I guess we could use the link above, but we would still have to have a
hard-coded list of committers, unless we want to allow any Apache committer to
sign the artifacts. But it still sounds more secure to do it this way; I'll
give it a try tomorrow.


On Wed, Apr 4, 2018, 2:21 PM Stephen Mallette <[email protected]> wrote:

> Kuppitz, just thought I'd start a fresh thread for this gpg issue. Reading
> about how to validate the authenticity of a key a bit and it seems like a
> reasonable level of validation would be to verify the key against the list
> of apache committers:
>
> https://people.apache.org/keys/committer/
>
> I guess validate-distribution.sh does that in a sense by allowing through
> certain keys by hard-coding known ones directly into the shell script. Maybe
> just leave it like that and we add new keys as needed? Or is it easy
> to alter the validate-distribution.sh script to verify the key against that
> link above?
>

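The check the two messages above are circling, as an added example that is not TinkerPop's validate-distribution.sh and not code from either author: verify the detached signature, then compare the primary fingerprint of the key that produced a good signature against an explicit allowlist of fingerprints kept in a file. The keyring (who is known, e.g. everything imported from a KEYS file or the committer key pages) and the allowlist (who is allowed to sign a release) are deliberately two different things, so importing every committer key does not by itself let any committer sign, and the script no longer has to hard-code keys. Assumptions: GnuPG 2.x (`--quick-generate-key`, `--pinentry-mode loopback`, and the VALIDSIG status line whose last field is the primary-key fingerprint), and a throwaway key generated in a temporary home directory as constructed test data; the file names and the `demo` function are illustrative.

```shell
#!/bin/sh
# Added example (not TinkerPop's validate-distribution.sh): verify a release
# artifact's detached GPG signature, then check that the primary key that signed
# it is on an explicit allowlist of fingerprints, instead of accepting any key
# that happens to be present in the keyring.
set -eu

# Print the primary-key fingerprint of the key that made a good signature over
# ARTIFACT, using the keyring in HOMEDIR. Returns 1 if the signature is bad,
# missing, or made by a key that is not in the keyring at all.
signing_fingerprint() {
  artifact=$1; sig=$2; homedir=$3
  # --status-fd 1 emits machine-readable "[GNUPG:] ..." lines on stdout; gpg
  # exits non-zero on BADSIG / NO_PUBKEY, so a failed verification stops here.
  status=$(gpg --homedir "$homedir" --batch --status-fd 1 \
               --verify "$sig" "$artifact" 2>/dev/null) || return 1
  # VALIDSIG <signing-key-fpr> ... <primary-key-fpr>: the last field is the
  # primary key, which is what a KEYS file lists even when a signing subkey did
  # the work (assumption: GnuPG 2.x status-line format).
  fpr=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $NF; exit }')
  printf '%s' "$fpr" | grep -Eq '^[0-9A-F]{40}$' || return 1
  printf '%s\n' "$fpr"
}

# Is fingerprint $1 listed (one 40-hex fingerprint per line) in allowlist file $2?
fingerprint_allowed() {
  grep -qix "$1" "$2"
}

# 0 = good signature by an allowed key, 1 = bad or unverifiable signature,
# 2 = valid signature, but by a key that is not on the allowlist.
verify_artifact() {
  artifact=$1; sig=$2; homedir=$3; allowlist=$4
  fpr=$(signing_fingerprint "$artifact" "$sig" "$homedir") || {
    echo "REJECT: bad or unverifiable signature on $artifact" >&2; return 1; }
  if fingerprint_allowed "$fpr" "$allowlist"; then
    echo "OK: $artifact signed by allowed key $fpr"
  else
    echo "REJECT: $artifact signed by $fpr, which is not an allowed release key" >&2
    return 2
  fi
}

# Self-contained demonstration with a throwaway key (constructed test data, not
# a real committer key). Returns 0 only if all three cases behave as intended.
demo() {
  work=$(mktemp -d); home="$work/gnupg"; mkdir -m 700 "$home"
  gpg --homedir "$home" --batch --pinentry-mode loopback --passphrase '' \
      --quick-generate-key "Example RM <[email protected]>" default default 2>/dev/null
  printf 'pretend this is a release zip\n' > "$work/artifact.zip"
  gpg --homedir "$home" --batch --pinentry-mode loopback --passphrase '' \
      --armor --detach-sign --output "$work/artifact.zip.asc" "$work/artifact.zip" 2>/dev/null
  # Allowlist: the primary fingerprint taken from the keyring, the same way you
  # would take them from an imported KEYS file (the "fpr" lines of --with-colons).
  gpg --homedir "$home" --with-colons --list-keys 2>/dev/null \
      | awk -F: '$1 == "fpr" { print $10; exit }' > "$work/allowed.fpr"
  printf '%s\n' 0000000000000000000000000000000000000000 > "$work/other.fpr"
  cp "$work/artifact.zip" "$work/tampered.zip"; printf 'x' >> "$work/tampered.zip"

  good=0; wrongkey=0; tampered=0
  verify_artifact "$work/artifact.zip" "$work/artifact.zip.asc" "$home" "$work/allowed.fpr" || good=$?
  verify_artifact "$work/artifact.zip" "$work/artifact.zip.asc" "$home" "$work/other.fpr" 2>/dev/null || wrongkey=$?
  verify_artifact "$work/tampered.zip" "$work/artifact.zip.asc" "$home" "$work/allowed.fpr" 2>/dev/null || tampered=$?

  gpgconf --homedir "$home" --kill gpg-agent 2>/dev/null || true
  rm -rf "$work"
  [ "$good" -eq 0 ] && [ "$wrongkey" -eq 2 ] && [ "$tampered" -eq 1 ]
}

if command -v gpg >/dev/null 2>&1; then demo; fi
```

For a real distribution check, the keyring would be a temporary home directory into which the project's KEYS file (or the committer key pages) has been imported, and the allowlist file would hold the fingerprints of the release managers only; the two are kept apart on purpose, so adding a new release manager means adding one fingerprint line to a file rather than editing the script. The tampered-artifact case exits 1 and the wrong-key case exits 2, so a caller can tell "signature does not verify" from "verifies, but not by someone we trust to cut releases".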