db-jdo-commits mailing list archives

From Apache Wiki <wikidi...@apache.org>
Subject [Jdo Wiki] Update of "KeysAtApache" by MichelleCaisse
Date Mon, 26 Nov 2007 22:01:36 GMT
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Jdo Wiki" for change notification.

The following page has been changed by MichelleCaisse:
http://wiki.apache.org/jdo/KeysAtApache

------------------------------------------------------------------------------
  
  [[Anchor(create)]]
  == Using gpg to create a key ==
+ 
+ Always use a private, secure machine to create your key, because that is where your private
key is. Never use a machine in the Apache infrastructure and never store your private key
on such a machine.
+ 
    {{{gpg --gen-key}}}
  In response to the prompts,
    * select [http://en.wikipedia.org/wiki/Digital_Signature_Algorithm DSA] and [http://en.wikipedia.org/wiki/ElGamal_encryption
ElGamal]
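Review bot: The reason given in the added paragraph under "Using gpg to create a key" is circular: "because that is where your private key is" does not tell the reader why the choice of machine matters. Suggest saying that gpg --gen-key generates the private key and stores it in the keyring on the machine where it runs, so anyone with access to that machine can copy it, for example "Create your key on a private, secure machine: the private key is generated and stored there." The sentence about Apache infrastructure machines then follows from that.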
@@ -43, +46 @@

  
    {{{gpg --output revoke.asc --gen-revoke key_id}}}
  
- The certificate in revoke.asc may be printed out and kept in a very safe place.
+ The certificate in revoke.asc may be printed out and kept in a very safe place. You can
use it to revoke a key even if you have lost your key or pass phrase.
  
  [[Anchor(upload)]]
  == Uploading your public key ==
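Review bot: In the sentence added after the --gen-revoke command, "lost your key" is ambiguous and should read "lost your private key or passphrase". Since the certificate works without the private key, it is also worth stating that anyone who obtains revoke.asc can revoke the key, which is the reason behind "a very safe place" in the first sentence.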
@@ -56, +59 @@

  You can optionally add lines above your key with your names on them.
  Be sure to check in the KEYS file before uploading the release.
  
+ Note that it is not really clear what this file is to be used for at Apache. See http://people.apache.org/~henkp/trust/
.
+ 
  [[Anchor(signers)]]
  == Finding people to sign your key ==
+ A key without signatures has no value; it could belong to anyone. One signature is better
than none, but more is better and it is best to have some signatures within the Apache web
of trust. You should also sign other people's keys.
  
    * Individually
  
  Anyone who knows you personally and has a key can sign your key. You need to provide them
with your key fingerprint and owner information, which you get by this command:
  
     {{{gpg --fingerprint KEY_ID}}}
+ 
+ You can use [http://www.biglumber.com/ Biglumber] to find people to exchange signatures
with.
  
    * You can find lots of people to sign your key at an [http://wiki.apache.org/apachecon/PgpKeySigning
Apache key signing party]
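Review bot: The note added after "Be sure to check in the KEYS file before uploading the release" says the file's purpose is unclear immediately after instructing the reader to maintain it, and leaves the consequence to a bare link. Suggest one sentence on what the linked page covers and whether the KEYS step is still expected; there is also a stray space before the full stop after the URL. In the paragraph added under "Finding people to sign your key", "has no value" is broader than the clause that follows it supports; "gives no assurance of who owns it" would match "it could belong to anyone".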
  
@@ -109, +117 @@

     * Add a checksum file to the dist directory (optional)
     * Point to instructions on how to verify signatures
  
+ See http://www.apache.org/dev/release-signing.html for more information.
+ 
  [[Anchor(verify)]]
  = Verifying a signed release =
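Review bot: The added "See http://www.apache.org/dev/release-signing.html for more information." uses a bare URL, while the last hunk links the same page with a label ("release signing policy"). Use the labelled form here as well so both references read as the same document, and consider whether the page needs the link twice.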
  
@@ -120, +130 @@

  
  {{{gpg --verify release_name.tar.gz.asc}}}
  
- You can also verify the checksums on the files. Unix programs called md5/sha1 or md5sum/sha1sum
are included in many unix distributions. *sum is also available as part of GNU Textutils.
Windows users can get binary md5 programs from http://www.fourmilab.ch/md5 and hhttp://www.pc-tools.net/win32/freeware/console.
Windows !SlavaSoft fsum supports MD5 and SHA1.
+ You can also verify the checksums on the files. Unix programs called md5/sha1 or md5sum/sha1sum
are included in many unix distributions. *sum is also available as part of GNU Textutils.
Windows users can get binary md5 programs from http://www.fourmilab.ch/md5 and hhttp://www.pc-tools.net/win32/freeware/console.
Windows !SlavaSoft fsum supports MD5 and SHA1. You can also use this web form at http://people.apache.org/~henkp/cgi-bin/md5.cgi
to verify a checksum
- 
  It is best to verify the PGP signature, though. The signature verifies both the integrity
of the file and the identity of the person who published the release.
  
  [[Anchor(more)]]
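Review bot: The rewritten checksum paragraph carries over the "hhttp://www.pc-tools.net/win32/freeware/console" typo from the removed line, so that link stays broken; change it to "http://" while the line is being edited. The new final sentence is missing its full stop ("to verify a checksum"), and the removed blank line appears to join this paragraph to "It is best to verify the PGP signature, though.", which buries that recommendation; keep the paragraph break.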
@@ -132, +141 @@

      * [http://www.pgpi.org/products/pgp/versions/freeware/ PGP 8.0 Freeware]
      * [http://www.pgp.com/ PGP 8.0] (commercial)
    * List and web map of [http://people.apache.org/~henkp/trust/apache.html Apache committers'
keys]
+   * The Apache [http://www.apache.org/dev/release-signing.html release signing policy.]
  
+   * A [http://pgp.cs.uu.nl/ cool tool] for viewing trust paths
+ 
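Review bot: The link label "cool tool" in the last added bullet does not say what the target is; label it by function, for example "A [http://pgp.cs.uu.nl/ trust path viewer]". In the bullet above it, the full stop sits inside the link text ("release signing policy.]") and should move outside the bracket. The two new bullets are also separated by an existing blank line, which splits them into separate lists.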
