db-jdo-commits mailing list archives

From Apache Wiki <wikidi...@apache.org>
Subject [Jdo Wiki] Update of "KeysAtApache" by MichelleCaisse
Date Fri, 16 Nov 2007 18:10:19 GMT
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Jdo Wiki" for change notification.

The following page has been changed by MichelleCaisse:
http://wiki.apache.org/jdo/KeysAtApache

The comment on the change is:
Interim changes

------------------------------------------------------------------------------
  = Overview =
  To release software in an Apache project, you must sign the jars and other artifacts with
a pgp key.
  When the artifacts are signed, users can verify that they are have been built by the signer
and have not been tampered with.
- The instructions below describe the use of [http://www.gnupg.org/(en)/index.html GnuPg]
for creating and signing keys. See 
+ The instructions below describe the use of [http://www.gnupg.org/(en)/index.html GnuPg]
for creating and signing keys. See [#more More information] for links to other key software.
  
+ [[Anchor(process)]]
  = Getting a key and having it signed =
- 
- 
- == Uploading your public key ==
  
  Follow these steps to obtain a key and have it signed. Detailed instructions follow.
  
   1. [http://www.gnupg.org/(en)/download/index.html Download] GnuPg for creating and signing
keys
-  1. Create your key. Note your key UID and fingerprint. You will need them later.
+  1. [#create Create] your key. Note your key UID and fingerprint. You will need them later.
   1. Generate a revocation certificate.
   1. Sign your own key [Happens automatically with gpg, apparently.]
-  1. Upload your key to the key server at http://pgp.mit.edu/
+  1. [#upload Upload] your key to the key server at http://pgp.mit.edu/
-  1. Publish your key to the KEYS file
+  1. [#KEYS Publish] your key to the KEYS file
-  1. Get your key signed and sign other peoples' keys.
+  1. [#signers Contact] people to sign your key.
+  1. [#sign_key Sign] other peoples' keys.
  
+ [[Anchor(create)]]
  == Using gpg to create and sign keys ==
  % gpg --gen-key
  In response to the prompts,
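Review bot: The unchanged step "Sign your own key [Happens automatically with gpg, apparently.]" in the numbered list still carries an unresolved aside, and this edit reworks the steps on either side of it, so this is the moment to settle it. Confirm whether gpg self-signs at key generation, then either drop the step or state it without the hedge and link it to instructions as the neighbouring steps now are. In the same list, the added line "[#sign_key Sign] other peoples' keys." should read "other people's keys", and the Overview context line "they are have been built by the signer" has a stray "are".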
@@ -35, +35 @@

  
  For more information, see [http://www.gnupg.org/gph/en/manual/c14.html Getting Started in
the GNU Privacy Manual].
  
+ [[Anchor(upload)]]
  == Uploading your public key ==
  
+ [[Anchor(KEYS)]]
  == Publishing your key to the KEYS file ==
  
+ [[Anchor(signers)]]
  == Finding people to sign your key ==
    * Individually
    * [http://wiki.apache.org/apachecon/PgpKeySigning Apache key-signing party]
  
+ [[Anchor(sign_key)]]
  == Signing a key ==
  
  1. Import Jean's public key from pgp.mit.edu:
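Review bot: The new "upload" and "KEYS" anchors sit on headings that have no body in this hunk ("== Uploading your public key ==" and "== Publishing your key to the KEYS file ==" are each followed directly by the next anchor), while the step list now links to both, so a reader following "[#upload Upload]" or "[#KEYS Publish]" lands on an empty section. Since the change comment says these are interim changes, add a one-line placeholder under each heading stating that the instructions are pending, or hold the links back until the text exists. The "Individually" bullet under "Finding people to sign your key" would also benefit from a sentence telling signers to compare the fingerprint that the Create step asks the key owner to note.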
@@ -65, +69 @@

  
  {{{gpg --armor --export jta.apache.org > 9958C626_signed_by_KEYID}}}
  
+ [[Anchor(sign_release)]]
  = Signing a release with your key =
  
     * Publish your key to the KEYS file
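Review bot: The example on the context line, "gpg --armor --export jta.apache.org > 9958C626_signed_by_KEYID", mixes what looks like a literal key ID (9958C626) with a placeholder (KEYID) in the output file name and uses "jta.apache.org" as the key selector, with nothing in the visible text saying which parts the reader substitutes. Mark the placeholders consistently and add a sentence naming what each stands for. Separately, the new "sign_release" anchor is not the target of any link added in this change; if it is meant to be reachable from the process list, add a step that points to it.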
@@ -73, +78 @@

     * Add a checksum file to the dist directory (optional)
     * Point to instructions on how to verify signatures
  
+ [[Anchor(verify)]]
  = Verifying a signed release =
  
  Unless you verify the integrity of downloaded files using the PGP signature and/or the MD5
checksum, you cannot be sure of their authenticity. The checksum is not as strong an indicator
as the PGP signature is.
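Review bot: The context sentence under the new "verify" anchor offers "the PGP signature and/or the MD5 checksum" as the way to be sure of authenticity, which lets a reader stop at the checksum even though the next sentence calls it the weaker indicator. A checksum fetched from the same location as the file detects a corrupted download but says nothing about who built it, so reword the sentence to make signature verification the required step and the checksum an optional corruption check. In the list above the anchor, "Point to instructions on how to verify signatures" can now link to this section with [#verify ...], in the same style as the other links this change adds.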
@@ -92, +98 @@

  
  It is best to verify the PGP signature, though.
  
+ [[Anchor(more)]]
  = More information =
+   * Documentation for GnuPG
- [http://www.gnupg.org/gph/en/manual.html The GNU Privacy Handbook]
+     * [http://www.gnupg.org/gph/en/manual.html The GNU Privacy Handbook]
+   * Other pgp software
+     * [http://www.pgpi.org/products/pgp/versions/freeware/ PGP 8.0 Freeware]
+     * [http://www.pgp.com/ PGP 8.0] (commercial)
  
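Review bot: The new "More information" entries are inconsistent with naming used elsewhere in the visible text: the added heading line says "Other pgp software" while the Verify section writes "PGP signature", and "Documentation for GnuPG" differs from the "GnuPg" link text in the Overview. Pick one spelling for each and apply it throughout. The link text "PGP 8.0" on "http://www.pgp.com/" also ties a version number to a vendor home page, which will go stale as soon as the vendor ships a new release; "PGP (commercial)" would age better.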
