Piotr,

I agree with what you said; however, it might be that we should spend less
time on PGP.
Many years ago I read Filippo's "I'm giving up on PGP" [1], and it
convinced me PGP was not the future.

>Finding a signature from the old key on the new one serves as evidence
>that the change was *intentional*.

Technically, as long as the key is referenced on commons.apache.org website
(KEYS file), it is enough evidence.
There's no standard on publishing signing keys (there's a Web Key Directory
draft, yet it is not easily applicable),
so different projects end up with different strategies, as seen in [2].

>I agree that PGP is not the future, but right now it’s what we have, and
>we should keep it alive for backward compatibility with users who still
>rely on it.

Asking for an extra ceremony for something that is phasing out might not be
the best idea.
I do have some user-level experience with PGP verification: I authored the
Checksum Dependency Plugin for
verifying Apache JMeter builds in 2019 which later inspired Gradle's
dependency verification [3].
Verifying individual PGP keys and analyzing if they are cross-signed would
take lots of time.

>Such a revocation certificate would be used

I'm afraid OpenPGP does not have trusted timestamps, so it is hard to trust
the revocation timestamp.
At the same time, keys are cached aggressively because keyservers are very
unstable.
The clients won't notice revocations unless they re-download keys.

The solution for revocation seems to be using short-lived keys, just like
Let's Encrypt, which does not do revocations.
Short-lived PGP keys are somewhat hard.

>In the Logging Services PMC we *don't* have direct access to our release
>signing key

Yeah, generating a PGP key in Actions and keeping it in GitHub secrets is the
way to go.
Frankly, I see no reason ASF Infra team should have direct access to the
key: [4]

[1] https://words.filippo.io/giving-up-on-long-term-pgp/
[2] https://github.com/junit-team/junit-framework/issues/2020
[3] https://docs.gradle.org/6.2/release-notes.html#dependency-verification
[4] https://github.com/vlsi/provision-release-pgp-key

Vladimir
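An added example (not from this thread or from any Apache project) of the KEYS-file check discussed above: a POSIX shell function that verifies a release signature in a throwaway keyring and accepts it only if the signing key's fingerprint appears in the project's KEYS file, so trust comes from KEYS rather than from whatever a keyserver currently serves. The KEYS line format, file names and exit codes are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): verify a release artifact against the
# project's KEYS file in a throwaway keyring, and accept the signature only if
# the signing key's fingerprint is listed in KEYS. Paths are assumptions.
set -eu

# Normalise a fingerprint: drop spaces, upper-case.
norm_fpr() {
  printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# Return 0 if fingerprint $1 appears in KEYS file $2 (Apache KEYS files carry
# "Key fingerprint = AAAA BBBB ..." lines), else 1. Pure text check, no gpg.
key_listed_in_keys() {
  want=$(norm_fpr "$1")
  tr -d ' ' < "$2" | tr '[:lower:]' '[:upper:]' | grep -q "$want"
}

# verify_release ARTIFACT ARTIFACT.asc KEYS
# Exit codes: 0 ok, 2 missing input, 3 bad/unknown signature, 4 key not in KEYS.
verify_release() {
  art=$1; sig=$2; keys=$3
  [ -f "$art" ] && [ -f "$sig" ] && [ -f "$keys" ] || return 2
  tmp=$(mktemp -d); chmod 700 "$tmp"
  export GNUPGHOME="$tmp"
  # Import only the project's KEYS file; nothing is fetched from keyservers.
  gpg --batch --quiet --import "$keys" 2>/dev/null
  # --status-fd gives machine-readable lines; VALIDSIG carries the full
  # fingerprint of the key that actually produced the signature.
  status=$(gpg --batch --status-fd 1 --verify "$sig" "$art" 2>/dev/null) || {
    rm -rf "$tmp"; return 3; }
  fpr=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG/ {print $3; exit}')
  rm -rf "$tmp"
  [ -n "$fpr" ] || return 3
  # A valid signature from a key that is NOT in KEYS is still rejected.
  key_listed_in_keys "$fpr" "$keys" || return 4
  echo "OK: signed by $fpr, listed in KEYS"
}
```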
