Hi

Yes, the key is in a GitHub Secret. Like other ASF projects, the podling uses several GitHub Secrets to automate releases. It has been described on the podling dev mailing list, and the semi-automated script was also in a PR and reviewed.

Regards
JB

On Tue, Dec 9, 2025 at 21:53, Ryan Blue <[email protected]> wrote:

> +0
>
> More information is needed for me to update to +1.
>
> I see this signature:
>
> ```
> [blue@dev tmp]$ gpg --verify apache-polaris-1.3.0-incubating.tar.gz.asc
> gpg: assuming signed data in 'apache-polaris-1.3.0-incubating.tar.gz'
> gpg: Signature made Tue 25 Nov 2025 01:08:54 AM PST
> gpg: using RSA key 6A6532EAD1AE4441ACE054870E971D601C4AD16F
> gpg: Good signature from "Apache Polaris <[email protected]>" [unknown]
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the owner.
> Primary key fingerprint: 6A65 32EA D1AE 4441 ACE0 5487 0E97 1D60 1C4A D16F
> ```
>
> Since that is not a release manager, this must have been produced by the
> release automation scripts that were discussed on the dev list. I took a
> quick look, but I don't see how the private key is protected. The release
> guide covers manual releases. I'm assuming that this is stored as a github
> secret and is only accessible in a workflow that authorized users have
> access to? (I see that it must be run by a committer from the thread on the
> dev list.)
>
> I'll change to +1 if someone can let me know how the keys are managed.
>
> On Tue, Dec 9, 2025 at 9:27 AM Jean-Baptiste Onofré <[email protected]> wrote:
>
> > Dear IPMC members,
> >
> > This is a gentle reminder that the Apache Polaris 1.3.0-incubating (RC2)
> > vote still requires a third binding vote to pass.
> >
> > Thank you,
> >
> > Regards
> > JB
> >
> > On Mon, Dec 1, 2025 at 9:35 AM Pierre Laporte <[email protected]> wrote:
> >
> > > Hello everyone,
> > >
> > > The Apache Polaris community has voted and approved the release of Apache
> > > Polaris 1.3.0-incubating (RC2). We now kindly request the IPMC members
> > > review and vote for this release.
> > >
> > > Polaris community vote thread:
> > > * https://lists.apache.org/thread/fw8xhobpnoy3mvvw8hxd3r7kw5of4kos
> > >
> > > Vote result thread:
> > > * https://lists.apache.org/thread/xjwb04c33oo387g5gjdx674bw7t9bhz2
> > >
> > > This corresponds to the tag: apache-polaris-1.3.0-incubating-rc2
> > > * https://github.com/apache/polaris/commits/apache-polaris-1.3.0-incubating-rc2
> > > * https://github.com/apache/polaris/tree/308134d6440f8167afd563a885187e238c21048a
> > >
> > > The release tarball, signature, and checksums are here:
> > > * https://dist.apache.org/repos/dist/dev/incubator/polaris/1.3.0-incubating
> > >
> > > Helm charts are available on:
> > > * https://dist.apache.org/repos/dist/dev/incubator/polaris/helm-chart/1.3.0-incubating/
> > > NB: you have to build the Docker images locally in order to test Helm
> > > charts.
> > >
> > > You can find the KEYS file here:
> > > * https://downloads.apache.org/incubator/polaris/KEYS
> > >
> > > Convenience binary artifacts are staged on Nexus. The Maven repository URL
> > > is:
> > > * https://repository.apache.org/content/repositories/orgapachepolaris-1046
> > >
> > > Please download, verify and test.
> > >
> > > Please vote in the next 72 hours.
> > >
> > > [ ] +1 approve
> > > [ ] +0 no opinion
> > > [ ] -1 disapprove with the reason
> > >
> > > To learn more about apache Polaris, please see https://polaris.apache.org/
> > >
> > > Thanks,
> > >
> > > --
> > >
> > > Pierre
