Hi Grant, > > We created new keys during the key-signing on ApacheCon and lot's of > > committers upgraded to 4096. Mine is new and 4096 bit and also > > simonw and > > rmuir got new ones (now appearing in KEYS file). > > > > Grant *replaced* his key in the KEYS file, but if Grant signed an > > older > > release on the Apache mirrors, it cannot be verified. > > > > My key should contain both my old one and my new one, so it should > still be all right. Also, the KEYS file is versioned, so someone can > just get the rev from back then. KEYS should be packaged in the > release, if they aren't already..
They are packaged with the release, but the last recent KEYS file also is on archive and this is a one-for-all KEYS file: http://archive.apache.org/dist/lucene/java/ So if somebody there downloads an old version, signed by you, he cannot verify with the provided KEYS file. If your new key contains the old one (e.g. because it was signed using the old one), it may still work. I wanted to test this, which releases on the long list did you sign, I do not want to check all of them? > > Should I revert the replacement and add the old and new pub key of > > Grant > > again before I publish the file? See also the code signing docs of > > Apache, > > there you find the hint "...keep all former keys available, even if > > you get > > new keys..." > > -1 I wanted to try out first on the Apache Archive. Uwe --------------------------------------------------------------------- To unsubscribe, e-mail: java-dev-unsubscr...@lucene.apache.org For additional commands, e-mail: java-dev-h...@lucene.apache.org
