Hi William, Thanks for working on the RC.
> The fingerprint of PGP key release artifacts are signed with: > DCE2 C33D 41C6 2578 969D BAFE 37D6 ECF8 4E78 BC92 > > My public key to verify signatures can be found in: > https://dist.apache.org/repos/dist/dev/ratis/KEYS I have imported your key from KEYS: $ curl -LO https://dist.apache.org/repos/dist/dev/ratis/KEYS $ gpg --import KEYS ... gpg: key 37D6ECF84E78BC92: public key "William Song (For Apache Project Release) <[email protected]>" imported gpg: Total number processed: 11 gpg: imported: 1 gpg: unchanged: 10 But am unable to verify the signature of the tarball: $ gpg --verify ratis-thirdparty-1.0.4-src.tar.gz.asc ratis-thirdparty-1.0.4-src.tar.gz gpg: Signature made Wed 15 Mar 2023 11:13:20 AM CET gpg: using EDDSA key 8F534410776FEDBE953CA795B5306339B3621069 gpg: Can't check signature: No public key Am I missing something? -Attila
