We have two KEYS files stored on https://dist.apache.org, one in the Release directory and one in the Dev directory.

Apache Release Distribution Policy (https://infra.apache.org/release-download-pages.html) requires, and on the Download page (https://pulsar.apache.org/en/download/) we refer to, https://downloads.apache.org/pulsar/KEYS, which is correct. However, all of our recent releases are signed with the file here: https://dist.apache.org/repos/dist/dev/pulsar/KEYS

The wiki on releases needs to indicate that we should update the release keys and never remove a key that has ever been used to sign a Pulsar release. These updates need to be done by a PMC member.

I have merged the dev KEYS into the release KEYS.

% gpg --import KEYS
gpg: key 7B6A6401BF99B4A3: "Matteo Merli (CODE SIGNING KEY) <mme...@apache.org>" not changed
gpg: key C238A8CAAC055FD2: "Matteo Merli <mme...@apache.org>" not changed
gpg: key 3956248899767A23: "rdhabalia <rdhaba...@apache.org>" not changed
gpg: key F260D7EDE4EECE23: "Joe Francis (CODE SIGNING KEY) <j...@apache.org>" not changed
gpg: key A92D27AAC3D80414: "Nozomi Kurihara (CODE SIGNING KEY) <nkuri...@apache.org>" not changed
gpg: key C8A00D9222DE9ECF: "Yuki Shiga (CODE SIGNING KEY) <yush...@apache.org>" not changed
gpg: key 167F106C5D529B4D: "Masahiro Sakamoto (CODE SIGNING KEY) <massa...@apache.org>" not changed
gpg: key CF2A679717747AD4: "Hiroyuki Sakai (CODE SIGNING KEY) <hrsa...@apache.org>" not changed
gpg: key 7BA1A64CBBC114EC: "Jai Asher (CODE SIGNING KEY) <j...@apache.org>" not changed
gpg: key 5B3FBDB4FD74402C: "Sijie Guo <si...@apache.org>" not changed
gpg: key C69517E5621D7F5F: "Jerry Peng (CODE SIGNING KEY) <jerryp...@apache.org>" not changed
gpg: key 772D77990D717CBC: "Penghui Li (CODE SIGNING KEY) <peng...@apache.org>" not changed
gpg: key BC86116ED3F5E291: "Jia Zhai (3...) <zhai...@apache.org>" not changed
gpg: key C238A8CAAC055FD2: "Matteo Merli <mme...@apache.org>" not changed
gpg: key 3956248899767A23: "rdhabalia <rdhaba...@apache.org>" not changed
gpg: key F260D7EDE4EECE23: "Joe Francis (CODE SIGNING KEY) <j...@apache.org>" not changed
gpg: key A92D27AAC3D80414: "Nozomi Kurihara (CODE SIGNING KEY) <nkuri...@apache.org>" not changed
gpg: key C8A00D9222DE9ECF: "Yuki Shiga (CODE SIGNING KEY) <yush...@apache.org>" not changed
gpg: key 167F106C5D529B4D: "Masahiro Sakamoto (CODE SIGNING KEY) <massa...@apache.org>" not changed
gpg: key CF2A679717747AD4: "Hiroyuki Sakai (CODE SIGNING KEY) <hrsa...@apache.org>" not changed
gpg: key 7BA1A64CBBC114EC: "Jai Asher (CODE SIGNING KEY) <j...@apache.org>" not changed
gpg: key 5B3FBDB4FD74402C: "Sijie Guo <si...@apache.org>" not changed
gpg: key C69517E5621D7F5F: "Jerry Peng (CODE SIGNING KEY) <jerryp...@apache.org>" not changed
gpg: key 577C07CA867AE910: "guangning (Apache Committer) <guangn...@apache.org>" not changed
gpg: key B49DF828AFC9A442: "xiaolong (CODE SIGNING KEY) <r...@apache.org>" not changed
gpg: key FAAF93DC8E90A118: "Yong Zhang (APACHE CODE SIGNING KEY) <y...@apache.org>" not changed
gpg: key BC86116ED3F5E291: "Jia Zhai (3...) <zhai...@apache.org>" not changed
gpg: key 577C07CA867AE910: "guangning (Apache Committer) <guangn...@apache.org>" not changed
gpg: key B49DF828AFC9A442: "xiaolong (CODE SIGNING KEY) <r...@apache.org>" not changed
gpg: key FAAF93DC8E90A118: "Yong Zhang (APACHE CODE SIGNING KEY) <y...@apache.org>" not changed
gpg: key DC08637CA615D22C: "Enrico Olivelli <eolive...@apache.org>" not changed
gpg: key 6B59B6A7804AB38D: "Addison Higham (CODE SIGNING KEY) <addis...@apache.org>" not changed
gpg: key D3FA67D522C55256: "Lari Hotari (CODE SIGNING KEY) <lhot...@apache.org>" not changed
gpg: key E8D2ED3D0C2FA918: "congbo <bog...@apache.org>" not changed
gpg: key 7408747E09CAB5E5: "congbo (congbobo184) <bog...@apache.org>" not changed
gpg: key 6BD513735EDFBA3A: "bogong (congbobo184) <bog...@apache.org>" not changed
gpg: key A641378C97944D34: public key "chenhang (CODE SIGNING KEY) <chenh...@apache.org>" imported
gpg: key 2C9C4267F240F95A: public key "Chris Kellogg (CODE SIGNING KEY) <cckell...@apache.org>" imported
gpg: key 249DF015663A88B9: public key "linlin <lin...@apache.org>" imported
gpg: key 61931C9DB84C4F2A: public key "technoboy (CODE SIGNING KEY) <techno...@apache.org>" imported
gpg: key 61931C9DB84C4F2A: "technoboy (CODE SIGNING KEY) <techno...@apache.org>" not changed
gpg: key 46F42383EB24F7AA: public key "ran gao <r...@apache.org>" imported
gpg: key BC33A6A32F90D558: public key "ran gao (CODE SIGNING KEY) <r...@apache.org>" imported
gpg: key C5724B3F5588C4EB: public key "Michael Marshall <mmarsh...@apache.org>" imported
gpg: key BC8E5EDA35763362: public key "Li Li (CODE SIGNING KEY) <urf...@apache.org>" imported
gpg: key 5847FC5592B9FCC8: public key "Rui Fu (CODE SIGNING KEY) <r...@apache.org>" imported
gpg: Total number processed: 46
gpg: imported: 9
gpg: unchanged: 37

All the best,
Dave
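
The check implied by the message above, as an added example that is not part of the original message or of the Pulsar project's tooling: list primary keys that appear in one KEYS file but not in another, which covers both dev KEYS against release KEYS and the previous release KEYS against an updated one. The function names, listing file names and sample fingerprints are assumptions constructed for illustration; the input is the output of `gpg --show-keys --with-colons`.

```shell
#!/bin/sh
# Compare two KEYS files by primary-key fingerprint.
# Inputs are colon listings produced beforehand with, for example:
#   gpg --show-keys --with-colons dev/KEYS     > dev.colons
#   gpg --show-keys --with-colons release/KEYS > release.colons
LC_ALL=C; export LC_ALL   # same collation for sort and comm

# Read a colon listing on stdin, print each primary key fingerprint once.
primary_fprs() {
    awk -F: '
        $1 == "pub"         { want = 1; next }       # start of a primary key
        $1 == "fpr" && want { print $10; want = 0 }  # later fpr records are subkeys
    ' | sort -u
}

# missing_keys A B: fingerprints present in listing A but absent from B.
missing_keys() {
    mk_a=$(mktemp); mk_b=$(mktemp)
    primary_fprs < "$1" > "$mk_a"
    primary_fprs < "$2" > "$mk_b"
    comm -23 "$mk_a" "$mk_b"
    rm -f "$mk_a" "$mk_b"
}

# Constructed sample listings; the fingerprints are made up.
sample_dev() { cat <<'EOF'
pub:-:4096:1:1111111111111111:1500000000:::-:::scESC::::::23::0:
fpr:::::::::1111111111111111111111111111111111111111:
uid:-::::1500000000::0000::Release Manager One <rm1@example.org>::::::::::0:
sub:-:4096:1:9999999999999999:1500000000::::::e::::::23:
fpr:::::::::9999999999999999999999999999999999999999:
pub:-:4096:1:2222222222222222:1600000000:::-:::scESC::::::23::0:
fpr:::::::::2222222222222222222222222222222222222222:
pub:-:4096:1:3333333333333333:1650000000:::-:::scESC::::::23::0:
fpr:::::::::3333333333333333333333333333333333333333:
EOF
}
# Release listing holding only the first two keys of the dev listing.
sample_release() { sample_dev | awk -F: '$1 == "pub" { n++ } n < 3'; }

# With two listing files as arguments, exit non-zero if any key is missing.
if [ "$#" -eq 2 ]; then
    out=$(missing_keys "$1" "$2")
    [ -z "$out" ] || { printf 'missing from %s:\n%s\n' "$2" "$out"; exit 1; }
fi
```

Run with the old listing first and the new listing second; empty output means no key was dropped.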