> -----Original Message-----
> From: Carl Marcum [mailto:cmar...@apache.org]
> Sent: Tuesday, April 5, 2016 15:08
> To: dev@openoffice.apache.org
> Subject: Re: [DISCUSS][VOTE] Release Groovy UNO Extension 0.1.4
>
> On 04/05/2016 01:36 PM, Dennis E. Hamilton wrote:
> > Side question.
> >
> >> -----Original Message-----
> >> From: Carl Marcum [mailto:cmar...@apache.org]
> >> Sent: Tuesday, April 5, 2016 04:07
> >> To: dev@openoffice.apache.org
> >> Subject: [VOTE] Release Groovy UNO Extension 0.1.4 [ ... ]
> >> I'm signing with a new 4096 bit key I recently added to KEYS.
> >>
> > [orcmid]
> >
> > I forgot to ask this when you mentioned the new key before.
> >
> > Carl, is the fingerprint of this new key added to your account information at id.apache.org?
> >
> > I see only one entry for cmarcum at <https://people.apache.org/keys/committer/> and that
> >
> >   ASF ID: cmarcum
> >   LDAP PGP key: 8204 E089 64AC 9ABA 7472 A123 669C FA03 CED4 6810
> >
> >   pub   2048R/CED46810 2011-07-04 Carl Marcum <cmar...@apache.org>
> >         Key fingerprint = 8204 E089 64AC 9ABA 7472 A123 669C FA03 CED4 6810
> >   uid   Carl Marcum <carl.mar...@codebuilders.net>
> >   sub   2048R/3175CD6A 2011-07-04
> >
> > is for your older 2048-bit key. (Note that you can have any number of key signatures in your account record and you should probably not remove any that have been used in signing releases or for any other situation where confirmation is needed that the key is one of yours as an ASF committer.)
> >
> > The committer keys file is automatically updated from PGP key signatures and will reflect countersignatures on your key (circle of trust attestations). If the key is ever revoked for any reason, that will be discoverable there too unless the fingerprint or apache account are removed. (Of course, you must publish your new 4069-bit public key to a PGP key server for this to work.)
> >
> > As far as I know, public keys in release-archive KEYS files are not automatically synchronized in that manner, although the one associated with projects is, such as the one at <https://people.apache.org/keys/group/openoffice.asc>. This should *not* be used as a release KEYS though. See <https://people.apache.org/keys/> for details.
> >
> > What is needed in KEYS files for authenticating a release and stored in the mirror directories is always cumulative, so any signature you have used to sign a release (candidate) needs to be in the release-associated KEYS file. It is nice to use the <https://people.apache.org/keys/committer/>-accessed version of the key in our KEYS file because that one has the useful descriptive information as shown for your 2048-bit key, above.
> >
> > Note that keys that have not been used in signing release candidates do not need to be in release-associated KEYS files and it is good practice (and a useful precaution) to keep it that way.
> >
> > PS: None of this is a release blocker. But you can get the dots connected before the [VOTE] concludes. I assume there is no further reason to touch the KEYS file that you have already updated.
> >
> > - Dennis
> >
>
> Hi Dennis,
>
> Thank you for the reminder.
>
> My new key was uploaded to public servers. ex.
> https://pgp.mit.edu/pks/lookup?op=vindex&search=0xF1DA7E3B9553BF9A
>
> Before the vote I manually added it to
> http://www.apache.org/dist/openoffice/KEYS
>
> I have just now added the new fingerprint to my profile at
> https://id.apache.org/
> for reference it is:
>
>   pub   4096R/9553BF9A 2016-04-02
>         Key fingerprint = 813A C3C2 48B3 F26F B5D1 EB32 F1DA 7E3B 9553 BF9A
>   uid   Carl Marcum (CODE SIGNING KEY) <cmar...@apache.org>
>   uid   Carl Marcum (CODE SIGNING KEY) <carl.mar...@codebuilders.net>
>   sub   4096R/D8524D84 2016-04-02
>
> Is there now something that needs fixed?

[orcmid]

I think you've covered all the bases, Carl.

>
> Thanks,
> Carl
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
> For additional commands, e-mail: dev-h...@openoffice.apache.org