Hey everyone, I have a couple questions about verifying the tarballs I download for Zookeeper.
I don't see any listing of an official release manager identity and their pub key. Therefore, I don't know which key I should be getting to verify a signature against. Is there a list somewhere of the release manager identity. Ideally, I'd also be able to get the key from an Apache site protected by TLS (maybe even HTTPS). Am I just missing this info? If so, where is the info? Also, I don't see corresponding .asc signature files that can be used to verify the authenticity of the archives even if I did have a pub key. Are these located in some special location other than in the directories along side the released tarballs? Alternatively, is there a better way to retrieve crypto-secured releases than just downloading the release tarballs? Thanks, wt
