lucenenet-dev mailing list archives

From Stefan Bodewig <bode...@apache.org>
Subject Re: [Lucene.Net] Re: Signing Binary Releases
Date Tue, 22 Feb 2011 05:38:31 GMT
On 2011-02-21, Troy Howard wrote:

> Stefan - You indicated that the Apache signing process is
> straightforward and simple, but the documentation is kind of all over
> the place.

I've never read any of it ;-)

> It discusses so many edge cases and different methods for doing this
> that it's hard to know what the correct one is.  I might be missing
> something. Do you mind breaking it down for me in a very simple step
> by step manner?

I'll try but skip over the details since they ultimately depend on the
OpenPGP implementation you use.  The only implementations I have ever
used were a self-compiled PGP 2.6.x more than ten years ago and several
versions of GnuPG, all of them running on Linux - and I've never used
any GUI of any kind.

If anything I write below is unclear, please ask and I'll try to figure
out the correct answer.  Maybe even by reading the ASF documentation.

First of all you need an OpenPGP implementation.  I use GnuPG, you might
prefer something graphical.

Then you need a key pair.  This should be straightforward to create
with your OpenPGP implementation.  It may be best to pick the defaults
offered as algorithms and the longest key length your implementation
offers.

In retrospect it may have been a good idea if I had created my key in a
way that it expired after ten years since the key length of my key will
no longer be sufficient in a few years (if it still is today).  But then
again I can simply create a new one and stop using the old one at one
point in time.

The next step is to publish the key.  There are key servers and
publishing your key there is a command line option in GnuPG.  Most of the
key servers have a web frontend where you can simply add your ASCII
armored exported key as well.  For example <http://pgpkeys.mit.edu/>.
The key servers automatically propagate keys from one server to the
others so it is sufficient to publish to a single server.

You should also create a file called KEYS and add it to Lucene.NET's svn
area so all developers can add their keys to it.  This one will later be
published in http://www.apache.org/dist/ as the authoritative source.
For an example that also explains how to create the file see
<http://svn.apache.org/repos/asf/ant/antlibs/common/trunk/KEYS>

The most difficult part is getting your key signed by others.  There is
no general rule.  You must try to find people who are willing to sign
your key.  Most people will only do so if you meet F2F so try to contact
ASF people living close to you.  All bigger ASF events have key signing
parties just for this purpose.

If your key isn't signed by anybody else you can certainly still sign
the releases with it - users are just less likely to have a chain of trust
leading to your key.  In reality they likely won't have one anyway.

Finally you create the distribution artifact the way you always did.
Once done you create a detached signature for each of the distribution
artifacts.  I.e. if you have foo-1.0-src.zip you sign it which creates
foo-1.0-src.zip.asc.  You publish both of them side by side.  That is
really all that needs to be done.

On the download page the link to foo-1.0-src.zip will point to the ASF
mirror system while the one to foo-1.0-src.zip.asc will always point to
www.apache.org.

Stefan

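The workflow Stefan lays out above (key pair, exported public key for a key server and the KEYS file, detached signature beside the artifact, verification by a downloader), as an added shell example that is not part of the original message or of Lucene.NET's release tooling. It assumes GnuPG 2.1 or later is on PATH; the artifact name foo-1.0-src.zip and its content, the user id, the RSA 4096 / 10-year key parameters and the KEYS layout (the output of --list-sigs followed by the armored export, as the Ant KEYS file linked above describes) are assumptions for the demonstration. Everything runs in throwaway GNUPGHOME directories so the caller's real keyring is never touched.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): the release-signing steps
# Stefan describes, run end to end with GnuPG 2.x in a temporary keyring.
# Assumptions: gpg >= 2.1 on PATH; artifact name, content and identity below
# are constructed placeholders.

ARTIFACT=foo-1.0-src.zip                            # name used in the post
UID_STR="Release Manager <rm@example.invalid>"      # hypothetical identity

# Runs the whole workflow in a subshell and prints "ok" when the good
# signature verifies AND a tampered artifact is rejected.
sign_and_verify_demo() (
    set -e
    command -v gpg >/dev/null 2>&1 || { echo "gpg not found on PATH" >&2; exit 2; }

    work=$(mktemp -d)
    signer_home="$work/signer"; user_home="$work/user"
    mkdir -m 700 "$signer_home" "$user_home"
    trap 'GNUPGHOME=$signer_home gpgconf --kill gpg-agent 2>/dev/null;
          GNUPGHOME=$user_home   gpgconf --kill gpg-agent 2>/dev/null;
          rm -rf "$work"' EXIT
    cd "$work"
    export GNUPGHOME="$signer_home"

    # 1. Key pair: RSA 4096 (longest size common builds offer), signing use,
    #    with an expiry so an old key retires on its own instead of lingering.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$UID_STR" rsa4096 sign 10y 2>/dev/null
    fpr=$(gpg --batch --with-colons --list-keys "$UID_STR" \
          | awk -F: '$1 == "fpr" { print $10; exit }')

    # 2. Publish: the armored public key is what goes to a key server
    #    (gpg --send-keys "$fpr") and, with --list-sigs output, into KEYS.
    { gpg --list-sigs "$fpr"; gpg --armor --export "$fpr"; } > KEYS

    # 3. Build the artifact as usual (constructed content here), then write
    #    the detached ASCII-armored signature next to it: foo-1.0-src.zip.asc
    printf 'constructed release artifact\n' > "$ARTIFACT"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign "$ARTIFACT"

    # 4. Downloader side: import KEYS into a separate keyring and verify the
    #    .asc against the artifact. gpg exits 0 for a good signature even
    #    though it warns that the key is not certified by a trusted path,
    #    which is the "no chain of trust" situation the post mentions.
    GNUPGHOME="$user_home" gpg --batch --quiet --import KEYS 2>/dev/null
    GNUPGHOME="$user_home" gpg --batch --verify "$ARTIFACT.asc" "$ARTIFACT" 2>/dev/null

    # 5. Failure mode: a modified artifact (e.g. a bad mirror copy) must fail
    #    verification against the signature fetched from www.apache.org.
    printf 'x' >> "$ARTIFACT"
    if GNUPGHOME="$user_home" gpg --batch --verify "$ARTIFACT.asc" "$ARTIFACT" 2>/dev/null; then
        echo "tampering-not-detected"
    else
        echo "ok"
    fi
)

sign_and_verify_demo
```

The two GNUPGHOME directories matter: the signer's keyring has the secret key and trusts it ultimately, while the downloader's keyring only has what KEYS provides, so the verification path exercised is the one end users actually get. Generating a 4096-bit key takes a few seconds; in real use the key is created once, published, and the signing step is the only part repeated per release.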