[
https://issues.apache.org/jira/browse/NIFI-2112?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16540432#comment-16540432
]
ASF GitHub Bot commented on NIFI-2112:
--------------------------------------
Github user andrewmlim commented on a diff in the pull request:
https://github.com/apache/nifi-site/pull/27#discussion_r201777770
--- Diff: src/pages/markdown/gpg.md ---
@@ -0,0 +1,524 @@
+---
+title: GPG (Gnu Privacy Guard / Open PGP) Signatures
+---
+
+# Apache NiFi Release Signatures and Code Signing
+
+The purpose of this document is to capture and describe the steps involved
in generating and verifying cryptographic signatures of official releases of
Apache NiFi, as well as configuring cryptographic signatures of individual code
commits. It is written for contributors, committers, and users of Apache NiFi
(and related applications).
+
+## <a name="table-of-contents">Table of Contents</a>
+ * [The Objective](#the-objective)
+ * [Background Material](#background-material)
+ * [Terms](#terms)
+ * [Variable Reference Substitutions](#variable-reference-substitutions)
+ * [Download GPG](#download-gpg)
+ * [Set up a GPG key](#set-up-a-gpg-key)
+ * [Sign your GPG key](#sign-your-gpg-key)
+ * [Publish your key](#publish-your-key)
+ * [Import another GPG key](#import-another-gpg-key)
+ * [Verify a key](#verify-a-key)
+ * [Sign an external key](#sign-an-external-key)
+ * [Web of trust](#web-of-trust)
+ * [Set up git with your key](#set-up-git-with-your-key)
+ * [Signing code](#signing-code)
+ * [Verifying a signature](#verifying-a-signature)
+ * [Set up GitHub with your key](#set-up-github-with-your-key)
+ * [Signing a release artifact](#signing-a-release-artifact)
+ * [Verifying a release signature](#verifying-a-release-signature)
+
+## <a name="the-objective">The Objective</a>
+
+Our aim is to instruct users on how to sign their commits, verify other's
signatures, and do the same for official releases of Apache NiFi.
+
+## <a name="background-material">Background Material</a>
+
+ - These documents are helpful for general environmental setup to perform
GPG signing and signature verification
+ - [Apache PGP Info][apache-pgp]
+ - [Apache Release Signing][apache-release-signing]
+ - [Git Ready: Signing Releases with GPG][git-sign-tag-instructs]
+ - [RFC 4880: IETF Standard Spec for OpenPGP][rfc-4880]
+ - [GitHub Blog: GPG Signature Verification][github-gpg-signing]
+ - [Git Ready: gpg-sign releases][git-sign-tag-instructs]
+ - [GitHub Help: Signing Commits Using GPG][github-help-gpg]
+ - [GitHub Help: Telling Git About Your GPG Key][git-config-gpg]
+ - [Git Docs: Git Tools Signing Your Work][git-gpg]
+ - [PGP Web of Trust][web-of-trust]
+
+## <a name="terms">Terms</a>
+
+ * **Asymmetric Cryptography** - a type of cryptography which relies on
*key pairs* -- a *public* and *private* key which are mathematically-related
such that no other component key matches. This cryptography offers the
following actions: **encrypt**, **decrypt**, **sign**, and **verify**
+ * **Cryptographic Signature** - a series of bytes which are the result of
a signing operation such that only the possessor of a specific private key
could have generated this signature. A valid signature indicates that the
possessor of said key performed the operation (non-repudiable)
+
+## <a name="variable-reference-substitutions">Variable Reference
Substitutions</a>
+
+Throughout this guide, references must be made to names and values that
will vary from release to release. For clarity
+those variable values have been written like Bash variable references.
When a term like
+"```/tmp/src/nifi-${NIFI_VERSION}```" is seen in an instruction or email
template it should be replaced with
+"```/tmp/src/nifi-1.7.0```" when working the release of "Apache NiFi
1.7.0".
+
+ * Substitutions used in tasks and email templates
+ <pre>
+ Reference Example value Description
+ ========= ============== ===========
+ ${BRANCH} master the development branch on
which the release is based.
+ ${NIFI_VERSION} 1.7.0 the version currently in
development on the release branch.
+ ${NEXT_VERSION} 1.8.0-SNAPSHOT the future version for
development on the release branch.
+ ${JIRA_TICKET} NIFI-2112 the JIRA ticket created by
the release manager for the release tasks.
+ ${RC} 2 the Release Candidate index
start at 1 for the first release candidate.
+ ${RC_TAG_COMMIT_ID} the 40 byte commit ID of the
RC tag created during the Maven release process.
+ ${STAGING_REPO_ID} orgapachenifi-1088 the temporary repository ID
where staged artifacts have been placed.
+ ${RM_USERID} johndoe the Apache account ID of
Release Manager.
+ ${RELEASE_TAG} rel/nifi-1.7.0 the Git repository tag for
the source code as released.
+ ${VOTE_THREAD_URL} [1.7.0 vote thread][070-rc2-vote] the URL for
the Apache Pony Mail archive of the release vote thread.
+ </pre>
+
+ _To be practical but avoid confusion with future release details,
these example values reflect the previous release
+NiFi 1.7.0 RC2 release details._
+
+NOTE: The next version should be the next minor version if the release is
based on a major version development branch (e.g master
+or 0.x). The next version should be the next incremental version if the
release is based on a minor version development branch (e.g
+support/nifi-1.1.x or support/nifi-0.7.4). If this is the first
incremental release (e.g. 1.2.1) for a minor release line the support
+branch may need to be created.
+
+## <a name="download-gpg">Download GPG</a>
+
+To get started, you should download the appropriate software for your
operating system (links and version compatibility as of July 10, 2018). Follow
the configuration instructions that come with your tool of choice:
+
+### Mac OS X / macOS
+
+* [GPG Suite][gpg-suite] -- macOS 10.9+ -- a GUI-based suite of GPG tools
including command-line tool, Mail client integration, etc.
+* gpg via brew -- distribution of [GnuPG][gnupg] command-line tool via
[brew][brew]. Install via `brew update && brew install gpg2`. You may also need
`gpg-agent` depending on your system.
+
+### Linux
+* Redhat/CentOS -- `yum install gnupg`
+* Debian/Ubuntu -- `apt-get install gnupg`
+
+### Windows
+* [Gpg4win][gpg4win] -- Windows 7+ -- a GUI-based suite of GPG tools
+
+## <a name="setting-up-your-key">Setting up your key</a>
+
+*All following commands will use the command-line syntax to perform these
operations unless otherwise noted. For instructions on performing these
operations in a GUI-environment, refer to the resources listed above.*
+
+To begin, run the `gpg` command with the `--gen-key` or
`--full-generate-key` flag. You will be prompted for various information, and
can accept the defaults other than **name** and **email**. The tool will prompt
for a passphrase, and the key pair will be identified by the **user id**
(**name** + **email**) and a **key fingerprint**.
+
+Example:
+
+```
+# Generate the key
+🔓 0s @ 15:06:19 $ gpg --gen-key
+Note: Use "gpg --full-generate-key" for a full featured key generation
dialog.
+
+GnuPG needs to construct a user ID to identify your key.
+
+Real name: NiFi Test User
+Email address: [email protected]
+You selected this USER-ID:
+ "NiFi Test User <[email protected]>"
+
+Change (N)ame, (E)mail, or (O)kay/(Q)uit? o
+We need to generate a lot of random bytes. It is a good idea to perform
+some other action (type on the keyboard, move the mouse, utilize the
+disks) during the prime generation; this gives the random number
+generator a better chance to gain enough entropy.
+We need to generate a lot of random bytes. It is a good idea to perform
+some other action (type on the keyboard, move the mouse, utilize the
+disks) during the prime generation; this gives the random number
+generator a better chance to gain enough entropy.
+gpg: key 71456940555DB64A marked as ultimately trusted
+gpg: revocation certificate stored as
'/Users/alopresto/.gnupg/openpgp-revocs.d/718FAE8D4F81CDED06EA652271456940555DB64A.rev'
+public and secret key created and signed.
+
+pub rsa2048 2018-07-10 [SC] [expires: 2020-07-09]
+ 718FAE8D4F81CDED06EA652271456940555DB64A
+uid NiFi Test User <[email protected]>
+sub rsa2048 2018-07-10 [E] [expires: 2020-07-09]
+
+# List all keys in the key ring
+🔓 38s @ 15:07:11 $ gpg -k
+gpg: checking the trustdb
+gpg: marginals needed: 3 completes needed: 1 trust model: pgp
+gpg: depth: 0 valid: 6 signed: 4 trust: 0-, 0q, 0n, 0m, 0f, 6u
+gpg: depth: 1 valid: 4 signed: 10 trust: 3-, 0q, 0n, 0m, 1f, 0u
+gpg: depth: 2 valid: 10 signed: 1 trust: 8-, 0q, 0n, 0m, 2f, 0u
+gpg: next trustdb check due at 2018-08-19
+/Users/alopresto/.gnupg/pubring.gpg
+-----------------------------------
+pub dsa2048 2010-08-19 [SC] [expires: 2018-08-19]
+ 85E38F69046B44C1EC9FB07B76D78F0500D026C4
+uid [ultimate] GPGTools Team <[email protected]>
+uid [ultimate] GPGMail Project Team (Official OpenPGP Key)
<[email protected]>
+uid [ultimate] GPGTools Project Team (Official OpenPGP Key)
<[email protected]>
+uid [ultimate] [jpeg image of size 5871]
+sub elg2048 2010-08-19 [E] [expires: 2018-08-19]
+sub rsa4096 2014-04-08 [S] [expires: 2024-01-02]
+
+...
+
+pub rsa2048 2018-07-10 [SC] [expires: 2020-07-09]
+ 718FAE8D4F81CDED06EA652271456940555DB64A
+uid [ultimate] NiFi Test User <[email protected]>
+sub rsa2048 2018-07-10 [E] [expires: 2020-07-09]
+
+# List a specific key with (formatted) fingerprint
+🔓 0s @ 15:11:37 $ gpg --fingerprint 0x555DB64A
+pub rsa2048 2018-07-10 [SC] [expires: 2020-07-09]
+ 718F AE8D 4F81 CDED 06EA 6522 7145 6940 555D B64A
+uid [ultimate] NiFi Test User <[email protected]>
+sub rsa2048 2018-07-10 [E] [expires: 2020-07-09]
+
+```
+
+You now have a key generated for your identity. Some Apache users will
include "(CODE SIGNING KEY)" after their name to separate this key from other
keys they use. This is optional. By default, keys use 2048 bit length. You can
increase this to 4096 bits by using the `--full-generate-key` or
`--default-new-key-algo rsa4096` flags when generating.
+
+The **key fingerprint** can be referred to by the last 8 hex digits
(**short ID**) or last 16 hex digits (**long ID**), so for the remainder of
this guide, our example key will have the **long ID** `7145 6940 555D B64A`
(spaces optional) and **short ID** `555D B64A`, which we can reference in
commands as `0x555DB64A`.
+
+### Trust vs. Validity
+
+It is important to understand the difference between two closely related
concepts -- **ownertrust** and **validity**. Validity is how much *you* trust a
*key*; that is *how well you have verified the key represents who it claims*.
Ownertrust is how much transitive trust you give to that entity; how well do
you believe *Person X* verifies keys that *they* sign?
+
+There are four levels of **ownertrust** and five levels of **validity**.
+
+**Trust**
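Review bot: the key-identification paragraph near the end of this hunk tells readers to reference keys in commands by the short ID (`0x555DB64A`, as in the `gpg --fingerprint 0x555DB64A` example). A short ID is only the last 8 hex digits (32 bits) of the fingerprint, so unrelated keys can share one and a `gpg` lookup by short ID is ambiguous; the guide should instruct readers to use the full 40-hex-digit fingerprint (or at minimum the 16-digit long ID) in every command and update that example accordingly. Separately, the table of contents links to `#set-up-a-gpg-key` while the heading is `<a name="setting-up-your-key">Setting up your key</a>`, so that link is broken, and the `git-sign-tag-instructs` reference appears twice in the background list under two different titles.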
--- End diff --
Change to Overtrust?
> Perform Release Management Functions for 0.7.0
> ----------------------------------------------
>
> Key: NIFI-2112
> URL: https://issues.apache.org/jira/browse/NIFI-2112
> Project: Apache NiFi
> Issue Type: Task
> Reporter: Joseph Percivall
> Assignee: Joseph Percivall
> Priority: Major
> Labels: release
> Fix For: 0.7.0
>
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)