> On Sep 16, 2021, at 2:00 AM, Jean-Louis Monteiro <[email protected]> > wrote: > > Hi all, > > Rod reported that we are missing some keys for signature checking of the > binaries. > David, yours isn't the correct one. So maybe you rotated the key to a new > one.
Here's the revision where the key was added:
$ svn diff -c 47730 https://dist.apache.org/repos/dist/release/tomee/KEYS
Here's a script that can verify 9.0.0-M7 in a temp dir starting with an empty
gpg keys file:
- https://gist.github.com/dblevins/949096886b293d4aec9af3312c48b4f9
I don't recall what key server I added it to. It was whatever the Nexus
install at repository.apache.org required before it would let me close the repo.
If Rod has a specific keys server he likes, I'm happy to add my key there as
well.
I wrote a command in our release tools repo to make it easier for us to add our
keys.
-
https://github.com/apache/tomee-release-tools/blob/master/src/main/java/org/apache/openejb/tools/release/cmd/Dist.java#L230-L248
We can expand that to also add it to a keys server. That's something you have
to do to make Nexus happy anyway, so it'd be a very good addition.
-David
smime.p7s
Description: S/MIME cryptographic signature
