I tried once to publish a GPG key I generated on my MBP, but didn't seem to be able to get far with it. Are there any good ASF-centric resources for setting up a GPG key?
Thanks,
Mike

On Wed, Jun 12, 2019 at 2:20 AM Koji Kawamura <[email protected]> wrote:

> Thanks Bryan for the heads up.
>
> My GPG key had been expired. I've renewed my KEY by extending expiration.
> Now I confirmed that my commits are marked as 'verified' on GitHub.
>
> Koji
>
> On Wed, Jun 12, 2019 at 5:43 AM Andy LoPresto <[email protected]> wrote:
> >
> > Peter,
> >
> > If you have specific issues setting it up, I’m happy to help debug. I
> > haven’t done it recently but am willing to investigate with you.
> >
> > Andy LoPresto
> > [email protected]
> > [email protected]
> > PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69
> >
> > > On Jun 11, 2019, at 12:55 PM, Bryan Bende <[email protected]> wrote:
> > >
> > > I will admit I've never set up GPG signing on Linux. I'm sure there are
> > > some additional challenges there.
> > >
> > > Not sure if it is helpful, but there are a few things related to Linux
> > > that are mentioned on this GitHub page:
> > >
> > > https://help.github.com/en/articles/telling-git-about-your-signing-key
> > >
> > >
> > > On Tue, Jun 11, 2019 at 3:45 PM Kevin Doran <[email protected]> wrote:
> > >>
> > >> Yep, I support these suggestions.
> > >>
> > >> Setting up GPG does have a learning curve for folks that haven't done
> > >> it before, but I think our community would be helpful in assisting
> > >> folks on the mailing list and Apache NiFi Slack where they run into
> > >> trouble. It's a good practice to learn and once set up there's not much
> > >> more to do to get the benefits of it.
> > >>
> > >> Setting up GPG is also required when acting as release manager in
> > >> order to sign convenience binaries (and soon, as Andy brought up,
> > >> maven release artifacts as well - I think that is also a good idea),
> > >> so the effort required to get set up for GPG has lots of benefits for
> > >> folks that are interested in RM'ing as well.
> > >>
> > >> Kevin
> > >>
> > >> On Tue, Jun 11, 2019 at 3:30 PM Peter Wicks (pwicks) <[email protected]> wrote:
> > >>>
> > >>> I like having signed commits. I develop on both Windows and Linux,
> > >>> but have only had success getting signing working on Windows (which was a
> > >>> bit complicated as it was). You can see when I switched from mostly Windows
> > >>> to mostly Linux by when I stopped signing commits...
> > >>>
> > >>> Thanks,
> > >>> Peter
> > >>>
> > >>> -----Original Message-----
> > >>> From: Andy LoPresto <[email protected]>
> > >>> Sent: Tuesday, June 11, 2019 1:25 PM
> > >>> To: [email protected]
> > >>> Subject: [EXT] Re: GitHub Stuff
> > >>>
> > >>> I strongly support both of these suggestions. Thanks for starting
> > >>> the conversation Bryan. GPG signing is very important for security and for
> > >>> encouraging the rest of the community to adopt these practices as well.
> > >>>
> > >>>
> > >>> Andy LoPresto
> > >>> [email protected]
> > >>> [email protected]
> > >>> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69
> > >>>
> > >>>> On Jun 11, 2019, at 11:42 AM, Bryan Bende <[email protected]> wrote:
> > >>>>
> > >>>> I had two thoughts related to our GitHub usage that I wanted to throw
> > >>>> out there for PMC members and committers...
> > >>>>
> > >>>> 1) I think it would be helpful if everyone set up the link between
> > >>>> their Apache id and GitHub [1]. Setting up this link puts you into the
> > >>>> nifi-committers group in Apache (currently 17 of us are in there), and
> > >>>> I believe this is what controls the list of users that can be selected
> > >>>> as a reviewer on a pull request. Since PRs are the primary form of
> > >>>> contribution, it would be nice if all of the PMC/committers were in
> > >>>> the reviewer list, but of course you can continue to commit against
> > >>>> Gitbox without doing this.
> > >>>>
> > >>>> 2) I also think it would be nice if most of the commits in the repo
> > >>>> were signed commits that show up as "Verified" in GitHub [2]. Right
> > >>>> now I think we lose the verification if the user reviewing the commit
> > >>>> doesn't have signing set up, because when you amend the commit to add
> > >>>> "This closes ...", it technically produces a new commit hash, thus
> > >>>> making the original signature no longer apply (at least this is what I
> > >>>> think is happening, but others may know more).
> > >>>>
> > >>>> These are obviously just my opinions and no one has to do these
> > >>>> things, but just thought I would throw it out there for discussion in
> > >>>> case anyone wasn't aware.
> > >>>>
> > >>>> -Bryan
> > >>>>
> > >>>> [1] https://gitbox.apache.org/setup/
> > >>>> [2] https://help.github.com/en/articles/signing-commits
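Added example, not part of the thread: a Python model of the commit-object mechanics behind point 2 of the original message, showing why a commit amended by a reviewer without signing set up is no longer verifiable. The identities, key, messages and "#0000" are constructed placeholders, and an HMAC stands in for the OpenPGP signature that gpg would produce.

```python
import hashlib
import hmac

def git_object_id(kind: str, body: bytes) -> str:
    """Object id as git computes it (SHA-1 repos): sha1('<kind> <len>' NUL body)."""
    return hashlib.sha1(f"{kind} {len(body)}\0".encode() + body).hexdigest()

def commit_payload(tree: str, author: str, committer: str, message: str) -> bytes:
    """Commit object without a gpgsig header: the bytes a commit signature covers."""
    return f"tree {tree}\nauthor {author}\ncommitter {committer}\n\n{message}".encode()

def toy_sign(key: bytes, payload: bytes) -> str:
    # Stand-in for the detached OpenPGP signature; real gpgsig values are multi-line.
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def with_signature(payload: bytes, sig: str) -> bytes:
    """Insert the signature as a gpgsig header before the blank line ending the headers."""
    headers, sep, message = payload.partition(b"\n\n")
    return headers + b"\ngpgsig " + sig.encode() + sep + message

def verify(commit: bytes, key: bytes) -> bool:
    """Strip the gpgsig header and check the signature over what remains."""
    headers, sep, message = commit.partition(b"\n\n")
    kept, sig = [], None
    for line in headers.split(b"\n"):
        if line.startswith(b"gpgsig "):
            sig = line[len(b"gpgsig "):].decode()
        else:
            kept.append(line)
    if sig is None:
        return False  # unsigned commit: nothing that could be shown as "Verified"
    return hmac.compare_digest(sig, toy_sign(key, b"\n".join(kept) + sep + message))

# Constructed sample data (not taken from the thread or the NiFi repository).
EMPTY_TREE = git_object_id("tree", b"")
AUTHOR = "Contributor <contributor@example.org> 1560268800 +0000"
REVIEWER = "Reviewer <reviewer@example.org> 1560272400 +0000"
KEY = b"constructed-contributor-key"

original = commit_payload(EMPTY_TREE, AUTHOR, AUTHOR, "Example change\n")
signed = with_signature(original, toy_sign(KEY, original))
# Reviewer amends without -S: new message and committer, and no gpgsig header.
amended = commit_payload(EMPTY_TREE, AUTHOR, REVIEWER,
                         "Example change\n\nThis closes #0000\n")
# Hypothetical: carrying the old signature over to the amended commit.
transplanted = with_signature(amended, toy_sign(KEY, original))

if __name__ == "__main__":
    for name, c in [("signed", signed), ("amended", amended), ("transplanted", transplanted)]:
        print(name, git_object_id("commit", c)[:12], verify(c, KEY))
```

The amended commit only verifies again if whoever amends it signs the new object with their own key.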
