; it will not push the files to the ASF servers.

Here's an outline of the suggested flow:

1) GitHub UI will have a button for "creating a release candidate"
   https://github.blog/changelog/2020-07-06-github-actions-manual-triggers-with-workflow_dispatch/
2) GitHub creates the release candidate artifacts (source package, binaries, maven repository artifacts), and it signs them. The signing uses an Infra-provided machine PGP signing key.
3) Release manager would take the files from GitHub, and publish them to the ASF servers (SVN, Nexus).
4) Then we conduct the vote
5) As the vote passes, the release manager publishes the release

The major difference is that the artifacts will be signed with a machine key rather than a private key of the release manager.
In the long run, it will pave the way to using https://www.sigstore.dev/ for signing releases.

WDYT?

+1 [ ] I support the idea
+1 seems good
-1 [ ] Do not implement it because...

Vladimir
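The flow outlined in the proposal, as an added example workflow that is not part of the thread and not the Apache project's own code. It assumes a `./build.sh` entry point that writes artifacts to `dist/`, and two repository secrets (`RELEASE_PGP_PRIVATE_KEY`, holding the ASCII-armored machine key, and `RELEASE_PGP_PASSPHRASE`); those names are placeholders. The workflow only builds, signs, verifies and uploads a run artifact; it never touches SVN or Nexus.

```yaml
# Added example (not from the thread or the Apache project): a GitHub Actions
# workflow implementing the proposed flow. Secret names, the build command and
# the artifact paths are assumptions for illustration.
name: Build and sign release candidate

on:
  workflow_dispatch:          # step 1: manual "Run workflow" button in the GitHub UI
    inputs:
      rc_tag:
        description: "Release candidate tag to build (e.g. v1.2.3-rc1)"
        required: true

permissions:
  contents: read              # read-only token: the workflow publishes nothing

jobs:
  build-and-sign:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ inputs.rc_tag }}

      # Step 2a: produce the artifacts. The build command is an assumption.
      - name: Build release artifacts
        run: |
          ./build.sh --output dist/   # hypothetical build entry point
          ls -l dist/

      # Step 2b: sign with the Infra-provided machine key. The key and its
      # passphrase are assumed to live in repository secrets.
      - name: Import machine signing key
        env:
          PGP_PRIVATE_KEY: ${{ secrets.RELEASE_PGP_PRIVATE_KEY }}
        run: |
          printf '%s\n' "$PGP_PRIVATE_KEY" | gpg --batch --import

      - name: Sign artifacts and write checksums
        env:
          PGP_PASSPHRASE: ${{ secrets.RELEASE_PGP_PASSPHRASE }}
        run: |
          set -euo pipefail
          cd dist
          for f in *.tar.gz *.zip *.jar; do
            [ -e "$f" ] || continue
            gpg --batch --yes --pinentry-mode loopback --passphrase "$PGP_PASSPHRASE" \
                --armor --detach-sign --output "$f.asc" "$f"
            sha512sum "$f" > "$f.sha512"
          done

      # Fail the run if any signature or checksum does not verify, so a wrong
      # or expired key is caught before the release manager downloads anything.
      - name: Verify signatures and checksums
        run: |
          set -euo pipefail
          cd dist
          for sig in *.asc; do
            gpg --batch --verify "$sig" "${sig%.asc}"
            sha512sum -c "${sig%.asc}.sha512"
          done

      # Step 3: the release manager downloads this bundle from the run page and
      # uploads it to SVN/Nexus by hand; nothing here pushes to ASF servers.
      - uses: actions/upload-artifact@v4
        with:
          name: release-candidate-${{ inputs.rc_tag }}
          path: dist/
          if-no-files-found: error
```

The passphrase reaches `gpg` only through an environment variable and `--pinentry-mode loopback`, which is what makes unattended signing work on a runner without an agent prompt. For voters to check the `.asc` files, the public half of the machine key has to be published alongside the project's other release keys; this workflow does not do that.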