On 3/1/07, Eelco Hillenius <[EMAIL PROTECTED]> wrote:
...I haven't really got to the signing part and all yet; don't know how much work that is and how that all works...
See http://www.eu.apache.org/dev/release-signing.html - which is fairly detailed but signing files is quite easy once you have a PGP key:

  $ gpg --armor --output somefile.tar.gz.asc --detach-sign somefile.tar.gz

generates a signature of somefile.tar.gz in somefile.tar.gz.asc, and

  $ gpg --verify somefile.tar.gz.asc somefile.tar.gz

allows one to verify the signature.

BTW, for those who will be at ApacheCon, it'd be good to attend the PGP key signing "party" (usually announced a few days in advance on the committers@ list) and have your key signed by others, it helps build the ASF's web of trust for releases.

-Bertrand
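
The sign and verify commands from the message above, extended into an added example (not part of the original message) that also pins the signer's fingerprint, since `gpg --verify` succeeds for a good signature from any key in the keyring. It assumes GnuPG 2.1 or later; the function name `verify_release`, the throwaway key and the dummy file contents are constructed for illustration.

```shell
#!/bin/sh
# verify_release FILE SIG EXPECTED_FPR   (hypothetical helper name)
# Accept only if gpg reports a valid signature AND the signing key's
# primary fingerprint equals the one obtained out of band.
verify_release() {
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    fpr=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $NF; exit }')
    [ -n "$fpr" ] && [ "$fpr" = "$3" ]
}

# --- constructed demo: throwaway keyring, key and "release" file ---
GNUPGHOME=$(mktemp -d); export GNUPGHOME; chmod 700 "$GNUPGHOME"
WORK=$(mktemp -d)
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME" "$WORK"' EXIT

# Unprotected test key; a real release key would have a passphrase.
gpg --batch --quiet --passphrase '' --quick-generate-key \
    'Constructed Signer <signer@example.invalid>' default default never
FPR=$(gpg --batch --with-colons --list-keys |
    awk -F: '$1 == "fpr" { print $10; exit }')

# Same signing command as in the message, run non-interactively.
printf 'constructed release payload\n' > "$WORK/somefile.tar.gz"
gpg --batch --quiet --armor --output "$WORK/somefile.tar.gz.asc" \
    --detach-sign "$WORK/somefile.tar.gz"

verify_release "$WORK/somefile.tar.gz" "$WORK/somefile.tar.gz.asc" "$FPR" \
    && echo "genuine file, expected signer: accepted"

# A modified tarball must fail even though the .asc is untouched.
cp "$WORK/somefile.tar.gz" "$WORK/tampered.tar.gz"
printf 'x' >> "$WORK/tampered.tar.gz"
verify_release "$WORK/tampered.tar.gz" "$WORK/somefile.tar.gz.asc" "$FPR" \
    || echo "tampered file: rejected"

# A good signature checked against a different fingerprint must also fail.
verify_release "$WORK/somefile.tar.gz" "$WORK/somefile.tar.gz.asc" \
    0000000000000000000000000000000000000000 \
    || echo "valid signature, unexpected signer: rejected"
```

In real use the expected fingerprint comes from a source other than the download itself, for instance a key checked in person at a key signing.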
