Hi Ralph

I think I miscommunicated: I'm not regenerating my signing key - just the
nuget API key for package upload. This forces me to log in to nuget.org
which has 2fa and then I only use that key on the cli for the immediate
upload.

My gpg key as at https://GitHub.com/fluffynuts.gpg is the same that I used
last time.

-d
On September 20, 2020 09:01:36 Ralph Goers <ralph.go...@dslextreme.com> wrote:
> In the long run you don’t want to be regenerating your signing key for
> every release. The point is that you would upload the key to a central
> keystore and other people would sign it there. At ApacheCon we would have a
> key signing “party” where we recorded each other's keys and then would take
> our list and update the central keystore. When people verify the key they
> can look at the keystore and see that it is signed by a number of people,
> who then have their keys by a number of people and so on so you are
> building a web of trust. Sooner or later there will be someone in that web
> that you personally know and trust.
>
> Ralph
>
>> On Sep 19, 2020, at 11:26 PM, Davyd McColl <dav...@gmail.com> wrote:
>>
>> Thanks Matt, I've updated the artifacts on GitHub to have detached
>> signatures. I had previously also uploaded my key to sks-keyservers.net,
>> but I've also uploaded to MIT, though search there always times out.
>>
>> The document you've linked mentions face-to-face interactions to get my key
>> into the official KEYS file. Not sure how many apache people are at my end
>> of the world (Durban, South Africa), but I can do an online meeting if that
>> helps. Last release, Ralph said I should sign, so I did. I'm new to signing
>> release artifacts - I've generally relied on authentication during upload
>> as verification of authenticity, with 2FA wherever possible (GitHub and
>> NPM; nuget survives with an apikey - but for the last 2 releases, I've
>> regenerated the key on each use and only supplied it on the cli at upload,
>> so as not to store it locally)
>>
>> -d
>>
>>
>> On September 19, 2020 22:23:41 Matt Sicker <boa...@gmail.com> wrote:
>>
>>> Oh and there's a bit of an issue with the signed files: it looks like
>>> you included _signed files_ rather than detached signatures. Thus, the
>>> .asc files are only verifying themselves rather than the accompanying
>>> file.
>>>
>>> There's a --detached option in gpg for this (yeah, it's always had a
>>> bad UI).
>>>
>>> On Sat, 19 Sep 2020 at 15:19, Matt Sicker <boa...@gmail.com> wrote:
>>>>
>>>> The KEYS file [1] that's linked on the download page does not have
>>>> your key in it. Neither does the other KEYS file [2]. Check out [3] for
>>>> more info.
>>>>
>>>> [1]: https://downloads.apache.org/logging/log4net/KEYS
>>>> [2]: https://downloads.apache.org/logging/KEYS
>>>> [3]: https://infra.apache.org/release-signing.html#keys-policy
>>>>
>>>>
>>>>
>>>> On Sat, 19 Sep 2020 at 12:48, Davyd McColl <dav...@gmail.com> wrote:
>>>> >
>>>> > Thanks Matt, I've done so. Hopefully that makes it easier to verify
>>>> > artifacts that I have signed.
>>>> >
>>>> > -d
>>>> >
>>>> >
>>>> > On September 18, 2020 23:11:48 Matt Sicker <boa...@gmail.com> wrote:
>>>> >
>>>> > > If you upload your key to your GitHub profile, that also makes it
>>>> > > simple to find. For example, just add ".gpg" to your profile URL:
>>>> > > https://github.com/fluffynuts.gpg
>>>> > >
>>>> > > On Fri, 18 Sep 2020 at 16:08, Remko Popma <remko.po...@gmail.com> wrote:
>>>> > >>
>>>> > >> +1 remko
>>>> > >>
>>>> > >> On Sat, Sep 19, 2020 at 5:56 AM Matt Sicker <boa...@gmail.com> wrote:
>>>> > >>
>>>> > >> > How about your gpg key? I don't think we've imported that to the KEYS
>>>> > >> > file as far as I can tell?
>>>> > >> >
>>>> > >> > On Fri, 18 Sep 2020 at 15:53, Matt Sicker <boa...@gmail.com> wrote:
>>>> > >> > >
>>>> > >> > > Oh sorry, I didn't notice that you uploaded them there (wasn't even
>>>> > >> > > aware that it was possible to be honest).
>>>> > >> > >
>>>> > >> > > On Fri, 18 Sep 2020 at 14:43, Davyd McColl <dav...@gmail.com> wrote:
>>>> > >> > > >
>>>> > >> > > > Hi Matt
>>>> > >> > > >
>>>> > >> > > > Release artifacts are available on the GitHub release page
>>>> > >> > > > (https://GitHub.com/Apache/logging-log4net/releases) - expand the assets
>>>> > >> > > > list if it's collapsed.
>>>> > >> > > >
>>>> > >> > > > I'll need someone to upload them to the downloads source as I think I don't
>>>> > >> > > > have access to do so (if I'm wrong, I'd love to be corrected, because I'd
>>>> > >> > > > be less of an annoyance then!). Ralph has stepped in to help here in
>>>> > >> > > > the past.
>>>> > >> > > >
>>>> > >> > > > -d
>>>> > >> > > >
>>>> > >> > > >
>>>> > >> > > > On September 18, 2020 20:09:07 Matt Sicker <boa...@gmail.com> wrote:
>>>> > >> > > >
>>>> > >> > > > > Do you have links to the release artifacts? The download page links to
>>>> > >> > > > > the live site which doesn't have the artifacts yet since they're not
>>>> > >> > > > > released yet. :)
>>>> > >> > > > >
>>>> > >> > > > > On Fri, 18 Sep 2020 at 09:05, Davyd McColl <davyd.mcc...@codeo.co.za> wrote:
>>>> > >> > > > >>
>>>> > >> > > > >> Hi all
>>>> > >> > > > >>
>>>> > >> > > > >> I have another potential release available: 2.0.11, tagged as rc/2.0.11
>>>> > >> > > > >>
>>>> > >> > > > >> Changes are really minor:
>>>> > >> > > > >> - fixed assembly versioning (all assemblies should report 2.0.11.0 as their
>>>> > >> > > > >> version now)
>>>> > >> > > > >> - properly dispose of StreamWriters within logging appenders (thanks to
>>>> > >> > > > >> @NicholasNoise)
>>>> > >> > > > >>
>>>> > >> > > > >> Binaries are up at
>>>> > >> > > > >> https://github.com/apache/logging-log4net/releases/tag/rc%2F2.0.11 and I've
>>>> > >> > > > >> pushed to asf-staging for logging, now up at
>>>> > >> > > > >> https://logging.staged.apache.org/log4net/download_log4net.html
>>>> > >> > > > >>
>>>> > >> > > > >> Thanks
>>>> > >> > > > >> -d
>>>> > >> > > > >
>>>> > >> > > > >
>>>> > >> > > > >
>>>> > >> > > > > --
>>>> > >> > > > > Matt Sicker <boa...@gmail.com>
>>>> > >> > >
>>>> > >> > >
>>>> > >> > >
>>>> > >> > > --
>>>> > >> > > Matt Sicker <boa...@gmail.com>
>>>> > >> >
>>>> > >> >
>>>> > >> >
>>>> > >> > --
>>>> > >> > Matt Sicker <boa...@gmail.com>
>>>> > >> >
>>>> > >
>>>> > >
>>>> > >
>>>> > > --
>>>> > > Matt Sicker <boa...@gmail.com>
>>>>
>>>>
>>>>
>>>> --
>>>> Matt Sicker <boa...@gmail.com>
>>>
>>>
>>>
>>> --
>>> Matt Sicker <boa...@gmail.com>
>
>
--
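
Added example, not part of the original thread or the log4net project: a check a release verifier can run on an .asc file to tell a detached signature from a signed file that carries its own copy of the data, which is the mix-up raised earlier in the thread. The function names and the sample inputs are constructed for illustration; the packet tags are those of RFC 4880.

```python
import base64

# OpenPGP packet tags (RFC 4880, section 4.3)
TAG_SIGNATURE, TAG_ONE_PASS_SIG, TAG_COMPRESSED, TAG_LITERAL = 2, 4, 8, 11

def first_packet_tag(armored: str) -> int:
    """Decode an ASCII-armored block and return the tag of its first packet."""
    b64, in_block = [], False
    for line in (l.strip() for l in armored.splitlines()):
        if line.startswith("-----BEGIN PGP "):
            in_block = True
        elif in_block:
            if line.startswith("-----END PGP ") or line.startswith("="):
                break  # end of armor, or the CRC24 checksum line
            if line and ":" not in line:  # skip blank lines and armor headers
                b64.append(line)
    raw = base64.b64decode("".join(b64))
    if not raw or not raw[0] & 0x80:
        raise ValueError("no OpenPGP packet found")
    # Bit 6 set: new-format header, tag in low 6 bits; else old format, bits 5-2.
    return raw[0] & 0x3F if raw[0] & 0x40 else (raw[0] >> 2) & 0x0F

def classify_asc(text: str) -> str:
    """'detached', 'embedded' or 'clearsigned' for the contents of an .asc file."""
    if "-----BEGIN PGP SIGNED MESSAGE-----" in text:
        return "clearsigned"  # signed text travels inside the .asc
    tag = first_packet_tag(text)
    if tag == TAG_SIGNATURE:
        return "detached"     # bare signature packet: covers a separate file
    if tag in (TAG_ONE_PASS_SIG, TAG_COMPRESSED, TAG_LITERAL):
        return "embedded"     # signed message carrying its own copy of the data
    return "unknown"

def armor(label: str, packet: bytes) -> str:
    """Wrap constructed packet bytes in ASCII armor (sample input only, no CRC)."""
    body = base64.b64encode(packet).decode()
    return (f"-----BEGIN PGP {label}-----\nComment: constructed sample\n\n"
            f"{body}\n-----END PGP {label}-----\n")

# Constructed, truncated packet stubs: only the header byte matters here.
DETACHED = armor("SIGNATURE", bytes([0x88, 0x02, 0x04, 0x00]))  # old format, tag 2
INLINE = armor("MESSAGE", bytes([0xA3, 0x01]))                  # old format, tag 8
CLEARSIGNED = ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"
               "release notes\n" + DETACHED)

if __name__ == "__main__":
    for name, text in [("detached", DETACHED), ("inline", INLINE),
                       ("clearsigned", CLEARSIGNED)]:
        print(name, "->", classify_asc(text))
```

In gpg the detached form is produced with `--detach-sign` (short form `-b`), and it is verified by passing both the signature and the artifact to `gpg --verify`.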