db-jdo-commits mailing list archives

From Apache Wiki <wikidi...@apache.org>
Subject [Jdo Wiki] Update of "KeysAtApache" by MichelleCaisse
Date Thu, 15 Nov 2007 18:57:09 GMT
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Jdo Wiki" for change notification.

The following page has been changed by MichelleCaisse:

The comment on the change is:
Under construction!

New page:
'''Note: This page is under construction!!'''

'''Contents''' [[TableOfContents]]

= Overview =
To release software in an Apache project, you must sign the jars and other artifacts with
a PGP key.
When the artifacts are signed, users can verify that they were built by the signer
and have not been tampered with.

= Getting a key and having it signed =

These instructions assume that you will use the GNU Privacy Guard (gpg) software for creating and signing keys.
Follow these steps to obtain a key and have it signed.

 1. Download software for creating and signing keys
 1. Create your key. Note your key UID and fingerprint. You will need them later.
 1. Sign your own key
 1. Upload your key to the key server at http://pgp.mit.edu/
 1. Publish your key to the KEYS file
 1. Get your key signed and sign other peoples' keys.

== Using gpg to create and sign keys ==
    Create a key pair of type DSA, size 1024, for signing (the public key you will publish),
    with an ElGamal 4096-bit encryption subkey (private).

== Uploading your public key ==

== Getting your key signed ==
  * Individually
  * [http://wiki.apache.org/apachecon/PgpKeySigning Apache key-signing party]

== Signing other people's keys ==

= Signing a release with your key =

   * Publish your key to the KEYS file
   * Sign the release to create a detached signature file
   * Post the release and its signature to the distribution directory
   * Add a checksum file to the dist directory (optional)
   * Point to instructions on how to verify signatures

= Verifying a signed release =

Unless you verify the integrity of downloaded files using the PGP signature and/or the MD5
checksum, you cannot be sure of their authenticity. The checksum is not as strong an indicator
as the PGP signature is.

The PGP signatures can be verified using PGP or GPG. First download the KEYS file as well as the
.asc signature file for the particular distribution. Make sure you get these files from the
main distribution directory, rather than from a mirror. Then verify the signatures using one of:

{{{
% pgpk -a KEYS
% pgpv release_name.tar.gz.asc
}}}
or
{{{
% pgp -ka KEYS
% pgp release_name.tar.gz.asc
}}}
or
{{{
% gpg --import KEYS
% gpg --verify release_name.tar.gz.asc
}}}

Alternatively, you can verify the checksums on the files. Unix programs called md5/sha1 or
md5sum/sha1sum are included in many Unix distributions. *sum is also available as part of
GNU Textutils. Windows users can get binary md5 programs from http://www.fourmilab.ch/md5
and http://www.pc-tools.net/win32/freeware/console. Windows SlavaSoft fsum supports MD5 and

It is best to verify the PGP signature, though.
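The gpg procedure above, worked through as an added example (not part of the original wiki page): the KEYS file is imported into a throwaway keyring rather than ~/.gnupg, and a "Good signature" is accepted only if it was made by the fingerprint you expect, since gpg reports a good signature for any key present in KEYS. The function names, the `sha1sum` dependency and GnuPG 2.x are assumptions of this example.

```shell
#!/bin/sh
# Verify an Apache-style release as described on this page:
#  1. import the project's KEYS file into a throwaway keyring (never ~/.gnupg),
#  2. check the detached .asc signature over the tarball,
#  3. confirm the signer is the fingerprint you expect, not just "some key in KEYS".
# Assumes GnuPG 2.x and GNU coreutils sha1sum. Exit status: 0 good, 1 rejected, 2 usage/setup.
verify_release() {
  tarball=$1 sig=$2 keys=$3
  expected=$(printf '%s' "$4" | tr -d ' ' | tr 'a-f' 'A-F')
  [ -f "$tarball" ] && [ -f "$sig" ] && [ -f "$keys" ] && [ -n "$expected" ] ||
    { echo "usage: verify_release <tarball> <tarball.asc> <KEYS> <fingerprint>" >&2; return 2; }

  home=$(mktemp -d) || return 2
  chmod 700 "$home"
  gpg --homedir "$home" --batch --quiet --import "$keys" 2>/dev/null ||
    { rm -rf "$home"; echo "could not import KEYS" >&2; return 2; }

  # --status-fd 1 prints machine-readable lines; VALIDSIG carries the signing-key
  # fingerprint in field 3 and the primary-key fingerprint in the last field.
  status=$(gpg --homedir "$home" --batch --status-fd 1 --verify "$sig" "$tarball" 2>/dev/null) \
    && rc=0 || rc=$?
  rm -rf "$home"
  [ "$rc" -eq 0 ] || { echo "BAD signature (or key not in KEYS) for $tarball" >&2; return 1; }

  fprs=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG /{print $3, $NF; exit}')
  case " $fprs " in
    *" $expected "*) echo "GOOD signature on $tarball by $expected"; return 0 ;;
    *) echo "signature valid but made by an unexpected key: $fprs" >&2; return 1 ;;
  esac
}

# The optional checksum check: proves transport integrity only, nothing about who built it.
# Expects the digest as the first token of the .sha1 file (the md5sum/sha1sum layout).
verify_sha1() {
  tarball=$1 sumfile=$2
  expected=$(awk 'NR==1{print tolower($1)}' "$sumfile" 2>/dev/null)
  actual=$(sha1sum "$tarball" | awk '{print $1}')
  if [ -n "$expected" ] && [ "$expected" = "$actual" ]; then
    echo "sha1 OK: $tarball"; return 0
  fi
  echo "sha1 MISMATCH for $tarball" >&2; return 1
}
```

Run it as `verify_release release_name.tar.gz release_name.tar.gz.asc KEYS <fingerprint>`, taking the fingerprint from the KEYS file entry of the release manager rather than from the download itself.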
