Thank you again Ádám and Victor! Bummer about the PGP keys hiccups -- I'm
confident we can sort this all out. I'm more worried about making sure the
build contents are valid so hopefully we can move on to that step soon.

James and I fixed the KEYS file together earlier today (US/Pacific
time)--the problem was the missing newline in James's armored public key
data block--this is what I identified/mentioned in my previous email
<https://lists.apache.org/thread/wbzyo7o4qlfl8yyh3l4gkjgfoj1fpd96>. My
improve-keys.patch fixes it, but please ignore that patch, I need to take
another look at it tomorrow (I may have made a mistake, my eyes and hands
are too tired right now to be trusted). The minimal fix in r75241 will do
for the time being -- James's key in the KEYS file is valid now. But only
in the "dev" area!

https://dist.apache.org/repos/dist/dev/fineract/KEYS is fixed

https://dist.apache.org/repos/dist/release/fineract/KEYS is still broken

The difference between these two files is a nuance of the Apache release
process we're using (their subversion setup for test/dev/release
distribution). After reviewing their keys policy
<https://infra.apache.org/release-signing.html#keys-policy> I suggest
deleting the "dev" KEYS file and fixing the "release" KEYS file. I can
think of one good reason to delete the dev one (hooray single source of
truth!), and no good reasons to maintain both. James, I'm happy to pair
with you to fix this.

Ádám Sághy: 4F16 9FF2 63F5 F98E is James's key ID and BD58 EA9F 8520 1ADB
52CF C044 4F16 9FF2 63F5 F98E is the full fingerprint. Notice how those two
strings overlap. I believe the missing uid is an annoying "feature" of
openpgp's keyserver. They require you to answer an email challenge to
include a uid, so James will have to do that if he wants to get his keys in
sync. Since the KEYS file is now valid, that's the best place to get his
key. Please grab the latest copy. For example:

curl https://dist.apache.org/repos/dist/dev/fineract/KEYS | gpg --import

Per PGP best practices, James must be the one to verify the fingerprint for
his key, over a communications channel you both trust. Then he gets your
public key and verifies your fingerprint, then you both trust and sign each
other's keys (hooray web of trust!). The typical / ideal way to do this is
a keysigning party in person. Since we basically span the globe, just
checking fingerprints and release candidate signature validity is probably
the best we can do until we're all able to get together and share some fun
times. I do suggest everyone brush up on PGP skills. I'd be honored to do a
little tutorial on that if folks are interested. This is useful even/also
for non-Apache projects.

Anyway, hopefully now we can get to running the build and war. Anyone else
get as far as running the build and running the war?

Victor wrote:

> I found that the testing on binaryDistTar task is taking my JVM locale
> (which is es-MX), so then changing the locale to en-US fixes it.


Huh! Ok, I'm not really familiar with the nuance there. I'd hope it would
work in both, but I know the build env settings are super fickle so I'm not
surprised. Did the build succeed?

Victor: should your PRs hold up the release?

James: I just noticed you have another key up on the keys.openpgp.org
keyserver, and that one *does* include a uid. Fingerprint is 849F 00D7 F9ED
B744 CCE3 9EF8 B394 C742 765F 8757. I think we made it before the new year?
I suggest revoking that one.
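As an added example (not code from this thread or the Fineract project), a small Python checker for the two things discussed above: it walks a KEYS file and flags armored blocks whose structure is broken, and it confirms that the short key ID is the tail of the full fingerprint. The sample KEYS file is constructed (the blocks are not real keys); its second block is missing the blank line that the armor format requires after the headers, which stands in for the missing-newline defect described in the message.

```python
import base64
import re
ARMOR_RE = re.compile(r"-----BEGIN PGP PUBLIC KEY BLOCK-----\n(.*?)-----END PGP", re.S)

def crc24(data: bytes) -> int:
    """OpenPGP armor checksum (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def check_keys_file(text: str) -> list:
    """(block_number, problem) for each armored block that breaks the format."""
    problems = []
    for n, m in enumerate(ARMOR_RE.finditer(text), 1):
        inner = m.group(1)
        if "\n\n" not in inner:  # armor headers must be followed by a blank line
            problems.append((n, "missing blank line after armor headers"))
            continue
        lines = [ln for ln in inner.split("\n\n", 1)[1].splitlines() if ln.strip()]
        if not lines or not lines[-1].startswith("="):
            problems.append((n, "missing CRC24 line"))
            continue
        try:
            data = base64.b64decode("".join(lines[:-1]), validate=True)
            want = base64.b64decode(lines[-1][1:], validate=True)
        except ValueError:  # binascii.Error is a subclass of ValueError
            problems.append((n, "body is not valid base64"))
            continue
        if crc24(data).to_bytes(3, "big") != want:
            problems.append((n, "CRC24 mismatch"))
    return problems

def key_id_matches(fingerprint: str, key_id: str) -> bool:
    """The long key ID is the last 16 hex digits of a v4 fingerprint."""
    fp, kid = (re.sub(r"\s+", "", s).upper() for s in (fingerprint, key_id))
    return len(fp) == 40 and len(kid) == 16 and fp.endswith(kid)

def _armor(payload: bytes, blank_line: bool) -> str:
    # Builds a constructed armored block (not a real key) for the sample below.
    body = base64.b64encode(payload).decode()
    crc = base64.b64encode(crc24(payload).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nComment: constructed sample"
            + ("\n\n" if blank_line else "\n") + f"{body}\n={crc}\n-----END PGP PUBLIC KEY BLOCK-----\n")

# Constructed KEYS file: block 1 is well-formed, block 2 lacks the blank line.
SAMPLE_KEYS = _armor(b"not-a-real-key-1", True) + "\n" + _armor(b"not-a-real-key-2", False)
```

Running `check_keys_file` over the real file fetched with the curl command above reports which block to look at before `gpg --import` is attempted.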
