Thanks for pointing that out, Penghui. I can confirm that my KEY is not signed.
While it's not the same as in person verification, I'll note that since becoming a committer I have signed all of my git commits with the same gpg key used to sign these release artifacts. At the very least, we can be confident that the author of those commits is also the author of these artifacts. :) Thanks, Michael On Wed, Feb 16, 2022 at 9:05 PM PengHui Li <peng...@apache.org> wrote: > > Thanks for the explanation Dave. > > Best, > Penghui > > On Thu, Feb 17, 2022 at 10:37 AM Dave Fisher <wave4d...@comcast.net> wrote: > > > While it’s preferred that KEYS are signed it’s not required. The last > > Apache key signing party was at Apachecon Las Vegas in 2019. Here’s looking > > forward to the next one. Bring your government ids. > > > > Regards, > > Dave > > > > Sent from my iPhone > > > > > On Feb 16, 2022, at 6:11 PM, PengHui Li <peng...@apache.org> wrote: > > > > > > Hi Michael, > > > > > > Please check your key > > > > > > ``` > > > gpg: assuming signed data in 'apache-pulsar-2.8.3-bin.tar.gz' > > > gpg: Signature made Wed Feb 16 04:49:42 2022 CST > > > gpg: using RSA key > > BD4291E509D771B79E7BD1F5C5724B3F5588C4EB > > > gpg: Good signature from "Michael Marshall <mmarsh...@apache.org>" > > [unknown] > > > gpg: WARNING: This key is not certified with a trusted signature! > > > gpg: There is no indication that the signature belongs to the > > > owner. > > > ``` > > > > > > I think it should be an issue that the key does not been signed? I'm not > > > sure. > > > > > > Thanks, > > > Penghui > > > > > >> On Thu, Feb 17, 2022 at 9:56 AM PengHui Li <peng...@apache.org> wrote: > > >> > > >> +1 (binding) > > >> > > >> - Checked the signature > > >> - Start the standalone > > >> - Publish and consume messages > > >> - Check the Cassandra connector > > >> - Check the stateful function > > >> > > >> Thanks for the great work, > > >> Penghui > > >> > > >> On Wed, Feb 16, 2022 at 12:35 PM Michael Marshall <mmarsh...@apache.org > > > > > >> wrote: > > >> > > >>> This is the second release candidate for Apache Pulsar, version 2.8.3. > > >>> > > >>> It fixes the following issues: > > >>> https://github.com/apache/pulsar/compare/v2.8.2...v2.8.3-candidate-2 > > >>> > > >>> *** Please download, test and vote on this release. This vote will stay > > >>> open > > >>> for at least 72 hours *** > > >>> > > >>> Note that we are voting upon the source (tag), binaries are provided > > for > > >>> convenience. > > >>> > > >>> Source and binary files: > > >>> > > https://dist.apache.org/repos/dist/dev/pulsar/pulsar-2.8.3-candidate-2/ > > >>> > > >>> SHA-512 checksums: > > >>> > > >>> > > >>> > > aa9fb934260e158fe6a30208324459dd747d32fbb52ee61a28a322c6161f3e21d2e97f61118ee0e82488720f7c7787233949ef9eb80567b83896f08b12c54090 > > >>> ./apache-pulsar-2.8.3-bin.tar.gz > > >>> > > >>> > > 47747e2cdc323c00fcdd08c537c77f355a94fbfaee77789718cb70e52726b7084522a842505e7eff1c1be26fddc850f2134d400a803854286ac8ea2f7cada121 > > >>> ./apache-pulsar-2.8.3-src.tar.gz > > >>> > > >>> Unofficial Docker images: > > >>> michaelmarshall/pulsar:2.8.3-rc2 > > >>> michaelmarshall/pulsar-all:2.8.3-rc2 > > >>> michaelmarshall/pulsar-standalone:2.8.3-rc2 > > >>> michaelmarshall/pulsar-grafana:2.8.3-rc2 > > >>> > > >>> Maven staging repo: > > >>> > > https://repository.apache.org/content/repositories/orgapachepulsar-1140/ > > >>> > > >>> The tag to be voted upon: > > >>> v2.8.3-candidate-2 (83a522f3a17d41eb3727ffee67cdf035e8ea471b) > > >>> https://github.com/apache/pulsar/releases/tag/v2.8.3-candidate-2 > > >>> > > >>> Pulsar's KEYS file containing PGP keys we use to sign the release: > > >>> https://dist.apache.org/repos/dist/dev/pulsar/KEYS > > >>> > > >>> Please download the source package, and follow the README to build > > >>> and run the Pulsar standalone service. > > >>> > > >> > > > >
