Thank you Zhaofeng for the explanation. > We understand that the current key name may be confusing. To make its > shared nature clearer, we plan to introduce a new key entry with identity > set to something like "Teaclave Release Signing Key", which makes it more > reasonable for people who are trying to verify the artifacts.
This looks good to me. > In the new setup, the shared GPG key is hardware-backed (e.g., YubiKey), > PIN-protected, with expiration date, and maintained by a small group of > administrators. This can sometimes be challenging, as it may restrict some PMC members from making releases. I know that's not your intention, but it can give the impression that the project is controlled by a small group of people. Here are some questions: - Who will pay for the hardware? - Will all PMC members receive this hardware? - Can PMC members who do not have this hardware still sign releases? However, this isn't a blocker for the release. We can address these issues gradually. On Thu, Jun 19, 2025, at 13:08, Zhaofeng Chen wrote: > Hi Xuanwo, > > Thanks for the helpful input. > > - We’ll update future emails to use the official CDN link: > https://downloads.apache.org/incubator/teaclave/KEYS . For verification > purpose, the file content is identical. > > Regarding the signing key: > We’re moving toward a model where multiple release managers can securely > use the same high-assurance signing key. Previously, each release manager > generated and managed their own GPG key independently, which led to > inconsistent security practices and made key rotation more difficult. > > In the new setup, the shared GPG key is hardware-backed (e.g., YubiKey), > PIN-protected, with expiration date, and maintained by a small group of > administrators. Release managers don’t personally own the key but can > request access to perform signing operations in a controlled, offline > process. This approach improves key protection, simplifies key lifecycle > management, and ensures better privilege separation. > > We understand that the current key name may be confusing. To make its > shared nature clearer, we plan to introduce a new key entry with identity > set to something like "Teaclave Release Signing Key", which makes it more > reasonable for people who are trying to verify the artifacts. > > I'd love to hear any feedback the community may have on this plan. If it > sounds reasonable and compliant with Apache's policy, I can proceed with > updating the KEYS file with the new key name and the corresponding > signature files. > > Best, > Zhaofeng > > On Thu, Jun 19, 2025 at 10:53 AM Xuanwo <xua...@apache.org> wrote: > >> Hi, Zhaofeng >> >> Thank you for working on this release. This is my first time reviewing >> releases, so please let me know if there's any context I should be aware of >> beforehand. >> >> Here are some questsions I have: >> >> - It's better to use our CDN for the GPG key download URL: >> https://downloads.apache.org/incubator/teaclave/KEYS >> - I noticed that the release is signed by a different key, >> yu...@apache.org, which does not belong to Zhaofeng. Is it signed >> automatically in CI? >> >> On Thu, Jun 19, 2025, at 08:03, Zhaofeng Chen wrote: >> > Hi all, >> > >> > I am pleased to be calling this vote for the release of Apache Teaclave >> > TrustZone SDK (incubating) 0.5.0 (release candidate 1). >> > >> > Although this release follows shortly after the approval of the v0.4.0 on >> > June 3, please note that the earlier release was initiated back on >> February >> > 27 and was significantly delayed due to a prolonged voting process. Since >> > then, we’ve made improvements to streamline the process and hope this >> > release proceeds more smoothly. >> > >> > The release note is available in: >> > - >> > >> https://github.com/apache/incubator-teaclave-trustzone-sdk/releases/tag/v0.5.0-rc.1 >> > >> > The release candidate to be voted over is available at: >> > - >> > >> https://dist.apache.org/repos/dist/dev/incubator/teaclave/trustzone-sdk-0.5.0-rc.1/ >> > >> > The release candidate is signed with a GPG key available at: >> > - https://dist.apache.org/repos/dist/release/incubator/teaclave/KEYS >> > >> > Instructions to verify the release candidate’s signature: >> > - >> https://teaclave.apache.org/download/#verify-the-integrity-of-the-files >> > >> > Incubator release checklist for reference: >> > - >> > >> https://cwiki.apache.org/confluence/display/INCUBATOR/Incubator+Release+Checklist >> > >> > The release artifacts have passed all GitHub Actions CI checks. You can >> > also reproduce the build process manually from source using the >> > following >> > commands: >> > ``` >> > $ wget >> > >> https://dist.apache.org/repos/dist/dev/incubator/teaclave/trustzone-sdk-0.5.0-rc.1/apache-teaclave-trustzone-sdk-0.5.0-incubating.tar.gz >> > $ tar zxvf apache-teaclave-trustzone-sdk-0.5.0-incubating.tar.gz >> > $ cd apache-teaclave-trustzone-sdk-0.5.0-incubating >> > $ docker run --rm -it -v$(pwd):/teaclave-trustzone-sdk -w \ >> > /teaclave-trustzone-sdk yuanz0/teaclave-trustzone-sdk:ubuntu-24.04 \ >> > bash -c "./setup.sh && (./build_optee_libraries.sh optee) && source \ >> > environment && make && (cd ci && ./ci.sh)" >> > ``` >> > >> > The vote will be open for at least 72 hours. Anyone can participate >> > in testing and voting, not just committers, please feel free to try >> > out the release candidate and provide your votes to this thread >> > explicitly. >> > >> > [ ] +1 approve >> > [ ] +0 no opinion >> > [ ] -1 disapprove with the reason >> > >> > Best, >> > Zhaofeng >> >> -- >> Xuanwo >> >> https://xuanwo.io/ >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: dev-unsubscr...@teaclave.apache.org >> For additional commands, e-mail: dev-h...@teaclave.apache.org >> >> -- Xuanwo https://xuanwo.io/ --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@teaclave.apache.org For additional commands, e-mail: dev-h...@teaclave.apache.org
