Hi, Yunze I think the KEYS file in the release repo is necessary. They are both used to verify the release file. Otherwise, the user will fail when checking the GPG signature on the release file.
BR, Zike Yang On Fri, Feb 17, 2023 at 2:16 PM Yunze Xu <y...@streamnative.io.invalid> wrote: > > Hi all, > > I found the GPG keys, which are used in verifying the signatures of > release candidates, are much different in dev and release > repositories: > https://dist.apache.org/repos/dist/dev/pulsar/KEYS > https://dist.apache.org/repos/dist/release/pulsar/KEYS > > From here [1], it seems like we need to append the GPG key of a > committer into the release repo as well. But it seems that the KEYS > file in the release repo is never used. Should we make them > consistent? Or just remove the KEYS file in release repo? > > [1] > https://pulsar.apache.org/contribute/create-gpg-keys/#appending-the-key-to-keys-files
