Chris or Devaraj,

So I think I've done mostly everything required to prep for signing a release, with one known exception. It looks like I'm also supposed to upload my exported armored public key to either the git repository or the site. Can you clarify the correct location?

So other than this can one of you verify that I've followed the steps correctly? I have a knox-0.2.0-SNAPSHOT-src.zip.asc that I can attach to an email if that is appropriate. It seems like only the source distribution is signed. Is that correct?

Kevin.

On 3/23/13 1:08 AM, Mattmann, Chris A (388J) wrote:
Hi Kevin,

On 3/21/13 2:42 PM, "Kevin Minder" <[email protected]> wrote:

Hi Everyone,
I just pushed changes that I hope are a step toward releasability.
Basically you can now use "ant release sign" to create signed release
artifacts.
It creates these files in target/0.2.0-SNAPSHOT or whatever the current
version is.
I'm still not sure about how the KEYS should be handled and that
probably needs to change.
KEYS
knox-0.2.0-SNAPSHOT-src.zip
knox-0.2.0-SNAPSHOT-src.zip.asc
knox-0.2.0-SNAPSHOT-src.zip.md5
knox-0.2.0-SNAPSHOT-src.zip.sha
knox-0.2.0-SNAPSHOT.zip
knox-0.2.0-SNAPSHOT.zip.asc
knox-0.2.0-SNAPSHOT.zip.md5
knox-0.2.0-SNAPSHOT.zip.sha
For KEYS, see:

http://www.apache.org/dev/release-signing.html

http://httpd.apache.org/dev/verification.html


For "ant sign" to work you will need GNU Privacy Guard
(http://www.gnupg.org/) installed on your system and have generated RSA
4096 bit keys.
The build.xml might need to be tweaked to run on systems other than a mac.
You can run "ant release" without signing.

Mentors,
What is the right way to go about testing this?
In addition I assume that we won't be using an untrusted key so who will
actually create the release and stage? Devaraj?
You should add your key to id.apache.org.

Then your ASC file (if it's not in the web of trust as RM), will work
but just claim that it's a good key, but an untrusted one. That's fine.


I'll have to find a key signing party before I can do it.
No you won't you're fine :)

It will also create an email like below in target/vote.txt
From: [email protected]
To: [email protected]
Subject: [VOTE] Release Apache Knox (Incubator) 0.2.0-SNAPSHOT

A candidate for the Apache Knox (Incubator) 0.2.0-SNAPSHOT release is
available at:

http://people.apache.org/~kminder/knox/0.2.0-SNAPSHOT/

The release candidate is a zip archive of the sources in:

http://svn.apache.org/repos/asf/knox/tags/0.2.0-SNAPSHOT/

The SHA1 checksum of the archive is
db8c567ce61df98e1ce7ecb17551e31d26ce6d94.

Please vote on releasing this package as Apache Knox (Incubator)
${gateay-version}.
The vote is open for the next 72 hours and passes if a majority of at
least three +1 ${project-name} PMC votes are cast.

[ ] +1 Release this package as Apache Knox (Incubator) 0.2.0-SNAPSHOT
[ ] -1 Do not release this package because...
Lastly it outputs a reminder about how to stage the release.
      [echo] The release candidate has been prepared in:
      [echo]
      [echo]     target/0.2.0-SNAPSHOT
      [echo]
      [echo] Please stage it to people.apache.org like this:
      [echo]
      [echo]     scp -r target/0.2.0-SNAPSHOT people.apache.org:public_html/knox/
      [echo]
      [echo] A release vote template has been generated here:
      [echo]
      [echo]     file://target/vote.txt
Awesome!

Cheers,
Chris




Kevin.
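
Added example, not part of the thread or of the Knox build: a Python check that a release manager or voter could run over a staged directory like the target/0.2.0-SNAPSHOT listing above, confirming that every zip has matching .md5 and .sha sidecars and a detached .asc. It assumes that .sha holds a SHA-1 digest and that each sidecar's first token is the hex digest; the function names are hypothetical.

```python
import hashlib
import subprocess
from pathlib import Path

# Sidecar suffix -> hashlib algorithm. ".sha" is treated as SHA-1 because the
# vote template in the thread quotes a SHA1 checksum (assumption).
SIDECARS = {".md5": "md5", ".sha": "sha1"}


def file_digest(path, algo):
    """Hex digest of a file, read in chunks so large archives are fine."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def check_release_dir(directory, gpg=None):
    """Return {artifact name: [problems]} for every *.zip in directory.

    gpg: path to a gpg binary; when given, each detached .asc is verified
    with `gpg --verify`, which needs the signer's public key (from KEYS)
    already imported into the local keyring.
    """
    report = {}
    for artifact in sorted(Path(directory).glob("*.zip")):
        problems = []
        for suffix, algo in SIDECARS.items():
            sidecar = Path(str(artifact) + suffix)
            if not sidecar.is_file():
                problems.append(f"missing {suffix}")
                continue
            # Assumption: the digest is the first whitespace-separated token.
            tokens = sidecar.read_text().split()
            recorded = tokens[0].lower() if tokens else ""
            if recorded != file_digest(artifact, algo):
                problems.append(f"{suffix} mismatch")
        sig = Path(str(artifact) + ".asc")
        if not sig.is_file():
            problems.append("missing .asc")
        elif gpg is not None:
            # Exit status 0 means the signature is good, including the
            # "good signature, untrusted key" case described in the thread.
            rc = subprocess.run([gpg, "--verify", str(sig), str(artifact)],
                                capture_output=True).returncode
            if rc != 0:
                problems.append(".asc verification failed")
        report[artifact.name] = problems
    return report
```

An empty problem list for an artifact means its checksums match and a signature file is present; pass `gpg="gpg"` to also verify the signatures against the local keyring.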
