Hi Gary,

On 2.11.2025 13:11, [email protected] wrote:
> +pub ed25519 2025-10-27 [SC]
> + F4DD59C90148BDC52BEB90A4530AA5F25C25011F
> +uid [ultimate] Gary Gregory <[email protected]>
> +sig 3 530AA5F25C25011F 2025-11-02 [self-signature]
> +uid [ultimate] Gary D. Gregory <[email protected]>
> +sig 3 530AA5F25C25011F 2025-11-02 [self-signature]
> +uid [ultimate] Gary Gregory <[email protected]>
> +sig 3 530AA5F25C25011F 2025-10-27 [self-signature]
> +sub cv25519 2025-10-27 [E]
> +sig 530AA5F25C25011F 2025-10-27 [self-signature]
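Review bot: the added KEYS entry carries only self-signatures; every `sig 3 530AA5F25C25011F ... [self-signature]` line on the three uids, and the `sig 530AA5F25C25011F` on the cv25519 subkey, is issued by the new key F4DD59C90148BDC52BEB90A4530AA5F25C25011F itself, so nothing in this hunk links it to the key that signed earlier releases. A user who already trusts the previous key has no way to carry that trust forward from the KEYS file alone. Suggest certifying the new key with the old one first and re-exporting, so the entry also shows a `sig` line from the old key id before releases are signed with it.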
Do we have a formal procedure for key rotations? Since your key is effectively the authoritative one for Commons, I’d expect at least the following steps:

- Signing the new key with your old key (86fdc7e2a11262cb),
- Uploading the new key to a public keyserver (I couldn’t find it on keyserver.ubuntu.com, though all keyservers should sync eventually),
- Possibly documenting the change via an announcement on user@, dev@, and the Commons website.

Are there any additional steps we should take?

Since I haven’t signed any releases myself (in Logging Services the CI handles that), my signature wouldn’t add much value for end users, but perhaps it could be signed by other keys used for recent Commons releases.

Is there an established procedure for signing code-signing keys? The usual approach (meeting in person to verify fingerprints and check a government-issued ID) doesn’t really apply here. After all, the ASF relies on social identity within the community rather than state-issued identification. However, we could sign your new key and send it to your ASF email address as a form of verification.

Piotr

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
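The first step Piotr lists, signing the new key with the old one, and the check a release verifier would want afterwards, as an added shell example that is not part of the thread and not Gary's or the Commons project's own procedure. It builds two throwaway keys in a temporary GNUPGHOME (the identities `old@example.invalid` and `new@example.invalid` are constructed, not the real keys from the thread), certifies the new key with the old one using `gpg --quick-sign-key`, and then inspects `--list-sigs --with-colons` output to confirm that the new key carries a certification from the old key id rather than self-signatures only:

```shell
#!/bin/sh
# Added example: rotate to a new OpenPGP signing key and verify the old key's
# certification is present. Constructed identities; nothing here is the thread's
# real key material.
set -eu

OLD_UID="Old Signing Key <old@example.invalid>"   # constructed
NEW_UID="New Signing Key <new@example.invalid>"   # constructed

# Non-interactive gpg wrapper: no passphrase, no pinentry, stdout discarded.
gpg_q() {
  gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' "$@" >/dev/null
}

# fingerprint_of <uid>: primary-key fingerprint of the first key matching uid.
fingerprint_of() {
  gpg --batch --with-colons --list-keys "$1" | awk -F: '$1=="fpr"{print $10; exit}'
}

# has_certification <new_fpr> <old_fpr>: "yes" when the key identified by
# new_fpr carries a signature issued by the long key id of old_fpr
# (field 5 of a "sig" record in --with-colons output), else "no".
has_certification() {
  old_keyid=$(printf '%s' "$2" | tail -c 16)
  if gpg --batch --with-colons --list-sigs "$1" \
       | awk -F: -v k="$old_keyid" '$1=="sig" && $5==k {found=1} END{exit found?0:1}'; then
    echo yes
  else
    echo no
  fi
}

# rotate_demo: generate old and new keys, certify new with old, and print the
# has_certification result before and after ("no yes"). Prints "skip" if gpg
# is not installed, so the script degrades cleanly on a minimal host.
rotate_demo() {
  if ! command -v gpg >/dev/null 2>&1; then
    echo skip
    return 0
  fi
  GNUPGHOME=$(mktemp -d)
  export GNUPGHOME
  chmod 700 "$GNUPGHOME"
  trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT

  gpg_q --quick-generate-key "$OLD_UID" ed25519 sign never
  gpg_q --quick-generate-key "$NEW_UID" ed25519 sign never
  old=$(fingerprint_of "$OLD_UID")
  new=$(fingerprint_of "$NEW_UID")

  before=$(has_certification "$new" "$old")   # only self-signatures so far

  # The rotation step: certify the new key's user ids with the old key.
  gpg_q -u "$old" --quick-sign-key "$new"

  after=$(has_certification "$new" "$old")    # old key's sig now present
  echo "$before $after"
}

rotate_demo
```

In a real rotation the `gpg --armor --export` of the new key is taken only after this step, so the KEYS entry and the keyserver copy both carry the old key's certification; `has_certification` is the same check a downstream verifier can run against a downloaded KEYS file after importing it.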
