It does say so in the instructions, but I'll reiterate: be sure to use your apache.org email address for your key. People get spooked if they get a release that is signed by someone who is not obviously an Apache committer.

Generally the release manager will either build the release on their own machine or download a build to their machine. Then they will sign it on their machine (where their private key is present). Lastly they will upload it (which happens by means of a "svn commit"). At the same time they will make sure that their key is in KEYS, and if not they will edit KEYS and do another "svn commit".

Julian

> On Jan 31, 2017, at 3:35 PM, Marc Spehlmann <[email protected]> wrote:
>
> One of the steps that must take place before releasing a release tarball is to have the release managers digitally sign the tarball.
>
> Hakan, Jignesh, Harshad, I think you all are the release managers. Please follow this guide
>
> http://quickstep.apache.org/release-signing/
>
> to
> 1) create a key pair
> 2) upload the public key to a public keyserver
> 3) (bonus for now) add the public key to a KEYS file in the root of quickstep.
>
> When the release tarball is ready, we can sign it.
>
> To be fair, I'm not totally sure how this works because it seems to me that everyone has to sign the release with their private key, meaning that it must be uploaded to each PC where the private key is held, then signed? That seems cumbersome.
>
> Anyways, steps 1, 2 are straightforward and need to be done before we resolve that last problem.
>
> Cheers,
> Marc
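As an added example (not code from this thread or from the Quickstep project), here is a small Python check a downloader could apply after `gpg --verify`: it parses the human-readable headers of a KEYS file and gpg's machine-readable `--status-fd` output, then accepts the signature only if the signing key is listed in KEYS and carries an apache.org identity, the two properties Julian's mail asks release managers to ensure. The KEYS layout (gpg2 `--list-sigs` style), the status lines and all fingerprints are constructed samples.

```python
import re

# Constructed KEYS sample in gpg2 `--list-sigs` layout; armored key blocks are omitted
# because only the human-readable header lines are parsed here.
SAMPLE_KEYS = """\
pub   rsa4096 2017-01-31 [SC]
      0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567
uid           [ultimate] Example Release Manager <rm@apache.org>
uid           [ultimate] Example Release Manager <rm@example.com>
sub   rsa4096 2017-01-31 [E]
pub   rsa2048 2016-06-01 [SC]
      89AB CDEF 0123 4567 89AB  CDEF 0123 4567 89AB CDEF
uid           [ultimate] Some Person <someone@example.org>
sub   rsa2048 2016-06-01 [E]
"""

# Constructed `gpg --status-fd 1 --verify` output: VALIDSIG carries the signing subkey's
# fingerprint and, as its last field, the primary-key fingerprint that KEYS lists.
SAMPLE_STATUS = """\
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Release Manager <rm@apache.org>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2017-01-31 1485905700 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
"""

def parse_keys(text):
    """Map primary-key fingerprint -> list of uid e-mail addresses from a KEYS file."""
    entries, fpr = {}, None
    for line in text.splitlines():
        if line.startswith("pub "):
            fpr = None  # the next indented hex line is this key's fingerprint
        elif fpr is None and re.fullmatch(r"\s+[0-9A-Fa-f ]{40,}", line):
            fpr = line.replace(" ", "").upper()
            entries[fpr] = []
        elif line.startswith("uid") and fpr is not None:
            if (m := re.search(r"<([^>]+)>", line)):
                entries[fpr].append(m.group(1).lower())
    return entries

def signer_fingerprint(status_text):
    """Primary-key fingerprint from gpg's VALIDSIG status line, or None if no valid signature."""
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "[GNUPG:]" and parts[1] == "VALIDSIG":
            return (parts[11] if len(parts) >= 12 else parts[2]).upper()
    return None

def check_release_signer(status_text, keys_text, domain="apache.org"):
    """Accept only a valid signature whose key is in KEYS and carries an @domain identity."""
    fpr = signer_fingerprint(status_text)
    if fpr is None:
        return False, "no valid signature"
    uids = parse_keys(keys_text).get(fpr)
    if uids is None:
        return False, "signing key %s is not listed in KEYS" % fpr
    if not any(uid.endswith("@" + domain) for uid in uids):
        return False, "key %s has no @%s identity" % (fpr, domain)
    return True, "signed by %s (%s)" % (fpr, ", ".join(uids))
```

Run it as `gpg --status-fd 1 --verify release.tar.gz.asc release.tar.gz | python3 check.py` style glue, feeding the captured status text and the project's KEYS file into `check_release_signer`.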
