db-jdo-commits mailing list archives

From Apache Wiki <wikidi...@apache.org>
Subject [Jdo Wiki] Update of "KeysAtApache" by CraigRussell
Date Tue, 20 Nov 2007 19:08:05 GMT
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Jdo Wiki" for change notification.

The following page has been changed by CraigRussell:
http://wiki.apache.org/jdo/KeysAtApache

The comment on the change is:
pretty close

------------------------------------------------------------------------------
  When releasing software in an Apache project, the [http://wiki.apache.org/incubator/ReleaseManager
Release Manager] must sign the jars and other artifacts with a private pgp key.
  Using the signer's public key, users can verify that signed artifacts were built by the
signer.
  
- Software is available that creates pgp public/private key pairs, signs keys and other files,
encrypts data, and maintains keyrings (files of private and public keys). The instructions
below describe the use of [http://www.gnupg.org/(en)/index.html GnuPg]. See [#more More information]
for links to other key software.
+ Software is available that creates pgp public/private key pairs, signs keys and other files,
encrypts data, and maintains key rings (files of private and public keys). The instructions
below describe the use of [http://www.gnupg.org/(en)/index.html GnuPg]. See [#more More information]
for links to other key software.
  
  See the !GnuPg FAQ [http://www.gnupg.org/(en)/documentation/faqs.html#q7.1 How does this
whole thing work?] for a brief overview of pgp keys.
  
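Review bot: the only change in this hunk is "keyrings" to "key rings" in the replacement paragraph, and that moves away from GnuPG's own term; gpg calls the file a keyring (the --keyring option, pubring.gpg), so readers who go on to the GNU Privacy Handbook linked at the end of the page will be looking for the one-word form. Suggest keeping "encrypts data, and maintains keyrings (files of private and public keys)" as it was.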
@@ -17, +17 @@

  
  Follow these steps to obtain a key and have it signed. Detailed instructions follow.
  
-  1. [http://www.gnupg.org/(en)/download/index.html Download] GnuPg for creating and signing
keys.
+  1. [http://www.gnupg.org/(en)/download/index.html Download] !GnuPg for creating and signing
keys.
   1. [#create Create] your key. Note your key fingerprint and ID (this is the last 8 digits
of the fingerprint). You will need them later.
   1. Generate a [#revoke revocation certificate.]
   1. [#upload Upload] your key to a public key server.
   1. [#KEYS Publish] your key to the KEYS file.
   1. [#signers Contact] people to sign your key.
-  1. [#sign_key Sign] other peoples' keys.
+  1. [#sign_key Sign] other people's keys.
  
  [[Anchor(create)]]
  == Using gpg to create and sign keys ==
    {{{gpg --gen-key}}}
  In response to the prompts,
-   * select DSA and ElGamal
+   * select [http://en.wikipedia.org/wiki/Digital_Signature_Algorithm DSA] and [http://en.wikipedia.org/wiki/ElGamal_encryption
ElGamal]
-   * select key size, typically 1024 for DSA and 2096 for ElGamal
+   * select key size, typically 1024 for DSA and 2048 or 4096 for !ElGamal (the more bits
the more secure)
    * select expiration date, typically 0 = key does not expire
    * provide a user ID (your name, a comment, and your email address)
    * enter a passphrase (should be long and it is important not to forget it)
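Review bot: the new key-size line, "typically 1024 for DSA and 2048 or 4096 for !ElGamal (the more bits the more secure)", attaches the "more bits" advice to the wrong half of the key pair. The page opens by saying the Release Manager signs artifacts with the key, and signing is done by the DSA primary key, which stays at 1024 bits here; the larger ElGamal subkey is used only for encryption and plays no part in a release signature. Either say that the ElGamal size affects encryption only, or advise the largest signing key the installed GnuPG supports. Two smaller points in the same hunk: the unchanged step "Note your key fingerprint and ID (this is the last 8 digits of the fingerprint)" should say 8 hex digits and make clear the ID is a truncation, so signers and users should confirm the full fingerprint rather than the ID alone; and "typically 0 = key does not expire" is the weakest choice, since a revocation certificate then becomes the only way to retire the key, so a finite expiry (it can be extended later with gpg --edit-key) is worth suggesting instead.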
@@ -51, +51 @@

     {{{gpg --send-keys --keyserver pgp.mit.edu <key_id>}}}
  
  [[Anchor(KEYS)]]
- Publish the public half of your key to the KEYS file checked into your project's code repository
so that users can download it to verify the signatures later. To publish your key to the KEYS
file, export the public half of your key into a plain text file,
+ Publish the public half of your key to the KEYS file checked into your project's code repository
so that users can download it to verify the signatures later. To publish your key to the KEYS
file, export the public half of your key into a plain text file, and then just copy and paste
it into the KEYS file.
- and then just copy and paste it into the KEYS file.
- You can optionally add a line above your key with your name on it.
+ You can optionally add lines above your key with your names on them.
  Be sure to check in the KEYS file before uploading the release.
  
  [[Anchor(signers)]]
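Review bot: the replacement line "You can optionally add lines above your key with your names on them." reads as if one contributor has several names; the original singular was right, and what actually helps readers of KEYS is the name plus the key ID, e.g. "You can optionally add a line above your key with your name and key ID on it." The same paragraph should also say explicitly that only the public half goes into KEYS (it says "export the public half" but never warns against pasting gpg --export-secret-keys output), and that a copy-and-paste which drops the "-----END PGP PUBLIC KEY BLOCK-----" line will break gpg --import KEYS for every user of the release, since the checked-in file is what they download.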
@@ -92, +91 @@

  
     {{{gpg --send-keys --keyserver pgp.mit.edu <key_id>}}}
  
-    or, export it and email it to the signee to upload (KEYID below is the id of the signer):
+    or, export it and email it to the owner to upload (KEYID below is the id of the signer):
  
     {{{gpg --armor --export <owner_email> > ownerkeyid_signed_by_keyid}}}
  
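Review bot: the parenthetical in the changed line, "(KEYID below is the id of the signer)", explains the "keyid" part of the filename "ownerkeyid_signed_by_keyid" but leaves "ownerkeyid" unexplained; say that both are placeholders, e.g. "ownerkeyid and keyid below are the key IDs of the owner and the signer". More importantly, "gpg --armor --export <owner_email>" selects keys by user-ID match, so if the signer's keyring holds more than one key carrying that address (an old or revoked key, or a different person's key with the same address) the exported file contains all of them; exporting by the owner's key ID or fingerprint, which the signer has already verified in person before signing, picks exactly the key that was signed.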
@@ -110, +109 @@

  
  Unless you verify the integrity of downloaded files using the PGP signature and/or the MD5
checksum, you cannot be sure of their authenticity. The checksum is not as strong an indicator
as the PGP signature is.
  
- The PGP signatures can be verified using PGP or GPG. First download the KEYS as well as
the asc signature file for the particular distribution. Make sure you get these files from
the main distribution directory, rather than from a mirror. Then verify the signatures using
+ The PGP signatures can be verified using PGP or GPG. First download the KEYS as well as
the .asc signature file for the particular distribution. Make sure you get the KEYS and signatures
from the main distribution directory, rather than from a mirror. Then verify the signatures
using
  
  {{{gpg --import KEYS}}}
  {{{gpg --verify release_name.tar.gz.asc}}}
  
- Alternatively, you can verify the checksums on the files. Unix programs called md5/sha1
or md5sum/sha1sum are included in many unix distributions. *sum is also available as part
of GNU Textutils. Windows users can get binary md5 programs from http://www.fourmilab.ch/md5
and hhttp://www.pc-tools.net/win32/freeware/console. Windows SlavaSoft fsum supports MD5 and
SHA1.
+ You can also verify the checksums on the files. Unix programs called md5/sha1 or md5sum/sha1sum
are included in many unix distributions. *sum is also available as part of GNU Textutils.
Windows users can get binary md5 programs from http://www.fourmilab.ch/md5 and hhttp://www.pc-tools.net/win32/freeware/console.
Windows !SlavaSoft fsum supports MD5 and SHA1.
  
- It is best to verify the PGP signature, though.
+ It is best to verify the PGP signature, though. The signature verifies both the integrity
of the file and the identity of the person who published the release.
  
  [[Anchor(more)]]
  = More information =
-   * Documentation for GnuPG
+   * Documentation for !GnuPG
      * [http://www.gnupg.org/gph/en/manual.html The GNU Privacy Handbook]
    * Other pgp software
      * [http://www.pgpi.org/products/pgp/versions/freeware/ PGP 8.0 Freeware]
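Review bot: the added sentence "The signature verifies both the integrity of the file and the identity of the person who published the release." claims more than "gpg --verify release_name.tar.gz.asc" after "gpg --import KEYS" delivers. A good signature shows only that the artifact was signed by some key present in KEYS; who holds that key rests on KEYS having been fetched from the main distribution directory, as the preceding paragraph says, and on the user comparing the fingerprint gpg prints with one obtained independently. gpg will also print a "not certified with a trusted signature" warning for an imported but untrusted key, and the text should tell users to expect that rather than read it as a failed verification. Suggest "A good signature shows the artifact was signed by a key listed in KEYS; check that the key's fingerprint matches the one the project publishes." Separately, the typo "hhttp://www.pc-tools.net/win32/freeware/console" is carried over unchanged into the new paragraph and should lose the extra "h".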
