On Dec 18, 2007, at 19:01, Craig L Russell wrote:
> > > 4. The release bundles need to be signed with a release-signing
> > > GPG key. See http://wiki.apache.org/jdo/KeysAtApache
> >
> > I've been working on this task. I had planned on using GNU Privacy
> > Guard (GPG) to sign the bundles, but building GPG and its dependent
> > libraries proved to be a problem on Solaris (libassuan in
> > particular), so I'm considering jarsigner and keytool, which are
> > included in the JDK and readily accessible to all. Please let me
> > know if there's any reason why I should avoid jarsigner or,
> > alternatively, why I should strive to utilize GPG.
>
> The jarsigner is a different functionality from GPG signatures. If
> I'm not mistaken, jarsigner allows you to sign jars, while GPG
> allows you to sign binary files.

While jarsigner supposedly allows one to sign zip files as well as
jars, I suppose we might need to sign other binary types at some point.

> The GPG tool really does need to be investigated and used to sign
> Apache releases. GPG keys are cross-signed by other Apache release
> managers and the keys are part of the Apache web of trust.

I was under the impression that GPG is only a recommendation and not a
requirement. I'm certainly not the expert here, so I'm eager to
receive opinions from those with experience in this area. I'll try
again to get GPG running on my end.

> Are you sure there isn't a binary of GPG available for Solaris?

I believe I've found one at http://www.sunfreeware.com, but I need to
test it. I'm also a bit hesitant to use GPG from an unknown origin.

Thanks for your comments, Craig.

Frank

> Craig

I plan to post a new set of release-candidate bundles tomorrow, so
please post your comments as soon as possible.

Frank
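The release-signing step this thread is about, as an added example that is not code from the JDO project, from Craig or from Frank: a POSIX shell script that creates a throwaway signing key in an isolated GNUPGHOME, exports its public half as a KEYS file, writes the detached armored .asc signature for a bundle, verifies that signature from a second, empty keyring seeded only from KEYS (what a downloader does), and shows that a bundle modified after signing is rejected. The key identity, the bundle name and the KEYS path are constructed for the example; it assumes GnuPG 2.x is on PATH as gpg.

```shell
#!/bin/sh
# Added example for the JDO release-signing discussion; not project code.
# Assumptions: GnuPG 2.x is on PATH as `gpg`. Everything below happens in a
# scratch directory with a constructed key, bundle and KEYS file, so no real
# key or release is touched.
set -eu

command -v gpg >/dev/null 2>&1 || { echo "gpg not on PATH; nothing to demonstrate" >&2; exit 0; }

WORK="${TMPDIR:-/tmp}/gpg-release-demo.$$"
SIGNER_HOME="$WORK/release-manager"   # keyring holding the private signing key
VERIFIER_HOME="$WORK/downloader"      # fresh keyring seeded only from KEYS
SIGNER_UID='Release Demo <release-demo@example.invalid>'   # constructed identity
BUNDLE="$WORK/jdo-api-demo.tar.gz"    # hypothetical bundle name
KEYS="$WORK/KEYS"

mkdir -p "$SIGNER_HOME" "$VERIFIER_HOME"
chmod 700 "$SIGNER_HOME" "$VERIFIER_HOME"

cleanup() {
    # Stop the agents gpg started for the two homes, then drop the scratch dir.
    for h in "$SIGNER_HOME" "$VERIFIER_HOME"; do
        GNUPGHOME="$h" gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    done
    rm -rf "$WORK"
}
trap cleanup EXIT

# 1. Release manager: create a signing-only key, non-interactively, no passphrase.
make_test_key() {
    GNUPGHOME="$SIGNER_HOME" gpg --batch --quiet --pinentry-mode loopback \
        --passphrase '' --quick-generate-key "$SIGNER_UID" rsa2048 sign never
}

# 2. Publish the public key the way Apache projects publish a KEYS file.
export_keys_file() {
    GNUPGHOME="$SIGNER_HOME" gpg --batch --armor --export "$SIGNER_UID" > "$KEYS"
}

# 3. Sign the bundle: detached signature (bundle.asc beside the bundle), armored.
sign_bundle() {
    GNUPGHOME="$SIGNER_HOME" gpg --batch --yes --armor --detach-sign \
        --local-user "$SIGNER_UID" "$1"
}

# 4. Downloader: import KEYS into an otherwise empty keyring, then verify the
#    detached signature against the bundle. Exit status 0 only for a good
#    signature made by a key present in KEYS.
verify_bundle() {
    GNUPGHOME="$VERIFIER_HOME" gpg --batch --quiet --import "$2"
    GNUPGHOME="$VERIFIER_HOME" gpg --batch --verify "$1.asc" "$1"
}

# 5. Negative case: a bundle altered after signing must fail verification even
#    though its .asc still comes from a key in KEYS.
tampered_bundle_is_rejected() {
    cp "$BUNDLE" "$WORK/tampered.tar.gz"
    cp "$BUNDLE.asc" "$WORK/tampered.tar.gz.asc"
    printf 'x' >> "$WORK/tampered.tar.gz"
    if verify_bundle "$WORK/tampered.tar.gz" "$KEYS" 2>/dev/null; then
        return 1   # verification wrongly succeeded
    fi
    return 0
}

demo() {
    printf 'constructed stand-in for a release tarball\n' > "$BUNDLE"
    make_test_key
    export_keys_file
    sign_bundle "$BUNDLE"
    verify_bundle "$BUNDLE" "$KEYS"
    tampered_bundle_is_rejected
}

demo && echo "good signature verified; tampered copy rejected"
```

gpg --verify accepts a signature from any key in the imported KEYS file and only warns that the key is not certified, so the script proves integrity, not authorship. The web of trust mentioned above is what closes that gap for a real release: the downloader must fetch KEYS from a trusted location and can check the signing key's cross-signatures by other release managers before trusting it.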