From: Apache Wiki
To: jdo-commits@db.apache.org
Reply-To: jdo-dev@db.apache.org
Date: Thu, 15 Nov 2007 18:57:09 -0000
Message-ID: <20071115185709.27803.58291@eos.apache.org>
Subject: [Jdo Wiki] Update of "KeysAtApache" by MichelleCaisse

Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Jdo Wiki" for change notification.

The following page has been changed by MichelleCaisse:
http://wiki.apache.org/jdo/KeysAtApache

The comment on the change is:
Under construction!

New page:

'''Note: This page is under construction!!'''

'''Contents'''
[[TableOfContents]]

= Overview =

To release software in an Apache project, you must sign the jars and other artifacts with a PGP key. When the artifacts are signed, users can verify that they were built by the signer and have not been tampered with.

= Getting a key and having it signed =

These instructions assume that you will use GNU gpg software for creating and signing keys. Follow these steps to obtain a key and have it signed.

 1. Download software for creating and signing keys.
 1. Create your key. Note your key UID and fingerprint; you will need them later.
 1. Sign your own key.
 1. Upload your key to the key server at http://pgp.mit.edu/
 1. Publish your key to the KEYS file.
 1. Get your key signed and sign other people's keys.

== Using gpg to create and sign keys ==

Create a key of type DSA with size 1024, together with an ElGamal encryption key of size 4096.

== Uploading your public key ==

== Getting your key signed ==

 * Individually
 * [http://wiki.apache.org/apachecon/PgpKeySigning Apache key-signing party]

== Signing other people's keys ==

= Signing a release with your key =

 * Publish your key to the KEYS file
 * Sign the release to create a detached signature file
 * Post the release and its signature to the distribution directory
 * Add a checksum file to the dist directory (optional)
 * Point to instructions on how to verify signatures

= Verifying a signed release =

Unless you verify the integrity of downloaded files using the PGP signature and/or the MD5 checksum, you cannot be sure of their authenticity. The checksum is not as strong an indicator as the PGP signature is: it detects corruption, but anyone who can replace the file can replace the checksum beside it.

The PGP signatures can be verified using PGP or GPG. First download the KEYS file as well as the asc signature file for the particular distribution. Make sure you get these files from the main distribution directory, rather than from a mirror. Then verify the signatures using

 % pgpk -a KEYS
 % pgpv release_name.tar.gz.asc

or

 % pgp -ka KEYS
 % pgp release_name.tar.gz.asc

or

 % gpg --import KEYS
 % gpg --verify release_name.tar.gz.asc

Alternatively, you can verify the checksums on the files. Unix programs called md5/sha1 or md5sum/sha1sum are included in many Unix distributions; md5sum/sha1sum are also available as part of GNU Textutils. Windows users can get binary md5 programs from http://www.fourmilab.ch/md5 and http://www.pc-tools.net/win32/freeware/console. SlavaSoft fsum for Windows supports MD5 and SHA1. It is best to verify the PGP signature, though.
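As an added example (not part of the wiki page), the verification step above in Python: it checks an md5sum-style checksum file and judges the machine-readable output of `gpg --status-fd 1 --verify`, accepting a signature only when the signing key's fingerprint is one listed in KEYS, since a "Good signature" from any imported key is not by itself proof of origin. The sample release, checksum line, status lines and KEYS excerpt are constructed, and the KEYS parsing assumes the `Key fingerprint = ...` lines gpg prints into that file.

```python
import hashlib
import hmac
import re

# Constructed sample input standing in for release_name.tar.gz and its md5 file.
RELEASE_BYTES = b"sample release contents, constructed for this example\n"
SAMPLE_MD5_FILE = hashlib.md5(RELEASE_BYTES).hexdigest() + "  release_name.tar.gz\n"

# Constructed gpg status output; the 40-hex fingerprints are placeholders, not real keys.
SAMPLE_STATUS = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>
[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2007-11-15 1195152000 0 4 0 17 2 00 2222222222222222222222222222222222222222
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
SAMPLE_KEYS = "pub   1024D/89ABCDEF 2007-11-15\n      Key fingerprint = 2222 2222 2222 2222 2222  2222 2222 2222 2222 2222\n"


def verify_checksum(checksum_text, data, filename, algo):
    """Check data against an md5sum/sha1sum-style file ('<hex>  <name>' per line)."""
    expected = None
    for line in checksum_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].lstrip("*") == filename:  # '*' marks binary mode
            expected = parts[0].lower()
    if expected is None:
        return False  # no line for this file: treat as failure, not success
    return hmac.compare_digest(hashlib.new(algo, data).hexdigest(), expected)


def fingerprints_from_keys(keys_text):
    """Collect the 'Key fingerprint = ...' values a KEYS file lists above each armored key."""
    return {m.group(1).replace(" ", "").upper()
            for m in re.finditer(r"Key fingerprint\s*=\s*([0-9A-Fa-f ]+)", keys_text)}


def check_gpg_status(status_text, trusted_fprs):
    """Judge gpg --status-fd output: 'ok' only if VALIDSIG names a fingerprint from KEYS."""
    for line in status_text.splitlines():
        f = line.split()
        if len(f) < 3 or f[0] != "[GNUPG:]":
            continue
        if f[1] in ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"):
            return "reject: " + f[1]
        if f[1] == "VALIDSIG":
            # f[2] is the signing (sub)key fingerprint; the last field is the primary key's,
            # which is what KEYS lists, so accept either.
            if f[2].upper() in trusted_fprs or f[-1].upper() in trusted_fprs:
                return "ok"
            return "reject: key not in KEYS"
    return "reject: no VALIDSIG"
```

In practice the status text comes from running `gpg --status-fd 1 --verify release_name.tar.gz.asc release_name.tar.gz` after `gpg --import KEYS`, and the checksum text from the `.md5` file next to the release.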