ant-dev mailing list archives

From Steve Loughran <ste...@apache.org>
Subject Re: pgp key for signing files
Date Mon, 05 Jun 2006 13:40:12 GMT
Antoine Levy-Lambert wrote:
> Hello Kev,
> I do not know *all* the available options.
> 
> What I did is that I downloaded GnuPG (www.gnupg.org), installed it on my computer,
> generated myself a key. The public part of the key you have to add at the end of a file called
> KEYS which is in svn and lists the public keys of the ant committers.
> 
> How to publish your key to a key server I do not remember. I think I uploaded my public
> key to a key server, but do not remember offhand what it is called.
> 
> You can use GPG to sign the ant binaries and also to sign (or to encrypt) emails. In
> the release procedure, there are some emails which have to be signed too. Thunderbird has
> a plugin (Enigmail) which can work with GPG.
> 

We can't sign the binaries themselves, as Java suddenly changes into 
secure mode when that happens. But we can publish signatures of the 
checksums, and by signing the email announcement you can provide an 
authentication trail to the mirrors.

We also need to look at the release docs to see if it covers 
distribution to the maven repository.

-steve
