Off-hand, I can't imagine how your public key is useful to a code-signing plug-in.
I can confirm that the instructions for import of the KEYS certificates into GPG do work. My understanding is that KEYS is useful for someone who wants to verify the signatures on releases.

In general, it is preferable for the public keys (or at least the fingerprint) to be obtained from an independent, secure location that is uniquely associated with the committer whose PGP public key is sought. The files at <https://people.apache.org/keys/committer/> qualify, since the retrieved public keys are based on a fingerprint that requires access to your Apache Committer account to establish. The keys folder is kept secure by ASF Infrastructure. Synchronization with public key servers is automated.

Also, there is a file <https://people.apache.org/keys/group/> that has all public keys for an individual project (e.g., office.asc for all committers of Apache OpenOffice that have committer keys).

 - Dennis

PS: It is not clear to me how the signatures are ever made available in conjunction with the distributed binaries and source tarballs. They may be more for internal reviews and assurance of release-candidate integrity. I notice that the download of Apache OpenOffice 3.4.1 has two hashes and an ASC digital signature file, but there is no indication of whose public key is needed in order to verify the signature [;<). The external signatures themselves are served from, e.g., <http://www.apache.org/dist/incubator/ooo/files/stable/3.4.1/>, even when the various .tar.gz, .dmg, and .exe files are served from mirror sites. Note that the instructions (e.g., <http://www.openoffice.org/download/checksums/3.4.1_checksums.html#howto>) instruct obtaining the complete set of committer keys in office.asc and then checking the separately-provided external signature with the separately-provided download. It appears that, besides the ceremonial satisfaction of creating these signatures, the threat model and usability with respect to delivery to end-users need to be revisited.
-----Original Message-----
From: Florian Hopf [mailto:[email protected]]
Sent: Monday, April 29, 2013 01:08
To: [email protected]
Subject: Re: KEYS

Hi,

On 26.04.2013 18:34, Dennis E. Hamilton wrote:
> I'm not sure why this is on odf/trunk. It may work better to only have your
> Apache IDs and the PGP fingerprints in KEYS.

I expected that this is in some way to be needed by the code signing plugin but I didn't really check.

> Either way, it is valuable for you to provide your public keys at
> <https://people.apache.org/keys/committer/>. Do this by logging onto
> <https://id.apache.org/> and providing your key information. (You can have
> multiple keys there.)
>
> The keys associated with your Apache account are automatically updated from
> PGP public-key services. These are the ones that will have current
> counter-signatures and for which revocation/expiration is presumably noticed.

Thanks for the hint, I will update my information.

Regards
Florian

> - Dennis
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> Sent: Friday, April 26, 2013 04:38
> To: [email protected]
> Subject: svn commit: r1476146 - /incubator/odf/trunk/KEYS
>
> Author: fhopf
> Date: Fri Apr 26 11:37:38 2013
> New Revision: 1476146
>
> URL: http://svn.apache.org/r1476146
> Log:
> added code signing key to KEYS
>
> Modified:
> incubator/odf/trunk/KEYS
>
> Modified: incubator/odf/trunk/KEYS
> URL:
> http://svn.apache.org/viewvc/incubator/odf/trunk/KEYS?rev=1476146&r1=1476145&r2=1476146&view=diff
> [ ... ]

--
Florian Hopf
Freelance Software Developer
http://blog.florian-hopf.de
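The verification procedure Dennis describes (import the project's KEYS file such as office.asc into GPG, then check the separately served .asc signature against the downloaded artifact) leaves open the question he raises: whose key should have made the signature? The script below is an added example, not code from this thread, from the ODF Toolkit, or from ASF Infrastructure. It performs the check the checksums page describes and goes one step further by pinning the expected signer's fingerprint, which the verifier is assumed to have obtained independently (for instance from the committer's entry under https://people.apache.org/keys/committer/). It assumes GnuPG 2.1 or later and sha256sum are installed; the hash-file layout "<hex>  <name>" is an assumption, and the function names, return codes and all sample data are mine.

```shell
#!/bin/sh
# Added example (not from the thread or from ASF): verify a release artifact
# against its detached .asc signature using only the keys in a KEYS file
# (e.g. office.asc), and require that the signing key be the one whose
# fingerprint the verifier obtained from an independent location.
# Assumes GnuPG 2.1+ and sha256sum; hash-file format "<hex>  <name>" assumed.

# verify_release KEYS ARTIFACT SIGNATURE EXPECTED_FPR
#   0 = good signature made by EXPECTED_FPR
#   1 = no/bad signature, or signed by a key that is not in KEYS
#   2 = KEYS could not be imported
#   3 = good signature, but made by a different key from KEYS
verify_release() {
  keys=$1; artifact=$2; sig=$3; expected_fpr=$4
  ring=$(mktemp -d) || return 2
  # Isolated keyring: only keys from KEYS can satisfy the check, never a key
  # that the user's own keyring or a key server happens to hold.
  gpg --homedir "$ring" --batch --quiet --import "$keys" 2>/dev/null \
    || { rm -rf "$ring"; return 2; }
  rc=0
  # --status-fd 1 gives machine-readable lines; the VALIDSIG line ends with
  # the fingerprint of the primary key that made the signature.
  status=$(gpg --homedir "$ring" --batch --status-fd 1 \
               --verify "$sig" "$artifact" 2>/dev/null) || rc=$?
  rm -rf "$ring"
  [ "$rc" -eq 0 ] || return 1
  actual=$(printf '%s\n' "$status" \
           | awk '/^\[GNUPG:\] VALIDSIG /{print $NF; exit}')
  # KEYS holds every committer's key, so a good signature alone only proves
  # "some committer signed this"; pin the fingerprint obtained out of band.
  [ -n "$actual" ] && [ "$actual" = "$expected_fpr" ] || return 3
  return 0
}

# check_sha256 ARTIFACT HASHFILE
#   0 if the SHA-256 of ARTIFACT equals the first field of HASHFILE.
# A hash only ties the download to the hash file; it says nothing about who
# produced the release, which is what the signature check above is for.
check_sha256() {
  expected=$(awk 'NR==1{print tolower($1)}' "$2")
  actual=$(sha256sum "$1" | awk '{print $1}')
  [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Usage: sh verify_release.sh KEYS ARTIFACT ARTIFACT.asc EXPECTED_FINGERPRINT
if [ "$#" -eq 4 ]; then
  rc=0; verify_release "$@" || rc=$?
  case $rc in
    0) echo "GOOD: signed by $4" ;;
    3) echo "REJECT: valid signature, but not by the expected key $4" ;;
    *) echo "REJECT: bad signature or KEYS unusable (rc=$rc)" ;;
  esac
  exit $rc
fi
```

The two failure modes worth noticing are distinct: a tampered artifact fails outright (return 1), while an artifact carrying a perfectly valid signature from a different committer in office.asc is rejected with return 3. The second case is exactly what "import all committer keys, then verify" cannot catch on its own.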
