river-dev mailing list archives

From Frank Barnaby <Frank.Barn...@Sun.COM>
Subject Re: "AR1" testing
Date Wed, 19 Dec 2007 01:22:57 GMT

On Dec 18, 2007, at 19:01, Craig L Russell wrote:
>>> 4. The release bundles need to be signed with a release-signing  
>>> GPG key. See http://wiki.apache.org/jdo/KeysAtApache
>> I've been working on this task. I had planned on using GNU Privacy  
>> Guard (GPG) to sign the bundles, but building GPG and its dependent  
>> libraries proved to be a problem on Solaris (libassuan in  
>> particular), so I'm considering jarsigner and keytool, which are  
>> included in the JDK and readily accessible to all.  Please let me  
>> know if there's any reason why I should avoid jarsigner or,  
>> alternatively, why I should strive to utilize GPG.
> The jarsigner is a different functionality from GPG signatures. If  
> I'm not mistaken, jarsigner allows you to sign jars, while GPG  
> allows you to sign binary files.

While jarsigner supposedly allows one to sign zip files as well as  
jars, I suppose we might need to sign other binary types at some point.

> The GPG tool really does need to be investigated and used to sign  
> Apache releases. GPG keys are cross-signed by other Apache release  
> managers and the keys are part of the Apache web of trust.

I was under the impression that GPG is only a recommendation and not a  
requirement.  I'm certainly not the expert here, so I'm eager to  
receive opinions from those with experience in this area.  I'll try  
again to get GPG running on my end.

> Are you sure there isn't a binary of GPG available for Solaris?

I believe I've found one at http://www.sunfreeware.com, but I need to  
test it.  I'm also a bit hesitant to use GPG from an unknown origin.

Thanks for your comments, Craig.

> Craig
>> I plan to post a new set of release-candidate bundles tomorrow, so  
>> please post your comments as soon as possible.
>> Frank
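An added example (not code from the River project or from anyone in this thread) of the GPG workflow Craig describes: a detached, ASCII-armored signature published beside the release bundle, and a verifier that rejects the bundle once it has been modified. The signer identity, bundle contents and paths are constructed; the script assumes GnuPG 2.1 or later for `--quick-generate-key` and uses a throwaway GNUPGHOME so it never touches a real keyring.

```shell
#!/bin/sh
# Added example, not code from the River project: sign a release bundle
# with a detached, ASCII-armored GPG signature (BUNDLE.asc beside BUNDLE)
# and verify it, rejecting a bundle that was modified after signing.
set -e

# Throwaway keyring so the run never touches the user's real keys.
GNUPGHOME="$(mktemp -d)"
export GNUPGHOME
chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME"' EXIT

# Constructed identity. A real release key is long-lived, published in the
# project's KEYS file and cross-signed by other release managers.
SIGNER='Release Manager (constructed test key) <rm@example.invalid>'

make_release_key() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$SIGNER" rsa2048 sign never
}

# sign_bundle BUNDLE: writes BUNDLE.asc (detached, armored, as Apache publishes)
sign_bundle() {
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' \
        --local-user "$SIGNER" --armor --detach-sign --output "$1.asc" "$1"
}

# verify_bundle BUNDLE: returns 0 only if BUNDLE.asc is a good signature
# over BUNDLE by a key in the keyring (a downstream verifier would first
# import the project's KEYS file; here the key is already present).
verify_bundle() {
    if gpg --batch --quiet --verify "$1.asc" "$1" 2>/dev/null; then
        return 0
    fi
    return 1
}

# Constructed stand-in for a release tarball.
BUNDLE="$GNUPGHOME/river-bundle.tar.gz"
printf 'constructed release bundle contents\n' > "$BUNDLE"
make_release_key
sign_bundle "$BUNDLE"

# A single appended byte invalidates the signature; the .asc is unchanged.
TAMPERED="$GNUPGHOME/tampered.tar.gz"
cp "$BUNDLE" "$TAMPERED"
cp "$BUNDLE.asc" "$TAMPERED.asc"
printf 'x' >> "$TAMPERED"
```

Verification stands or falls on which public keys are trusted in the keyring, which is why the thread's point about cross-signed keys in the Apache web of trust matters more than the choice of signing tool.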
