db-jdo-commits mailing list archives

From Apache Wiki <wikidi...@apache.org>
Subject [Jdo Wiki] Update of "KeysAtApache" by MichelleCaisse
Date Tue, 20 Nov 2007 02:01:30 GMT
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Jdo Wiki" for change notification.

The following page has been changed by MichelleCaisse:
http://wiki.apache.org/jdo/KeysAtApache

The comment on the change is:
almost there

------------------------------------------------------------------------------
  
  = Overview =
  When releasing software in an Apache project, the [http://wiki.apache.org/incubator/ReleaseManager
Release Manager] must sign the jars and other artifacts with a private pgp key.
- When artifacts are signed, users can verify that they are have been built by the signer
by using the signer's public key.
+ Using the signer's public key, users can verify that signed artifacts were built by the
signer.
  
  Software is available that creates pgp public/private key pairs, signs keys and other files,
encrypts data, and maintains keyrings (files of private and public keys). The instructions
below describe the use of [http://www.gnupg.org/(en)/index.html GnuPg]. See [#more More information]
for links to other key software.
  
- See the GnuPg FAQ [http://www.gnupg.org/(en)/documentation/faqs.html#q7.1 How does this
whole thing work?] for a brief overview of pgp keys.
+ See the !GnuPg FAQ [http://www.gnupg.org/(en)/documentation/faqs.html#q7.1 How does this
whole thing work?] for a brief overview of pgp keys.
  
  [[Anchor(process)]]
  = Creating a key and having it signed =
  
  Follow these steps to obtain a key and have it signed. Detailed instructions follow.
  
-  1. [http://www.gnupg.org/(en)/download/index.html Download] GnuPg for creating and signing
keys
+  1. [http://www.gnupg.org/(en)/download/index.html Download] GnuPg for creating and signing
keys.
-  1. [#create Create] your key. Note your key UID and fingerprint. You will need them later.
+  1. [#create Create] your key. Note your key fingerprint and ID (this is the last 8 digits
of the fingerprint). You will need them later.
-  1. Generate a revocation certificate.
+  1. Generate a [#revoke revocation certificate.]
+  1. [#upload Upload] your key to a public key server.
-  1. Sign your own key [Happens automatically with gpg, apparently.]
-  1. [#upload Upload] your key to the key server at http://pgp.mit.edu/
-  1. [#KEYS Publish] your key to the KEYS file
+  1. [#KEYS Publish] your key to the KEYS file.
   1. [#signers Contact] people to sign your key.
   1. [#sign_key Sign] other peoples' keys.
  
  [[Anchor(create)]]
  == Using gpg to create and sign keys ==
- % gpg --gen-key
+   {{{gpg --gen-key}}}
  In response to the prompts,
    * select DSA and ElGamal
    * select key size, typically 1024 for DSA and 2096 for ElGamal
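Review bot: the new step 2 text ("Note your key fingerprint and ID (this is the last 8 digits of the fingerprint)") describes the 8-character short key ID, which is hexadecimal rather than decimal digits and is not unique across keys, so it is a weak way to identify a key to a signer or a key server; suggest telling readers to record the full fingerprint as printed by `gpg --fingerprint` and to quote that, or at least the 16-character long ID, whenever a key_id is requested later on the page. Secondary: the unchanged context line "typically 1024 for DSA and 2096 for ElGamal" looks like a typo for 2048, since 2096 is not a size gpg offers.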
@@ -38, +37 @@

  
  For more information, see [http://www.gnupg.org/gph/en/manual/c14.html Getting Started in
the GNU Privacy Manual].
  
+ [[Anchor(revoke)]]
+ == Generating a revocation certificate ==
+ 
+   {{{gpg --output revoke.asc --gen-revoke key_id}}}
+ 
+ The certificate in revoke.asc may be printed out and kept in a very safe place.
+ 
  [[Anchor(upload)]]
  == Uploading your public key ==
- The [http://pgpkeys.mit.edu MIT public key server] is commonly used and provides a web form
for uploading your key. [http://pgpkeys.mit.edu
+ The [http://pgpkeys.mit.edu MIT public key server] is commonly used and provides a web form
for uploading your key.
+ You may also use the following command to upload keys:
+    {{{gpg send-keys --keyserver pgp.mit.edu <key_id>}}}
  
  [[Anchor(KEYS)]]
  Publish the public half of your key to the KEYS file checked into your project's code repository
so that users can download it to verify the signatures later. To publish your key to the KEYS
file, export the public half of your key into a plain text file,
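Review bot: the added upload command `{{{gpg send-keys --keyserver pgp.mit.edu <key_id>}}}` will not work as written, because `send-keys` without the leading dashes is parsed as a file argument rather than as the option; it should read `gpg --keyserver pgp.mit.edu --send-keys <key_id>`. On the new revocation section, it is worth saying why revoke.asc needs a "very safe place": the certificate is all that is required to revoke the key, so anyone who obtains it can revoke the key without the private key or passphrase, which means it should be protected like the private key itself and never checked into a repository alongside KEYS.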
@@ -50, +58 @@

  
  [[Anchor(signers)]]
  == Finding people to sign your key ==
+ 
    * Individually
+ 
+ Anyone who knows you personally and has a key can sign your key. You need to provide them
with your key fingerprint and owner information, which you get by this command:
+ 
+    {{{gpg --armor --export KEY_ID > mykey.asc}}}
+ 
-   * [http://wiki.apache.org/apachecon/PgpKeySigning Apache key signing party]
+   * You can find lots of people to sign your key at an [http://wiki.apache.org/apachecon/PgpKeySigning
Apache key signing party]
+ 
+ Some people may email you your signed key rather than uploading it to a public server. If
so, just import it and [#upload upload] it yourself.
  
  [[Anchor(sign_key)]]
  == Signing a key ==
  
- 1. Import Jean's public key from pgp.mit.edu:
+  1. Import the person's public key from pgp.mit.edu:
  
-    {{{gpg --keyserver pgp.mit.edu --recv-keys 9958C626}}}
+    {{{gpg --keyserver pgp.mit.edu --recv-keys <key_id>}}}
+ 
+    or, if you have received a key file, import the keys from the file:
+ 
+    {{{gpg --import <key_file>}}}
  
   1. Verify the fingerprint -- does it exactly match the hardcopy from the Apache``Con key
signing?
  
-    {{{gpg --fingerprint jta@apache.org}}}
+    {{{gpg --fingerprint <owner_email}}}
  
-  1. Sign Jean's key:
+  1. Sign the key:
  
-    {{{gpg --sign-key 9958C626}}}
+    {{{gpg --sign-key <key_id>}}}
  
   1. Upload the signed key:
  
-    {{{gpg send-keys --keyserver pgp.mit.edu 9958C626}}}
+    {{{gpg send-keys --keyserver pgp.mit.edu <key_id>}}}
  
- Another "style" is to not upload the signed key, but to export it and email it to the signee
to upload (KEYID below is the id of the signer):
+    or, export it and email it to the signee to upload (KEYID below is the id of the signer):
  
- {{{gpg --armor --export jta.apache.org > 9958C626_signed_by_KEYID}}}
+    {{{gpg --armor --export <owner_email> > ownerkeyid_signed_by_keyid}}}
  
  [[Anchor(sign_release)]]
  = Signing a release with your key =
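Review bot: under "Finding people to sign your key", the new text says the signer needs "your key fingerprint and owner information, which you get by this command", but `{{{gpg --armor --export KEY_ID > mykey.asc}}}` writes the public key to a file and prints no fingerprint; `gpg --fingerprint KEY_ID` is what shows the fingerprint and UID, while the export is what you would hand over so the signer can import it. Under "Signing a key", `{{{gpg --fingerprint <owner_email}}}` is missing the closing `>`, and note that searching by e-mail can list several keys, so the reader should compare the fingerprint of the specific key just imported (by key_id) against the hardcopy, since this fingerprint check is the only step that actually establishes the key belongs to the person. The same `gpg send-keys --keyserver pgp.mit.edu <key_id>` syntax error from the upload section is repeated here and should become `gpg --keyserver pgp.mit.edu --send-keys <key_id>`.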
