quickstep-dev mailing list archives

From Marc Spehlmann <spehl.apa...@gmail.com>
Subject Re: Release Signing
Date Thu, 02 Feb 2017 01:47:58 GMT
Oh, one thing I was confused about was the number of signers
needed. I took it that all the release managers need to sign, and that
there are several release managers.

Each manager would need to contribute their private key to the signing process,
something which could only be done by passing the tarball around to
people's private laptops. Obviously, that's not efficient.

It sounds like only one release manager needs to sign it then?

On Tue, Jan 31, 2017 at 6:14 PM, Julian Hyde <jhyde@apache.org> wrote:

> It does say so in the instructions, but I’ll reiterate: be sure to use
> your apache.org <http://apache.org/> email address for your key. People
> get spooked if they get a release that is not signed by someone who is
> obviously an Apache committer.
>
> Generally the release manager will either build the release on their own
> machine or download a build to their machine. Then they will sign it on
> their machine (where their private key is present). Lastly they will upload
> it (which happens by means of a “svn commit”).
>
> At the same time they will make sure that their key is in KEYS, and if not
> they will edit KEYS and do another “svn commit”.
>
> Julian
>
>
>
>
> > On Jan 31, 2017, at 3:35 PM, Marc Spehlmann <spehl.apache@gmail.com>
> wrote:
> >
> > One of the steps that must take place before releasing a release tarball
> is
> > to have the release managers digitally sign the tarball.
> >
> > Hakan, Jignesh, Harshad I think you all are the release managers. Please
> > follow this guide
> >
> > http://quickstep.apache.org/release-signing/
> >
> > to
> > 1) create a key pair
> > 2) upload the public key to a public keyserver
> > 3) (bonus for now) add the public key to a KEYS file in the root of
> > quickstep.
> >
> > When the release tarball is ready, we can sign it.
> >
> > To be fair, I'm not totally sure how this works because it seems to me
> that
> > everyone has to sign the release with their private key, meaning that it
> > must be uploaded to each PC where the private key is held, then signed?
> > That seems cumbersome.
> >
> > Anyways, steps 1,2 are straightforward and need to be done before we
> > resolve that last problem.
> >
> > Cheers,
> > Marc
>
>
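The flow Julian describes above, walked through end to end, as an added example that is not part of the thread and not a quickstep project script: one release manager generates a key whose uid carries an apache.org address, appends the public key to KEYS, signs the tarball on the machine that holds the private key, and a downloader who has nothing but KEYS verifies the detached signature. The identities (`rm@apache.org`, `outsider@example.com`), the file names, the `default` key algorithm and the empty passphrase are assumptions made for the demo; it requires GnuPG 2.1 or newer and runs entirely in a temporary directory. Beyond the thread's own case it also shows the two rejections a verifier must produce: a tampered tarball, and a signature from a key that is not in KEYS.

```shell
#!/bin/sh
# Added example (not quickstep's own tooling): the release-signing flow
# described in the thread. Requires GnuPG 2.1+ (--quick-generate-key,
# --pinentry-mode loopback). Everything happens under a temp directory.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed, demo skipped" >&2; exit 0; }

WORK=$(mktemp -d)
RM_HOME="$WORK/rm-gnupg"        # the release manager's machine: the private key lives here
mkdir -m 700 "$RM_HOME"
echo allow-loopback-pinentry > "$RM_HOME/gpg-agent.conf"
cleanup() { gpgconf --homedir "$RM_HOME" --kill gpg-agent 2>/dev/null || true; rm -rf "$WORK"; }
trap cleanup EXIT

# Hypothetical identities (assumptions for the demo). The release manager's
# uid carries an apache.org address, as the thread recommends; the outsider's
# key is never added to KEYS and must therefore fail verification.
RM_UID="Example Release Manager <rm@apache.org>"
OUTSIDER_UID="Not A Committer <outsider@example.com>"

rm_gpg() { gpg --homedir "$RM_HOME" --batch --quiet --no-tty \
               --pinentry-mode loopback --passphrase '' "$@"; }

# Step 1: create a key pair. The empty passphrase only keeps the demo
# non-interactive; a real signing key should be passphrase-protected.
rm_gpg --quick-generate-key "$RM_UID" default sign 0
rm_gpg --quick-generate-key "$OUTSIDER_UID" default sign 0
# Step 2 (publishing to a keyserver) needs the network and is not run here:
#   gpg --send-keys <KEYID>

# Step 3: append the public key to KEYS. The Apache convention is the
# human-readable listing followed by the armoured public key, one such
# pair per release manager.
KEYS="$WORK/KEYS"
{ rm_gpg --list-sigs "$RM_UID"; rm_gpg --armor --export "$RM_UID"; } >> "$KEYS"

# A constructed stand-in for the release tarball.
TARBALL="$WORK/apache-quickstep-example-src.tar.gz"
printf 'constructed tarball contents\n' > "$TARBALL"

# Sign on the release manager's machine: a detached, ASCII-armoured signature
# written next to the artifact (TARBALL.asc) is what gets committed alongside it.
rm_gpg --yes --local-user "$RM_UID" --armor --detach-sign "$TARBALL"

# What a downloader does: import KEYS into a fresh keyring, verify the
# detached signature, and insist that the signer's uid is an apache.org
# address. Returns 0 only for a good signature from such a key.
verify_release() {   # verify_release TARBALL SIGNATURE KEYS
    home=$(mktemp -d)
    gpg --homedir "$home" --batch --quiet --no-tty --import "$3" 2>/dev/null
    rc=0
    status=$(gpg --homedir "$home" --batch --no-tty --status-fd 1 \
                 --verify "$2" "$1" 2>/dev/null) || rc=$?
    gpgconf --homedir "$home" --kill gpg-agent 2>/dev/null || true
    rm -rf "$home"
    [ "$rc" -eq 0 ] || return 1
    # GOODSIG lines carry the long key id and the signer's primary uid.
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG [0-9A-F]* .*<[^>]*@apache\.org>'
}

# Negative cases: the same bytes with one byte appended, and a signature
# made by the outsider's key, which is not in KEYS.
TAMPERED="$WORK/tampered.tar.gz"
{ cat "$TARBALL"; printf 'x'; } > "$TAMPERED"
OUTSIDER_SIG="$WORK/outsider.asc"
rm_gpg --yes --local-user "$OUTSIDER_UID" --armor --output "$OUTSIDER_SIG" --detach-sign "$TARBALL"

verify_release "$TARBALL" "$TARBALL.asc" "$KEYS"   # set -e aborts the script if this ever fails
echo "good signature from an apache.org key, verified against KEYS alone"
if verify_release "$TAMPERED" "$TARBALL.asc" "$KEYS"; then echo "BUG: tampered tarball accepted"; exit 1; fi
if verify_release "$TARBALL" "$OUTSIDER_SIG" "$KEYS"; then echo "BUG: signer not in KEYS accepted"; exit 1; fi
echo "tampered tarball and non-KEYS signer both rejected"
```

The point of `verify_release` building its keyring from KEYS alone, rather than from the release manager's own keyring, is that this is the downloader's situation: the only public keys they can reasonably trust for an Apache release are the ones committed to KEYS, so a signature from any other key, however valid, must be rejected. The apache.org check on the `GOODSIG` uid is the mechanical form of Julian's advice about which address to put on the key.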
