[jira] [Commented] (NIFI-2112) Perform Release Management Functions for 0.7.0
[ https://issues.apache.org/jira/browse/NIFI-2112?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16540574#comment-16540574 ]
ASF GitHub Bot commented on NIFI-2112:
--
Github user andrewmlim commented on a diff in the pull request:
https://github.com/apache/nifi-site/pull/27#discussion_r201812727
--- Diff: src/pages/markdown/gpg.md ---
@@ -0,0 +1,524 @@ +--- +title: GPG (Gnu Privacy Guard / Open PGP) Signatures +--- + +# Apache NiFi Release Signatures and Code Signing + +The purpose of this document is to capture and describe the steps involved in generating and verifying cryptographic signatures of official releases of Apache NiFi, as well as configuring cryptographic signatures of individual code commits. It is written for contributors, committers, and users of Apache NiFi (and related applications). + +## Table of Contents + * [The Objective](#the-objective) + * [Background Material](#background-material) + * [Terms](#terms) + * [Variable Reference Substitutions](#variable-reference-substitutions) + * [Download GPG](#download-gpg) + * [Set up a GPG key](#set-up-a-gpg-key) + * [Sign your GPG key](#sign-your-gpg-key) + * [Publish your key](#publish-your-key) + * [Import another GPG key](#import-another-gpg-key) + * [Verify a key](#verify-a-key) + * [Sign an external key](#sign-an-external-key) + * [Web of trust](#web-of-trust) + * [Set up git with your key](#set-up-git-with-your-key) + * [Signing code](#signing-code) + * [Verifying a signature](#verifying-a-signature) + * [Set up GitHub with your key](#set-up-github-with-your-key) + * [Signing a release artifact](#signing-a-release-artifact) + * [Verifying a release signature](#verifying-a-release-signature) + +## The Objective + +Our aim is to instruct users on how to sign their commits, verify other's signatures, and do the same for official releases of Apache NiFi. 
+ +## Background Material + + - These documents are helpful for general environmental setup to perform GPG signing and signature verification +- [Apache PGP Info][apache-pgp] +- [Apache Release Signing][apache-release-signing] +- [Git Ready: Signing Releases with GPG][git-sign-tag-instructs] +- [RFC 4880: IETF Standard Spec for OpenPGP][rfc-4880] +- [GitHub Blog: GPG Signature Verification][github-gpg-signing] +- [Git Ready: gpg-sign releases][git-sign-tag-instructs] +- [GitHub Help: Signing Commits Using GPG][github-help-gpg] +- [GitHub Help: Telling Git About Your GPG Key][git-config-gpg] +- [Git Docs: Git Tools Signing Your Work][git-gpg] +- [PGP Web of Trust][web-of-trust] + +## Terms + + * **Asymmetric Cryptography** - a type of cryptography which relies on *key pairs* -- a *public* and *private* key which are mathematically-related such that no other component key matches. This cryptography offers the following actions: **encrypt**, **decrypt**, **sign**, and **verify** + * **Cryptographic Signature** - a series of bytes which are the result of a signing operation such that only the possessor of a specific private key could have generated this signature. A valid signature indicates that the possessor of said key performed the operation (non-repudiable) + +## Variable Reference Substitutions + +Throughout this guide, references must be made to names and values that will vary from release to release. For clarity +those variable values have been written like Bash variable references. When a term like +"```/tmp/src/nifi-${NIFI_VERSION}```" is seen in an instruction or email template it should be replaced with +"```/tmp/src/nifi-1.7.0```" when working the release of "Apache NiFi 1.7.0". + + * Substitutions used in tasks and email templates + +ReferenceExample value Description +=== === +${BRANCH}master the development branch on which the release is based. +${NIFI_VERSION} 1.7.0 the version currently in development on the release branch. 
+${NEXT_VERSION} 1.8.0-SNAPSHOT the future version for development on the release branch. +${JIRA_TICKET} NIFI-2112 the JIRA ticket created by the release manager for the release tasks. +${RC}2 the Release Candidate index start at 1 for the first release candidate. +${RC_TAG_COMMIT_ID} the 40 byte commit ID of the RC tag created during the Maven release process. +${STAGING_REPO_ID} orgapachenifi-1088 the temporary repository ID where staged artifacts have been placed.
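Review bot: In the substitutions table, the `${RC_TAG_COMMIT_ID}` row describes "the 40 byte commit ID", which is ambiguous: a Git commit ID is a 20-byte SHA-1 hash written as 40 hexadecimal characters, so "40-character" would be clearer. This is also the only row with no example value; an obviously fake sample would keep the columns aligned with the other rows. In the `${RC}` row, "index start at 1" should read "index, starting at 1".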
[jira] [Commented] (NIFI-2112) Perform Release Management Functions for 0.7.0
[ https://issues.apache.org/jira/browse/NIFI-2112?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16540569#comment-16540569 ]
ASF GitHub Bot commented on NIFI-2112:
--
Github user andrewmlim commented on a diff in the pull request:
https://github.com/apache/nifi-site/pull/27#discussion_r201812213
--- Diff: src/pages/markdown/gpg.md ---
@@ -0,0 +1,524 @@ +--- +title: GPG (Gnu Privacy Guard / Open PGP) Signatures +--- + +# Apache NiFi Release Signatures and Code Signing + +The purpose of this document is to capture and describe the steps involved in generating and verifying cryptographic signatures of official releases of Apache NiFi, as well as configuring cryptographic signatures of individual code commits. It is written for contributors, committers, and users of Apache NiFi (and related applications). + +## Table of Contents + * [The Objective](#the-objective) + * [Background Material](#background-material) + * [Terms](#terms) + * [Variable Reference Substitutions](#variable-reference-substitutions) + * [Download GPG](#download-gpg) + * [Set up a GPG key](#set-up-a-gpg-key) + * [Sign your GPG key](#sign-your-gpg-key) + * [Publish your key](#publish-your-key) + * [Import another GPG key](#import-another-gpg-key) + * [Verify a key](#verify-a-key) + * [Sign an external key](#sign-an-external-key) + * [Web of trust](#web-of-trust) + * [Set up git with your key](#set-up-git-with-your-key) + * [Signing code](#signing-code) + * [Verifying a signature](#verifying-a-signature) + * [Set up GitHub with your key](#set-up-github-with-your-key) + * [Signing a release artifact](#signing-a-release-artifact) + * [Verifying a release signature](#verifying-a-release-signature) + +## The Objective + +Our aim is to instruct users on how to sign their commits, verify other's signatures, and do the same for official releases of Apache NiFi. 
+ +## Background Material + + - These documents are helpful for general environmental setup to perform GPG signing and signature verification +- [Apache PGP Info][apache-pgp] +- [Apache Release Signing][apache-release-signing] +- [Git Ready: Signing Releases with GPG][git-sign-tag-instructs] +- [RFC 4880: IETF Standard Spec for OpenPGP][rfc-4880] +- [GitHub Blog: GPG Signature Verification][github-gpg-signing] +- [Git Ready: gpg-sign releases][git-sign-tag-instructs] +- [GitHub Help: Signing Commits Using GPG][github-help-gpg] +- [GitHub Help: Telling Git About Your GPG Key][git-config-gpg] +- [Git Docs: Git Tools Signing Your Work][git-gpg] +- [PGP Web of Trust][web-of-trust] + +## Terms + + * **Asymmetric Cryptography** - a type of cryptography which relies on *key pairs* -- a *public* and *private* key which are mathematically-related such that no other component key matches. This cryptography offers the following actions: **encrypt**, **decrypt**, **sign**, and **verify** + * **Cryptographic Signature** - a series of bytes which are the result of a signing operation such that only the possessor of a specific private key could have generated this signature. A valid signature indicates that the possessor of said key performed the operation (non-repudiable) + +## Variable Reference Substitutions + +Throughout this guide, references must be made to names and values that will vary from release to release. For clarity +those variable values have been written like Bash variable references. When a term like +"```/tmp/src/nifi-${NIFI_VERSION}```" is seen in an instruction or email template it should be replaced with +"```/tmp/src/nifi-1.7.0```" when working the release of "Apache NiFi 1.7.0". + + * Substitutions used in tasks and email templates + +ReferenceExample value Description +=== === +${BRANCH}master the development branch on which the release is based. +${NIFI_VERSION} 1.7.0 the version currently in development on the release branch. 
+${NEXT_VERSION} 1.8.0-SNAPSHOT the future version for development on the release branch. +${JIRA_TICKET} NIFI-2112 the JIRA ticket created by the release manager for the release tasks. +${RC}2 the Release Candidate index start at 1 for the first release candidate. +${RC_TAG_COMMIT_ID} the 40 byte commit ID of the RC tag created during the Maven release process. +${STAGING_REPO_ID} orgapachenifi-1088 the temporary repository ID where staged artifacts have been placed.
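Review bot: In the Terms section, the "Cryptographic Signature" entry says a valid signature "indicates that the possessor of said key performed the operation (non-repudiable)" but does not say that this identifies only the key, not the person. Suggest adding a sentence that tying the key to its owner depends on the steps in "Verify a key" and "Web of trust", both listed in the table of contents. In the "Asymmetric Cryptography" entry, "such that no other component key matches" is hard to parse and could be reworded to say that each public key corresponds to exactly one private key. Both entries are also missing a final period.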
[jira] [Commented] (NIFI-2112) Perform Release Management Functions for 0.7.0
[ https://issues.apache.org/jira/browse/NIFI-2112?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16540560#comment-16540560 ]
ASF GitHub Bot commented on NIFI-2112:
--
Github user andrewmlim commented on a diff in the pull request:
https://github.com/apache/nifi-site/pull/27#discussion_r201810673
--- Diff: src/pages/markdown/gpg.md ---
@@ -0,0 +1,524 @@ +--- +title: GPG (Gnu Privacy Guard / Open PGP) Signatures +--- + +# Apache NiFi Release Signatures and Code Signing + +The purpose of this document is to capture and describe the steps involved in generating and verifying cryptographic signatures of official releases of Apache NiFi, as well as configuring cryptographic signatures of individual code commits. It is written for contributors, committers, and users of Apache NiFi (and related applications). + +## Table of Contents + * [The Objective](#the-objective) + * [Background Material](#background-material) + * [Terms](#terms) + * [Variable Reference Substitutions](#variable-reference-substitutions) + * [Download GPG](#download-gpg) + * [Set up a GPG key](#set-up-a-gpg-key) + * [Sign your GPG key](#sign-your-gpg-key) + * [Publish your key](#publish-your-key) + * [Import another GPG key](#import-another-gpg-key) + * [Verify a key](#verify-a-key) + * [Sign an external key](#sign-an-external-key) + * [Web of trust](#web-of-trust) + * [Set up git with your key](#set-up-git-with-your-key) + * [Signing code](#signing-code) + * [Verifying a signature](#verifying-a-signature) + * [Set up GitHub with your key](#set-up-github-with-your-key) + * [Signing a release artifact](#signing-a-release-artifact) + * [Verifying a release signature](#verifying-a-release-signature) + +## The Objective + +Our aim is to instruct users on how to sign their commits, verify other's signatures, and do the same for official releases of Apache NiFi. 
+ +## Background Material + + - These documents are helpful for general environmental setup to perform GPG signing and signature verification +- [Apache PGP Info][apache-pgp] +- [Apache Release Signing][apache-release-signing] +- [Git Ready: Signing Releases with GPG][git-sign-tag-instructs] +- [RFC 4880: IETF Standard Spec for OpenPGP][rfc-4880] +- [GitHub Blog: GPG Signature Verification][github-gpg-signing] +- [Git Ready: gpg-sign releases][git-sign-tag-instructs] +- [GitHub Help: Signing Commits Using GPG][github-help-gpg] +- [GitHub Help: Telling Git About Your GPG Key][git-config-gpg] +- [Git Docs: Git Tools Signing Your Work][git-gpg] +- [PGP Web of Trust][web-of-trust] + +## Terms + + * **Asymmetric Cryptography** - a type of cryptography which relies on *key pairs* -- a *public* and *private* key which are mathematically-related such that no other component key matches. This cryptography offers the following actions: **encrypt**, **decrypt**, **sign**, and **verify** + * **Cryptographic Signature** - a series of bytes which are the result of a signing operation such that only the possessor of a specific private key could have generated this signature. A valid signature indicates that the possessor of said key performed the operation (non-repudiable) + +## Variable Reference Substitutions + +Throughout this guide, references must be made to names and values that will vary from release to release. For clarity +those variable values have been written like Bash variable references. When a term like +"```/tmp/src/nifi-${NIFI_VERSION}```" is seen in an instruction or email template it should be replaced with +"```/tmp/src/nifi-1.7.0```" when working the release of "Apache NiFi 1.7.0". + + * Substitutions used in tasks and email templates + +ReferenceExample value Description +=== === +${BRANCH}master the development branch on which the release is based. +${NIFI_VERSION} 1.7.0 the version currently in development on the release branch. 
+${NEXT_VERSION} 1.8.0-SNAPSHOT the future version for development on the release branch. +${JIRA_TICKET} NIFI-2112 the JIRA ticket created by the release manager for the release tasks. +${RC}2 the Release Candidate index start at 1 for the first release candidate. +${RC_TAG_COMMIT_ID} the 40 byte commit ID of the RC tag created during the Maven release process. +${STAGING_REPO_ID} orgapachenifi-1088 the temporary repository ID where staged artifacts have been placed.
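Review bot: In Background Material, two entries use the same reference label: "[Git Ready: Signing Releases with GPG][git-sign-tag-instructs]" and "[Git Ready: gpg-sign releases][git-sign-tag-instructs]" will resolve to one target, so one of them is redundant or needs its own label. The first item, "These documents are helpful for general environmental setup ...", is an introductory sentence rather than a link and is indented differently from the rest of the list; it would read better as a plain paragraph above the list.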
[jira] [Commented] (NIFI-2112) Perform Release Management Functions for 0.7.0
[ https://issues.apache.org/jira/browse/NIFI-2112?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16540559#comment-16540559 ]
ASF GitHub Bot commented on NIFI-2112:
--
Github user andrewmlim commented on a diff in the pull request:
https://github.com/apache/nifi-site/pull/27#discussion_r201810221
--- Diff: src/pages/markdown/gpg.md ---
@@ -0,0 +1,524 @@ +--- +title: GPG (Gnu Privacy Guard / Open PGP) Signatures +--- + +# Apache NiFi Release Signatures and Code Signing + +The purpose of this document is to capture and describe the steps involved in generating and verifying cryptographic signatures of official releases of Apache NiFi, as well as configuring cryptographic signatures of individual code commits. It is written for contributors, committers, and users of Apache NiFi (and related applications). + +## Table of Contents + * [The Objective](#the-objective) + * [Background Material](#background-material) + * [Terms](#terms) + * [Variable Reference Substitutions](#variable-reference-substitutions) + * [Download GPG](#download-gpg) + * [Set up a GPG key](#set-up-a-gpg-key) + * [Sign your GPG key](#sign-your-gpg-key) + * [Publish your key](#publish-your-key) + * [Import another GPG key](#import-another-gpg-key) + * [Verify a key](#verify-a-key) + * [Sign an external key](#sign-an-external-key) + * [Web of trust](#web-of-trust) + * [Set up git with your key](#set-up-git-with-your-key) + * [Signing code](#signing-code) + * [Verifying a signature](#verifying-a-signature) + * [Set up GitHub with your key](#set-up-github-with-your-key) + * [Signing a release artifact](#signing-a-release-artifact) + * [Verifying a release signature](#verifying-a-release-signature) + +## The Objective + +Our aim is to instruct users on how to sign their commits, verify other's signatures, and do the same for official releases of Apache NiFi. 
+ +## Background Material + + - These documents are helpful for general environmental setup to perform GPG signing and signature verification +- [Apache PGP Info][apache-pgp] +- [Apache Release Signing][apache-release-signing] +- [Git Ready: Signing Releases with GPG][git-sign-tag-instructs] +- [RFC 4880: IETF Standard Spec for OpenPGP][rfc-4880] +- [GitHub Blog: GPG Signature Verification][github-gpg-signing] +- [Git Ready: gpg-sign releases][git-sign-tag-instructs] +- [GitHub Help: Signing Commits Using GPG][github-help-gpg] +- [GitHub Help: Telling Git About Your GPG Key][git-config-gpg] +- [Git Docs: Git Tools Signing Your Work][git-gpg] +- [PGP Web of Trust][web-of-trust] + +## Terms + + * **Asymmetric Cryptography** - a type of cryptography which relies on *key pairs* -- a *public* and *private* key which are mathematically-related such that no other component key matches. This cryptography offers the following actions: **encrypt**, **decrypt**, **sign**, and **verify** + * **Cryptographic Signature** - a series of bytes which are the result of a signing operation such that only the possessor of a specific private key could have generated this signature. A valid signature indicates that the possessor of said key performed the operation (non-repudiable) + +## Variable Reference Substitutions + +Throughout this guide, references must be made to names and values that will vary from release to release. For clarity +those variable values have been written like Bash variable references. When a term like +"```/tmp/src/nifi-${NIFI_VERSION}```" is seen in an instruction or email template it should be replaced with +"```/tmp/src/nifi-1.7.0```" when working the release of "Apache NiFi 1.7.0". + + * Substitutions used in tasks and email templates + +ReferenceExample value Description +=== === +${BRANCH}master the development branch on which the release is based. +${NIFI_VERSION} 1.7.0 the version currently in development on the release branch. 
+${NEXT_VERSION} 1.8.0-SNAPSHOT the future version for development on the release branch. +${JIRA_TICKET} NIFI-2112 the JIRA ticket created by the release manager for the release tasks. +${RC}2 the Release Candidate index start at 1 for the first release candidate. +${RC_TAG_COMMIT_ID} the 40 byte commit ID of the RC tag created during the Maven release process. +${STAGING_REPO_ID} orgapachenifi-1088 the temporary repository ID where staged artifacts have been placed.
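Review bot: The front-matter title "GPG (Gnu Privacy Guard / Open PGP) Signatures" misspells both names: it should be "GNU Privacy Guard" and "OpenPGP", the latter matching the spelling already used in the Background Material entry "RFC 4880: IETF Standard Spec for OpenPGP". In "The Objective", "verify other's signatures" should be "verify others' signatures".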
[jira] [Commented] (NIFI-2112) Perform Release Management Functions for 0.7.0
[ https://issues.apache.org/jira/browse/NIFI-2112?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16540545#comment-16540545 ]
ASF GitHub Bot commented on NIFI-2112:
--
Github user andrewmlim commented on a diff in the pull request:
https://github.com/apache/nifi-site/pull/27#discussion_r201807293
--- Diff: src/pages/markdown/gpg.md ---
@@ -0,0 +1,524 @@ +--- +title: GPG (Gnu Privacy Guard / Open PGP) Signatures +--- + +# Apache NiFi Release Signatures and Code Signing + +The purpose of this document is to capture and describe the steps involved in generating and verifying cryptographic signatures of official releases of Apache NiFi, as well as configuring cryptographic signatures of individual code commits. It is written for contributors, committers, and users of Apache NiFi (and related applications). + +## Table of Contents + * [The Objective](#the-objective) + * [Background Material](#background-material) + * [Terms](#terms) + * [Variable Reference Substitutions](#variable-reference-substitutions) + * [Download GPG](#download-gpg) + * [Set up a GPG key](#set-up-a-gpg-key) + * [Sign your GPG key](#sign-your-gpg-key) + * [Publish your key](#publish-your-key) + * [Import another GPG key](#import-another-gpg-key) + * [Verify a key](#verify-a-key) + * [Sign an external key](#sign-an-external-key) + * [Web of trust](#web-of-trust) + * [Set up git with your key](#set-up-git-with-your-key) + * [Signing code](#signing-code) + * [Verifying a signature](#verifying-a-signature) + * [Set up GitHub with your key](#set-up-github-with-your-key) + * [Signing a release artifact](#signing-a-release-artifact) + * [Verifying a release signature](#verifying-a-release-signature) + +## The Objective + +Our aim is to instruct users on how to sign their commits, verify other's signatures, and do the same for official releases of Apache NiFi. 
+ +## Background Material + + - These documents are helpful for general environmental setup to perform GPG signing and signature verification +- [Apache PGP Info][apache-pgp] +- [Apache Release Signing][apache-release-signing] +- [Git Ready: Signing Releases with GPG][git-sign-tag-instructs] +- [RFC 4880: IETF Standard Spec for OpenPGP][rfc-4880] +- [GitHub Blog: GPG Signature Verification][github-gpg-signing] +- [Git Ready: gpg-sign releases][git-sign-tag-instructs] +- [GitHub Help: Signing Commits Using GPG][github-help-gpg] +- [GitHub Help: Telling Git About Your GPG Key][git-config-gpg] +- [Git Docs: Git Tools Signing Your Work][git-gpg] +- [PGP Web of Trust][web-of-trust] + +## Terms + + * **Asymmetric Cryptography** - a type of cryptography which relies on *key pairs* -- a *public* and *private* key which are mathematically-related such that no other component key matches. This cryptography offers the following actions: **encrypt**, **decrypt**, **sign**, and **verify** + * **Cryptographic Signature** - a series of bytes which are the result of a signing operation such that only the possessor of a specific private key could have generated this signature. A valid signature indicates that the possessor of said key performed the operation (non-repudiable) + +## Variable Reference Substitutions + +Throughout this guide, references must be made to names and values that will vary from release to release. For clarity +those variable values have been written like Bash variable references. When a term like +"```/tmp/src/nifi-${NIFI_VERSION}```" is seen in an instruction or email template it should be replaced with +"```/tmp/src/nifi-1.7.0```" when working the release of "Apache NiFi 1.7.0". + + * Substitutions used in tasks and email templates + +ReferenceExample value Description +=== === +${BRANCH}master the development branch on which the release is based. +${NIFI_VERSION} 1.7.0 the version currently in development on the release branch. 
+${NEXT_VERSION} 1.8.0-SNAPSHOT the future version for development on the release branch. +${JIRA_TICKET} NIFI-2112 the JIRA ticket created by the release manager for the release tasks. +${RC}2 the Release Candidate index start at 1 for the first release candidate. +${RC_TAG_COMMIT_ID} the 40 byte commit ID of the RC tag created during the Maven release process. +${STAGING_REPO_ID} orgapachenifi-1088 the temporary repository ID where staged artifacts have been placed.
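Review bot: In the opening paragraph of Variable Reference Substitutions, the inline paths are wrapped in triple backticks and then in double quotes, as in the "/tmp/src/nifi-${NIFI_VERSION}" example; single backticks without the quotes are the usual Markdown form for inline code. This paragraph is also hard-wrapped mid-sentence while the earlier paragraphs are one line each, so the wrapping should be made consistent.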
[jira] [Commented] (NIFI-2112) Perform Release Management Functions for 0.7.0
[ https://issues.apache.org/jira/browse/NIFI-2112?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16540537#comment-16540537 ]
ASF GitHub Bot commented on NIFI-2112:
--
Github user andrewmlim commented on a diff in the pull request:
https://github.com/apache/nifi-site/pull/27#discussion_r201806357
--- Diff: src/pages/markdown/gpg.md ---
@@ -0,0 +1,524 @@ +--- +title: GPG (Gnu Privacy Guard / Open PGP) Signatures +--- + +# Apache NiFi Release Signatures and Code Signing + +The purpose of this document is to capture and describe the steps involved in generating and verifying cryptographic signatures of official releases of Apache NiFi, as well as configuring cryptographic signatures of individual code commits. It is written for contributors, committers, and users of Apache NiFi (and related applications). + +## Table of Contents + * [The Objective](#the-objective) + * [Background Material](#background-material) + * [Terms](#terms) + * [Variable Reference Substitutions](#variable-reference-substitutions) + * [Download GPG](#download-gpg) + * [Set up a GPG key](#set-up-a-gpg-key) + * [Sign your GPG key](#sign-your-gpg-key) + * [Publish your key](#publish-your-key) + * [Import another GPG key](#import-another-gpg-key) + * [Verify a key](#verify-a-key) + * [Sign an external key](#sign-an-external-key) + * [Web of trust](#web-of-trust) + * [Set up git with your key](#set-up-git-with-your-key) + * [Signing code](#signing-code) + * [Verifying a signature](#verifying-a-signature) + * [Set up GitHub with your key](#set-up-github-with-your-key) + * [Signing a release artifact](#signing-a-release-artifact) + * [Verifying a release signature](#verifying-a-release-signature) + +## The Objective + +Our aim is to instruct users on how to sign their commits, verify other's signatures, and do the same for official releases of Apache NiFi. 
+ +## Background Material + + - These documents are helpful for general environmental setup to perform GPG signing and signature verification +- [Apache PGP Info][apache-pgp] +- [Apache Release Signing][apache-release-signing] +- [Git Ready: Signing Releases with GPG][git-sign-tag-instructs] +- [RFC 4880: IETF Standard Spec for OpenPGP][rfc-4880] +- [GitHub Blog: GPG Signature Verification][github-gpg-signing] +- [Git Ready: gpg-sign releases][git-sign-tag-instructs] +- [GitHub Help: Signing Commits Using GPG][github-help-gpg] +- [GitHub Help: Telling Git About Your GPG Key][git-config-gpg] +- [Git Docs: Git Tools Signing Your Work][git-gpg] +- [PGP Web of Trust][web-of-trust] + +## Terms + + * **Asymmetric Cryptography** - a type of cryptography which relies on *key pairs* -- a *public* and *private* key which are mathematically-related such that no other component key matches. This cryptography offers the following actions: **encrypt**, **decrypt**, **sign**, and **verify** + * **Cryptographic Signature** - a series of bytes which are the result of a signing operation such that only the possessor of a specific private key could have generated this signature. A valid signature indicates that the possessor of said key performed the operation (non-repudiable) + +## Variable Reference Substitutions + +Throughout this guide, references must be made to names and values that will vary from release to release. For clarity +those variable values have been written like Bash variable references. When a term like +"```/tmp/src/nifi-${NIFI_VERSION}```" is seen in an instruction or email template it should be replaced with +"```/tmp/src/nifi-1.7.0```" when working the release of "Apache NiFi 1.7.0". + + * Substitutions used in tasks and email templates + +ReferenceExample value Description +=== === +${BRANCH}master the development branch on which the release is based. +${NIFI_VERSION} 1.7.0 the version currently in development on the release branch. 
+${NEXT_VERSION} 1.8.0-SNAPSHOT the future version for development on the release branch. +${JIRA_TICKET} NIFI-2112 the JIRA ticket created by the release manager for the release tasks. +${RC}2 the Release Candidate index start at 1 for the first release candidate. +${RC_TAG_COMMIT_ID} the 40 byte commit ID of the RC tag created during the Maven release process. +${STAGING_REPO_ID} orgapachenifi-1088 the temporary repository ID where staged artifacts have been placed.
[jira] [Commented] (NIFI-2112) Perform Release Management Functions for 0.7.0
[ https://issues.apache.org/jira/browse/NIFI-2112?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16540430#comment-16540430 ]
ASF GitHub Bot commented on NIFI-2112:
--
Github user andrewmlim commented on a diff in the pull request:
https://github.com/apache/nifi-site/pull/27#discussion_r201777645
--- Diff: src/pages/markdown/gpg.md ---
@@ -0,0 +1,524 @@ +--- +title: GPG (Gnu Privacy Guard / Open PGP) Signatures +--- + +# Apache NiFi Release Signatures and Code Signing + +The purpose of this document is to capture and describe the steps involved in generating and verifying cryptographic signatures of official releases of Apache NiFi, as well as configuring cryptographic signatures of individual code commits. It is written for contributors, committers, and users of Apache NiFi (and related applications). + +## Table of Contents + * [The Objective](#the-objective) + * [Background Material](#background-material) + * [Terms](#terms) + * [Variable Reference Substitutions](#variable-reference-substitutions) + * [Download GPG](#download-gpg) + * [Set up a GPG key](#set-up-a-gpg-key) + * [Sign your GPG key](#sign-your-gpg-key) + * [Publish your key](#publish-your-key) + * [Import another GPG key](#import-another-gpg-key) + * [Verify a key](#verify-a-key) + * [Sign an external key](#sign-an-external-key) + * [Web of trust](#web-of-trust) + * [Set up git with your key](#set-up-git-with-your-key) + * [Signing code](#signing-code) + * [Verifying a signature](#verifying-a-signature) + * [Set up GitHub with your key](#set-up-github-with-your-key) + * [Signing a release artifact](#signing-a-release-artifact) + * [Verifying a release signature](#verifying-a-release-signature) + +## The Objective + +Our aim is to instruct users on how to sign their commits, verify other's signatures, and do the same for official releases of Apache NiFi. 
+ +## Background Material + + - These documents are helpful for general environmental setup to perform GPG signing and signature verification +- [Apache PGP Info][apache-pgp] +- [Apache Release Signing][apache-release-signing] +- [Git Ready: Signing Releases with GPG][git-sign-tag-instructs] +- [RFC 4880: IETF Standard Spec for OpenPGP][rfc-4880] +- [GitHub Blog: GPG Signature Verification][github-gpg-signing] +- [Git Ready: gpg-sign releases][git-sign-tag-instructs] +- [GitHub Help: Signing Commits Using GPG][github-help-gpg] +- [GitHub Help: Telling Git About Your GPG Key][git-config-gpg] +- [Git Docs: Git Tools Signing Your Work][git-gpg] +- [PGP Web of Trust][web-of-trust] + +## Terms + + * **Asymmetric Cryptography** - a type of cryptography which relies on *key pairs* -- a *public* and *private* key which are mathematically-related such that no other component key matches. This cryptography offers the following actions: **encrypt**, **decrypt**, **sign**, and **verify** + * **Cryptographic Signature** - a series of bytes which are the result of a signing operation such that only the possessor of a specific private key could have generated this signature. A valid signature indicates that the possessor of said key performed the operation (non-repudiable) + +## Variable Reference Substitutions + +Throughout this guide, references must be made to names and values that will vary from release to release. For clarity +those variable values have been written like Bash variable references. When a term like +"```/tmp/src/nifi-${NIFI_VERSION}```" is seen in an instruction or email template it should be replaced with +"```/tmp/src/nifi-1.7.0```" when working the release of "Apache NiFi 1.7.0". + + * Substitutions used in tasks and email templates + +ReferenceExample value Description +=== === +${BRANCH}master the development branch on which the release is based. +${NIFI_VERSION} 1.7.0 the version currently in development on the release branch. 
+${NEXT_VERSION} 1.8.0-SNAPSHOT the future version for development on the release branch. +${JIRA_TICKET} NIFI-2112 the JIRA ticket created by the release manager for the release tasks. +${RC}2 the Release Candidate index start at 1 for the first release candidate. +${RC_TAG_COMMIT_ID} the 40 byte commit ID of the RC tag created during the Maven release process. +${STAGING_REPO_ID} orgapachenifi-1088 the temporary repository ID where staged artifacts have been placed.
[jira] [Commented] (NIFI-2112) Perform Release Management Functions for 0.7.0
[ https://issues.apache.org/jira/browse/NIFI-2112?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16540432#comment-16540432 ]
ASF GitHub Bot commented on NIFI-2112:
--
Github user andrewmlim commented on a diff in the pull request:
https://github.com/apache/nifi-site/pull/27#discussion_r20170
--- Diff: src/pages/markdown/gpg.md ---
@@ -0,0 +1,524 @@ +--- +title: GPG (Gnu Privacy Guard / Open PGP) Signatures +--- + +# Apache NiFi Release Signatures and Code Signing + +The purpose of this document is to capture and describe the steps involved in generating and verifying cryptographic signatures of official releases of Apache NiFi, as well as configuring cryptographic signatures of individual code commits. It is written for contributors, committers, and users of Apache NiFi (and related applications). + +## Table of Contents + * [The Objective](#the-objective) + * [Background Material](#background-material) + * [Terms](#terms) + * [Variable Reference Substitutions](#variable-reference-substitutions) + * [Download GPG](#download-gpg) + * [Set up a GPG key](#set-up-a-gpg-key) + * [Sign your GPG key](#sign-your-gpg-key) + * [Publish your key](#publish-your-key) + * [Import another GPG key](#import-another-gpg-key) + * [Verify a key](#verify-a-key) + * [Sign an external key](#sign-an-external-key) + * [Web of trust](#web-of-trust) + * [Set up git with your key](#set-up-git-with-your-key) + * [Signing code](#signing-code) + * [Verifying a signature](#verifying-a-signature) + * [Set up GitHub with your key](#set-up-github-with-your-key) + * [Signing a release artifact](#signing-a-release-artifact) + * [Verifying a release signature](#verifying-a-release-signature) + +## The Objective + +Our aim is to instruct users on how to sign their commits, verify other's signatures, and do the same for official releases of Apache NiFi. 
+ +## Background Material + + - These documents are helpful for general environmental setup to perform GPG signing and signature verification +- [Apache PGP Info][apache-pgp] +- [Apache Release Signing][apache-release-signing] +- [Git Ready: Signing Releases with GPG][git-sign-tag-instructs] +- [RFC 4880: IETF Standard Spec for OpenPGP][rfc-4880] +- [GitHub Blog: GPG Signature Verification][github-gpg-signing] +- [Git Ready: gpg-sign releases][git-sign-tag-instructs] +- [GitHub Help: Signing Commits Using GPG][github-help-gpg] +- [GitHub Help: Telling Git About Your GPG Key][git-config-gpg] +- [Git Docs: Git Tools Signing Your Work][git-gpg] +- [PGP Web of Trust][web-of-trust] + +## Terms + + * **Asymmetric Cryptography** - a type of cryptography which relies on *key pairs* -- a *public* and *private* key which are mathematically-related such that no other component key matches. This cryptography offers the following actions: **encrypt**, **decrypt**, **sign**, and **verify** + * **Cryptographic Signature** - a series of bytes which are the result of a signing operation such that only the possessor of a specific private key could have generated this signature. A valid signature indicates that the possessor of said key performed the operation (non-repudiable) + +## Variable Reference Substitutions + +Throughout this guide, references must be made to names and values that will vary from release to release. For clarity +those variable values have been written like Bash variable references. When a term like +"```/tmp/src/nifi-${NIFI_VERSION}```" is seen in an instruction or email template it should be replaced with +"```/tmp/src/nifi-1.7.0```" when working the release of "Apache NiFi 1.7.0". + + * Substitutions used in tasks and email templates + +ReferenceExample value Description +=== === +${BRANCH}master the development branch on which the release is based. +${NIFI_VERSION} 1.7.0 the version currently in development on the release branch. 
+${NEXT_VERSION} 1.8.0-SNAPSHOT the future version for development on the release branch. +${JIRA_TICKET} NIFI-2112 the JIRA ticket created by the release manager for the release tasks. +${RC}2 the Release Candidate index start at 1 for the first release candidate. +${RC_TAG_COMMIT_ID} the 40 byte commit ID of the RC tag created during the Maven release process. +${STAGING_REPO_ID} orgapachenifi-1088 the temporary repository ID where staged artifacts have been placed.
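Review bot: Under "Background Material", the entries "[Git Ready: Signing Releases with GPG][git-sign-tag-instructs]" and "[Git Ready: gpg-sign releases][git-sign-tag-instructs]" share one reference label, so both resolve to the same link; drop one of them or give the second its own link definition. The first bullet ("These documents are helpful for general environmental setup ...") is an introductory sentence, not a link, and is indented differently from the items after it; make it a plain paragraph above the list so the list renders at one level.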
[jira] [Commented] (NIFI-2112) Perform Release Management Functions for 0.7.0
[ https://issues.apache.org/jira/browse/NIFI-2112?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16540346#comment-16540346 ]

ASF GitHub Bot commented on NIFI-2112:
--

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi-site/pull/27#discussion_r201761256

--- Diff: src/pages/markdown/gpg.md ---
@@ -0,0 +1,524 @@ +--- +title: GPG (Gnu Privacy Guard / Open PGP) Signatures +--- + +# Apache NiFi Release Signatures and Code Signing + +The purpose of this document is to capture and describe the steps involved in generating and verifying cryptographic signatures of official releases of Apache NiFi, as well as configuring cryptographic signatures of individual code commits. It is written for contributors, committers, and users of Apache NiFi (and related applications). + +## Table of Contents + * [The Objective](#the-objective) + * [Background Material](#background-material) + * [Terms](#terms) + * [Variable Reference Substitutions](#variable-reference-substitutions) + * [Download GPG](#download-gpg) + * [Set up a GPG key](#set-up-a-gpg-key) + * [Sign your GPG key](#sign-your-gpg-key) + * [Publish your key](#publish-your-key) + * [Import another GPG key](#import-another-gpg-key) + * [Verify a key](#verify-a-key) + * [Sign an external key](#sign-an-external-key) + * [Web of trust](#web-of-trust) + * [Set up git with your key](#set-up-git-with-your-key) + * [Signing code](#signing-code) + * [Verifying a signature](#verifying-a-signature) + * [Set up GitHub with your key](#set-up-github-with-your-key) + * [Signing a release artifact](#signing-a-release-artifact) + * [Verifying a release signature](#verifying-a-release-signature) + +## The Objective + +Our aim is to instruct users on how to sign their commits, verify other's signatures, and do the same for official releases of Apache NiFi. 
+ +## Background Material + + - These documents are helpful for general environmental setup to perform GPG signing and signature verification +- [Apache PGP Info][apache-pgp] +- [Apache Release Signing][apache-release-signing] +- [Git Ready: Signing Releases with GPG][git-sign-tag-instructs] +- [RFC 4880: IETF Standard Spec for OpenPGP][rfc-4880] +- [GitHub Blog: GPG Signature Verification][github-gpg-signing] +- [Git Ready: gpg-sign releases][git-sign-tag-instructs] +- [GitHub Help: Signing Commits Using GPG][github-help-gpg] +- [GitHub Help: Telling Git About Your GPG Key][git-config-gpg] +- [Git Docs: Git Tools Signing Your Work][git-gpg] +- [PGP Web of Trust][web-of-trust] + +## Terms + + * **Asymmetric Cryptography** - a type of cryptography which relies on *key pairs* -- a *public* and *private* key which are mathematically-related such that no other component key matches. This cryptography offers the following actions: **encrypt**, **decrypt**, **sign**, and **verify** + * **Cryptographic Signature** - a series of bytes which are the result of a signing operation such that only the possessor of a specific private key could have generated this signature. A valid signature indicates that the possessor of said key performed the operation (non-repudiable) + +## Variable Reference Substitutions + +Throughout this guide, references must be made to names and values that will vary from release to release. For clarity +those variable values have been written like Bash variable references. When a term like +"```/tmp/src/nifi-${NIFI_VERSION}```" is seen in an instruction or email template it should be replaced with +"```/tmp/src/nifi-1.7.0```" when working the release of "Apache NiFi 1.7.0". + + * Substitutions used in tasks and email templates + +ReferenceExample value Description +=== === +${BRANCH}master the development branch on which the release is based. +${NIFI_VERSION} 1.7.0 the version currently in development on the release branch. 
+${NEXT_VERSION} 1.8.0-SNAPSHOT the future version for development on the release branch. +${JIRA_TICKET} NIFI-2112 the JIRA ticket created by the release manager for the release tasks. +${RC}2 the Release Candidate index start at 1 for the first release candidate. +${RC_TAG_COMMIT_ID} the 40 byte commit ID of the RC tag created during the Maven release process. +${STAGING_REPO_ID} orgapachenifi-1088 the temporary repository ID where staged artifacts have been placed.
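Review bot: In "Terms", the Cryptographic Signature entry states that a valid signature "indicates that the possessor of said key performed the operation (non-repudiable)", which is true only of whoever holds the private key and says nothing about who that is; suggest wording it as proof of possession of the private key and pointing to the "Verify a key" and "Web of trust" sections for binding a key to a person. In the Asymmetric Cryptography entry, "such that no other component key matches" is unclear and could be replaced with a statement that what one key of the pair signs or encrypts only the other can verify or decrypt. In "The Objective", "verify other's signatures" should be "verify others' signatures", and the front-matter title's "Gnu Privacy Guard / Open PGP" should match the "OpenPGP" spelling used in the RFC 4880 entry.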
[jira] [Commented] (NIFI-2112) Perform Release Management Functions for 0.7.0
[ https://issues.apache.org/jira/browse/NIFI-2112?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15373535#comment-15373535 ]

ASF subversion and git services commented on NIFI-2112:
---
Commit c6b0941de6764c67ec8f7fbfecb5fd47b33b4db7 in nifi's branch refs/heads/0.x from [~JPercivall]
[ https://git-wip-us.apache.org/repos/asf?p=nifi.git;h=c6b0941 ]

NIFI-2112-rc2 prepare for next development iteration

> Perform Release Management Functions for 0.7.0
> --
>
> Key: NIFI-2112
> URL: https://issues.apache.org/jira/browse/NIFI-2112
> Project: Apache NiFi
> Issue Type: Task
> Reporter: Joseph Percivall
> Assignee: Joseph Percivall
> Labels: release
> Fix For: 0.7.0

--
This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (NIFI-2112) Perform Release Management Functions for 0.7.0
[ https://issues.apache.org/jira/browse/NIFI-2112?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15369235#comment-15369235 ]

ASF subversion and git services commented on NIFI-2112:
---
Commit c6b0941de6764c67ec8f7fbfecb5fd47b33b4db7 in nifi's branch refs/heads/NIFI-2112-rc2 from [~JPercivall]
[ https://git-wip-us.apache.org/repos/asf?p=nifi.git;h=c6b0941 ]

NIFI-2112-rc2 prepare for next development iteration
[jira] [Commented] (NIFI-2112) Perform Release Management Functions for 0.7.0
[ https://issues.apache.org/jira/browse/NIFI-2112?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15369234#comment-15369234 ]

ASF subversion and git services commented on NIFI-2112:
---
Commit f5629062c5e2a6c55fb62255aee74c4f25d93e7b in nifi's branch refs/heads/NIFI-2112-rc2 from [~JPercivall]
[ https://git-wip-us.apache.org/repos/asf?p=nifi.git;h=f562906 ]

NIFI-2112-rc2 prepare release nifi-0.7.0-RC2