On Sun, 3 Apr 2022 at 18:34, Mark Phippard <markp...@gmail.com> wrote:

> On Sun, Apr 3, 2022 at 11:22 AM Julian Foad <jul...@foad.me.uk> wrote:
> >
> > > I'm in the middle of the
> > > process of testing, however I have some trouble with the gpg keys [...]
> >
> > Me too. It appears I need to update my configured keyserver. Then maybe
> > fetch keys and then maybe the checking will work. That's based on, so far,
> > finding that checking existing keys fails due to unreachable key server,
> > and then reading
> > <https://unix.stackexchange.com/questions/656205/sks-keyservers-gone-what-to-use-instead>
>
> I am curious what you are doing ... simply because PGP has always been
> a mystery to me. When I used to sign releases I recall that all I did
> was take the option to verify the signature was valid. Maybe that was
> gpg --verify? I never had a web of trust so that was all I could do
> and I do not recall if we even had a KEYS file back then as this was
> mostly before the move to ASF.

It seems to be a problem mostly related to my key. I can't get the committer signature list [1] to include my key (and thus the script doesn't download it to the KEYS file).

> Here is the other info I can share that may be relevant:
>
> 1. The KEYS file is from the script that was shared.
> 2. I had to create a new GPG key. I noticed it gave me one of the
> newer elliptic curve keys. Maybe not all versions of OpenPGP can
> handle these?
> 3. I uploaded it to the MIT keyserver as per something I read in the
> ASF committer docs ...
> Actually looking at history I did this: gpg --send-key
> EC25FCC105618D04ADB43429C4416167349A3BCB

I've also tried to follow the ASF committer docs and I did exactly the same command. I can find the key in https://keys.openpgp.org. I did miss to verify my e-mail address, don't know if that made a difference. I've successfully verified the address now.

> 4. I updated my fingerprint in ASF LDAP

Also did this. According to committers keys [1], the "key [is] not found".

> Since I just created this key a couple weeks ago if it is better that
> I generate a new key, re-sign the release and upload new signatures
> just let me know what to do.
>
> Also:
>
> gpg --version
> gpg (GnuPG) 2.3.4
> libgcrypt 1.10.0
> Copyright (C) 2021 Free Software Foundation, Inc.
> License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
>
> Home: /Users/markphip/.gnupg
> Supported algorithms:
> Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
> Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
> CAMELLIA128, CAMELLIA192, CAMELLIA256
> AEAD: EAX, OCB
> Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
> Compression: Uncompressed, ZIP, ZLIB, BZIP2

I'm on GnuPG 2.2.19 (the default from Ubuntu on WSL) but it shouldn't make much difference.

> and
>
> gpg --list-keys
> /Users/markphip/.gnupg/pubring.kbx
> ----------------------------------
> pub ed25519 2022-03-21 [SC]
> EC25FCC105618D04ADB43429C4416167349A3BCB
> uid [ultimate] Mark Phippard <markp...@apache.org>

I've also got my key here. We shall see after 01Z tonight when the committer signature list [1] is updated.

/Daniel

[1] https://people.apache.org/keys/committer/
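
Added example, not part of the original message or of the Subversion release scripts: a shell check that a signer's full fingerprint is present as a primary key in a KEYS listing, and which algorithm it uses, working offline from GnuPG's colon-delimited output. The function name `primary_key_info` and the sample listing are constructed for illustration (only the ed25519 fingerprint is taken from the message above); field positions follow GnuPG's doc/DETAILS.

```shell
#!/bin/sh
# Constructed sample in the shape of `gpg --show-keys --with-colons KEYS`
# (not real output). On "pub" lines field 3 is the key length, field 4 the
# algorithm id and field 17 the curve; on "fpr" lines field 10 is the
# fingerprint. Note that "fpr" records follow subkeys ("sub") as well.
SAMPLE_LISTING='pub:-:4096:1:0123456789ABCDEF:1400000000:::-:::scESC::::::23::0:
fpr:::::::::00112233445566778899AABB0123456789ABCDEF:
pub:-:255:22:C4416167349A3BCB:1647820800:::-:::scESC:::::ed25519:::0:
fpr:::::::::EC25FCC105618D04ADB43429C4416167349A3BCB:
sub:-:255:18:AAAAAAAAAAAAAAAA:1647820800::::::e:::::cv25519::
fpr:::::::::FFEEDDCCBBAA998877665544AAAAAAAAAAAAAAAA:'

# primary_key_info LISTING FINGERPRINT
# Prints "<algorithm> <curve or key size>" for the primary key whose full
# fingerprint equals FINGERPRINT; returns 1 if no primary key matches.
# Short key IDs and subkey fingerprints are deliberately not accepted.
primary_key_info() {
    want=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    printf '%s\n' "$1" | awk -F: -v want="$want" '
        BEGIN { name[1] = "RSA"; name[17] = "DSA"; name[19] = "ECDSA"; name[22] = "EdDSA" }
        $1 == "pub" {
            algo = $4
            detail = ($17 != "") ? $17 : $3 " bits"
            last = "pub"
            next
        }
        $1 == "sub" { last = "sub"; next }
        $1 == "fpr" && last == "pub" && $10 == want {
            label = (algo in name) ? name[algo] : "algo-" algo
            print label, detail
            found = 1
            exit
        }
        END { exit(found ? 0 : 1) }
    '
}

# Against a real file (needs gpg 2.2.8 or later for --show-keys):
#   primary_key_info "$(gpg --show-keys --with-colons KEYS)" "$FPR"
```

An `EdDSA ed25519` result identifies a key that GnuPG releases without EdDSA support cannot use, which is the compatibility question raised in point 2 of the quoted message.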