Re: Inconsistent GPG keys in dev and release repositories

Fri, 17 Feb 2023 01:06:41 -0800 

> When a new committer wants to cut a release they can ask for help to
the PMC to add their KEY to the "release" KEYS

I agree. We should only allow a PMC member to update the key.

> Seems that you didn't add your public key here [0].

Yes, I found this issue as well, my key is only added to the dev repo.

I will add the missed keys to the release repo.

Thanks,
Yunze

On Fri, Feb 17, 2023 at 4:52 PM Zike Yang <z...@apache.org> wrote:
>
> Hi, Yunze
>
> Seems that you didn't add your public key here [0]. There is an issue
> when verifying the Pulsar C++ Client 3.1.2 released files:
> ```
> ➜  pulsar-archive gpg --verify apache-pulsar-client-cpp-3.1.2.tar.gz.asc
> gpg: assuming signed data in 'apache-pulsar-client-cpp-3.1.2.tar.gz'
> gpg: Signature made 三  2/ 8 16:05:49 2023 CST
> gpg:                using RSA key 9FE9B4F8A2DFD44891CBA27442BB6AFB6CD26FA6
> gpg: Can't check signature: No public key
> ```
>
> I think you need to upload your kesy to [1].
>
> [0] https://archive.apache.org/dist/pulsar/KEYS
> [1] https://dist.apache.org/repos/dist/release/pulsar/KEYS
>
> BR,
> Zike Yang
>
> On Fri, Feb 17, 2023 at 4:22 PM Yunze Xu <y...@streamnative.io.invalid> wrote:
> >
> > Oh that's right. Then we have to update one of them.
> >
> > Thanks,
> > Yunze
> >
> > On Fri, Feb 17, 2023 at 3:02 PM Zike Yang <z...@apache.org> wrote:
> > >
> > > Hi, Yunze
> > >
> > > I think the KEYS file in the release repo is necessary. They are both
> > > used to verify the release file. Otherwise, the user will fail when
> > > checking the GPG signature on the release file.
> > >
> > > BR,
> > > Zike Yang
> > >
> > > On Fri, Feb 17, 2023 at 2:16 PM Yunze Xu <y...@streamnative.io.invalid> 
> > > wrote:
> > > >
> > > > Hi all,
> > > >
> > > > I found the GPG keys, which are used in verifying the signatures of
> > > > release candidates, are much different in dev and release
> > > > repositories:
> > > > https://dist.apache.org/repos/dist/dev/pulsar/KEYS
> > > > https://dist.apache.org/repos/dist/release/pulsar/KEYS
> > > >
> > > > From here [1], it seems like we need to append the GPG key of a
> > > > committer into the release repo as well. But it seems that the KEYS
> > > > file in the release repo is never used. Should we make them
> > > > consistent? Or just remove the KEYS file in release repo?
> > > >
> > > > [1] 
> > > > https://pulsar.apache.org/contribute/create-gpg-keys/#appending-the-key-to-keys-files

Reply via email to