Hi all,

Excuse my confusion regarding this.

So what we need is to sign the NBMs using our PGP keys, right?

I mean, use our PGP keys for release builds and use some other PGP keys for development builds.


On 10/11/19 at 14:16, Jaroslav Tulach wrote:
Can’t we change/enhance the way we do signing?

1. If there is an .asc file next to the .nbm one, then use it to verify the 
NBM. Search https://www.apache.org/dist/netbeans/KEYS to get list of approved 
keys. Display trusted, if .asc file is OK.

2. If the NBM comes from Maven central, but isn’t listed among trusted keys, 
then verify the .asc file and display “signed by 3rd party”

With such a check in, we don’t need to change existing processes. All Apache 
released NetBeans bits will be signed by default.

We have just one “technical” problem: we need somebody(!) to write the code.

PS: This doesn’t solve the current 11.2 problem.

8. 11. 2019 at 11:53, Neil C Smith <neilcsm...@apache.org>:

On Fri, 8 Nov 2019, 10:35 Geertjan Wielenga, <geert...@apache.org> wrote:

How is the signing done for Apache NetBeans during releases and why can't
that be used for the patch too?

Different kinds of signing. The releases and the updates will be signed as
ASF requires with an external .asc file. But the nbms in the release aren't
currently jar signed (i.e. internal signature) so will show as unsigned with
a warning in the IDE. You can see this if you uninstall and reinstall
modules in the IDE. This is what we need to sort out.

And yes, you're not the only one to have been confused by this distinction!

Best wishes,
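
The distinction discussed in this thread (internal jar signature versus external .asc file), as an added example that is not part of the original messages or of NetBeans code: since an NBM is a zip archive, a jar signature shows up as a `.SF` file plus a matching signature block in `META-INF/`. The entry names and the `make_nbm` helper are constructed for the demo, and the check only detects presence; it does not verify either signature.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Signature block extensions that jarsigner writes next to the .SF file.
BLOCK_EXTS = {".RSA", ".DSA", ".EC"}


def has_jar_signature(nbm_bytes: bytes) -> bool:
    """True if META-INF/ holds a .SF file with a matching signature block.

    Presence check only: it does not validate digests or the certificate.
    """
    sf_names, block_names = set(), set()
    with zipfile.ZipFile(io.BytesIO(nbm_bytes)) as zf:
        for name in zf.namelist():
            path = PurePosixPath(name)
            # Signature files live directly in META-INF/, not in subfolders.
            if len(path.parts) != 2 or path.parts[0].upper() != "META-INF":
                continue
            ext = path.suffix.upper()
            if ext == ".SF":
                sf_names.add(path.stem.upper())
            elif ext in BLOCK_EXTS:
                block_names.add(path.stem.upper())
    return bool(sf_names & block_names)


def signing_state(nbm_bytes: bytes, asc_present: bool) -> str:
    """Label which of the two signature kinds an NBM carries."""
    internal = has_jar_signature(nbm_bytes)
    if internal and asc_present:
        return "jar-signed and detached .asc"
    if internal:
        return "jar-signed only"
    if asc_present:
        return "detached .asc only"
    return "unsigned"


def make_nbm(entry_names) -> bytes:
    """Build a constructed, in-memory NBM-like zip for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entry_names:
            zf.writestr(name, b"constructed sample")
    return buf.getvalue()


if __name__ == "__main__":
    base = ["META-INF/MANIFEST.MF", "Info/info.xml", "netbeans/modules/demo.jar"]
    print(signing_state(make_nbm(base), asc_present=True))
    print(signing_state(make_nbm(base + ["META-INF/NB.SF", "META-INF/NB.RSA"]), False))
```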

