We created new keys during the key-signing at ApacheCon and lots of
committers upgraded to 4096. Mine is new and 4096 bit and also simonw and
rmuir got new ones (now appearing in KEYS file).

Grant *replaced* his key in the KEYS file, but if Grant signed an older
release on the Apache mirrors, it cannot be verified.

Should I revert the replacement and add the old and new pub key of Grant
again before I publish the file? See also the code signing docs of Apache,
there you find the hint "...keep all former keys available, even if you get
new keys..."

Uwe

-----
Uwe Schindler
H.-H.-Meier-Allee 63, D-28213 Bremen
http://www.thetaphi.de
eMail: u...@thetaphi.de




---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: java-dev-h...@lucene.apache.org
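
The concern in the message above, that replacing a key in KEYS leaves older release signatures unverifiable, can be checked before the file is published. The following is an added example, not part of the original e-mail or of any Apache tooling: it compares v4 primary-key fingerprints between the published and the edited KEYS file. The function names and the sample key blocks are constructed for illustration and are not usable keys.

```python
import base64, hashlib, re

BLOCK = re.compile(r"-----BEGIN PGP PUBLIC KEY BLOCK-----(.*?)"
                   r"-----END PGP PUBLIC KEY BLOCK-----", re.S)

def dearmor(armored):
    """Drop armor headers ("Version: ...") and the "=XXXX" CRC line, decode the rest."""
    lines = (l.strip() for l in armored.splitlines())
    data = [l for l in lines if l and ":" not in l and not l.startswith("=")]
    return base64.b64decode("".join(data))

def primary_fingerprint(raw):
    """RFC 4880 v4 fingerprint of the first packet, which must be a public key."""
    b0 = raw[0]
    if b0 & 0x40:                                  # new-format packet header
        tag, o1 = b0 & 0x3F, raw[1]
        if o1 >= 224:
            raise ValueError("5-octet and partial lengths are not handled here")
        n, off = (o1, 2) if o1 < 192 else (((o1 - 192) << 8) + raw[2] + 192, 3)
    else:                                          # old-format packet header
        tag, size = (b0 >> 2) & 0x0F, 1 << (b0 & 3)  # length field: 1, 2 or 4 bytes
        n, off = int.from_bytes(raw[1:1 + size], "big"), 1 + size
    body = raw[off:off + n]
    if tag != 6 or body[:1] != b"\x04" or n > 0xFFFF:
        raise ValueError("expected a v4 public-key packet")
    return hashlib.sha1(b"\x99" + n.to_bytes(2, "big") + body).hexdigest().upper()

def fingerprints(keys_text):
    """Primary-key fingerprints of every armored block in a KEYS file."""
    return {primary_fingerprint(dearmor(m)) for m in BLOCK.findall(keys_text)}

def dropped_keys(old_keys, new_keys):
    """Keys the old KEYS file had that the new one lacks (should be empty)."""
    return fingerprints(old_keys) - fingerprints(new_keys)

def constructed_block(seed):
    """Constructed sample: armor a dummy v4 RSA key packet (not a usable key)."""
    body = b"\x04" + bytes(4) + b"\x01\x00\x08" + bytes([seed]) + b"\x00\x02\x03"
    raw = bytes([0x98, len(body)]) + body          # old format, tag 6, 1-byte length
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" + base64.b64encode(raw).decode()
            + "\n-----END PGP PUBLIC KEY BLOCK-----\n")

OLD_KEY, NEW_KEY, OTHER_KEY = (constructed_block(s) for s in (0x81, 0x82, 0x83))
PUBLISHED = "old committer key\n" + OLD_KEY         # KEYS as already on the mirrors
REPLACED = NEW_KEY + OTHER_KEY                      # old key swapped out
APPENDED = OLD_KEY + NEW_KEY + OTHER_KEY            # old key kept, new ones added

if __name__ == "__main__":
    print("replaced drops:", sorted(dropped_keys(PUBLISHED, REPLACED)))
    print("appended drops:", sorted(dropped_keys(PUBLISHED, APPENDED)))
```

A non-empty result from `dropped_keys` means some earlier release signature may no longer verify against the new file; v3 keys raise `ValueError` and need separate handling.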
