Hi,

On Fri, Feb 12, 2010 at 1:43 AM, Daniel Wilson <[email protected]> wrote:
> re: the .Net binaries, I have them built ... and strong named / signed in
> the .Net fashion. Mixing PGP signing w/ signing for inclusion in the GAC is
> not, as far as I can tell, supported. Application of the 2nd signature
> invalidates the first. For .Net assemblies strong naming is, in my opinion,
> more suitable than a PGP signature.

OK, thanks! The reason why a PGP signature is needed is so that the release
artifacts are bound to the Apache web of trust. The signature doesn't need to
be embedded in the DLLs; in fact a single PGP signature for the entire zip
archive you created should be good enough. See
http://www.apache.org/dev/release-signing.html for background.

I can also sign the package with my key, but I'll need some verification
beyond email for that.

> The binaries are at
> http://www.blacklocustsoftware.com/Downloads/PDFBox_100_RC_Net_Binaries.zip...
> and I can place them somewhere on Apache if you tell me where. Or
> more likely, you'll just want to grab them & incorporate them into the
> release.

I've got a copy now, but there's no way for me to tell whether the package
has been tampered with somewhere along the way. If you don't have a GPG
setup handy, you can upload a SHA1 hash of the package to people.apache.org
or commit it to somewhere in the svn. Both ways should be secure enough for
us.

BR,

Jukka Zitting
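
As an added example (not part of this thread or of the PDFBox project), here is how the receiving side would check an artifact like the zip above, in Python. `check_sha1` parses a published `.sha1` file (bare digest or `sha1sum` "HEX  filename" form) and compares it against the bytes actually received, which is the fallback Jukka suggests. `verify_detached_signature` wraps `gpg --verify` and reads its machine-readable status lines so the caller can tell "the signature is cryptographically valid for some key" apart from "that key is trusted through the web of trust", which is the point behind wanting verification beyond email. The zip contents and file names are constructed; gpg is assumed to be GnuPG 2.x on PATH. SHA1 is kept because it is what the thread uses; current Apache release policy asks for SHA-256 or SHA-512 checksums instead.

```python
"""Added example: integrity and signature checks for a release zip.

Not code from the thread or from PDFBox. Assumes GnuPG 2.x on PATH for the
signature check; the checksum check needs only the standard library.
"""
import hashlib
import hmac
import io
import shutil
import subprocess
import zipfile
from typing import Optional


def sha1_hex(data: bytes) -> str:
    """Hex SHA1 of the artifact bytes (SHA1 because the thread uses it;
    Apache policy has since moved to SHA-256/SHA-512)."""
    return hashlib.sha1(data).hexdigest()


def parse_sha1_file(text: str) -> str:
    """Accept a bare hex digest or the `sha1sum` form 'HEX  filename'.
    Returns the lowercase digest; rejects anything that is not 40 hex chars."""
    lines = text.strip().splitlines()
    if not lines:
        raise ValueError("empty .sha1 file")
    digest = lines[0].split()[0].lower()
    if len(digest) != 40 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("malformed .sha1 file: %r" % lines[0])
    return digest


def check_sha1(artifact: bytes, sha1_text: str) -> bool:
    """True only if the published digest matches the bytes we actually hold."""
    expected = parse_sha1_file(sha1_text)
    return hmac.compare_digest(expected, sha1_hex(artifact))


def verify_detached_signature(artifact_path: str, signature_path: str) -> Optional[dict]:
    """Run `gpg --verify` and parse its --status-fd output.

    Exit status 0 plus VALIDSIG only means the signature is good for *some*
    key in the local keyring. The TRUST_* line says whether that key is
    trusted via the web of trust, which is what binds the artifact to Apache.
    Returns None when gpg is not installed.
    """
    gpg = shutil.which("gpg")
    if gpg is None:
        return None
    cmd = [gpg, "--batch", "--status-fd", "1", "--verify",
           signature_path, artifact_path]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    status = {}
    for line in proc.stdout.splitlines():
        if line.startswith("[GNUPG:] "):
            parts = line.split()
            status[parts[1]] = parts[2:]
    trust = next((k for k in status if k.startswith("TRUST_")), None)
    return {
        "good_signature": proc.returncode == 0 and "VALIDSIG" in status,
        "key_fingerprint": status.get("VALIDSIG", [None])[0],
        "trust": trust,
        "trusted": trust in ("TRUST_FULLY", "TRUST_ULTIMATE"),
    }


def build_sample_zip() -> bytes:
    """Constructed stand-in for the release zip; the contents are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("README.txt", "constructed sample release contents\n")
        zf.writestr("lib/sample.dll", b"\x4d\x5a" + b"\x00" * 62)
    return buf.getvalue()


def tamper(data: bytes) -> bytes:
    """Flip one bit in the last byte: the kind of change the checksum must catch."""
    out = bytearray(data)
    out[-1] ^= 0x01
    return bytes(out)


def demo() -> dict:
    """Publish a .sha1 for the intact zip, then check intact and tampered copies."""
    artifact = build_sample_zip()
    published = sha1_hex(artifact) + "  PDFBox_100_RC_Net_Binaries.zip\n"
    return {
        "intact": check_sha1(artifact, published),
        "tampered": check_sha1(tamper(artifact), published),
    }


if __name__ == "__main__":
    print(demo())
```

In practice the release manager imports the project's KEYS file first (`gpg --import KEYS`), then `verify_detached_signature("PDFBox_100_RC_Net_Binaries.zip", "PDFBox_100_RC_Net_Binaries.zip.asc")`; a result with `good_signature` true but `trusted` false is exactly the situation the reply describes, where the signature is fine but the key is not yet tied to a trusted identity.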
