ReleaseSigning

References

• Apache Release Signing: http://www.apache.org/dev/release-signing.html
• GNU Privacy Handbook http://www.gnupg.org/gph/en/manual.html
• Verifying HTTPD Releases: http://httpd.apache.org/dev/verification.html
• Cygwin has gnupg 1.4.1-1 http://www.cygwin.com/
• http://quotedprintable.com/articles/2005/10/23/gpg-quickstart-guide
• Maven GPG Plugin http://maven.apache.org/plugins/maven-gpg-plugin/
• Older scripts for signing files
  • Script to recursively sign files: http://gleamynode.net/wordpress/archives/129 -> ReleaseSignRecursive
  • Similar script to recursively sign files: http://maven.apache.org/maven-1.x/developers/making-releases.html
• ApacheCon EU 2006 key signing: http://ken.coar.org/burrow/index?entry=2221;words=all;sanitise=false;comments=true;comments=true

Useful Commands

• Generating a key pair
  • http://www.gnupg.org/gph/en/manual.html#AEN26

  $ gpg --gen-key
    (accept the defaults)

• Generating a revocation certificate
  • http://www.gnupg.org/gph/en/manual.html#REVOCATION
  • ('mykey' is a key specifier-- any part of the uid will do.)
  • Print this and save it somewhere in case you ever need to revoke the key.

  $ gpg --output revoke.asc --gen-revoke mykey

• Adding a key to a text file (usually called KEYS)

  $ (gpg --fingerprint --list-sigs <your name> && gpg --armor --export <your name>) >> filename

• Retrieving keys and verifying the signature of a release

  $ wget http://www.apache.org/dist/struts/KEYS
  $ gpg --import KEYS
  $ gpg --verify struts-shale-1.0.0.zip.asc struts-shale-1.0.0.zip

• Pointing gpg somewhere other than ~/.gnupg with homedir
  • http://library.n0i.net/cryptography%20-%20security/gnupg-handbook/r1616.html

  $ gpg --homedir /cygdrive/e/wsmoak/.gnupg
       or
  $ export GNUPGHOME=/cygdrive/e/wsmoak/.gnupg

• Signing a file

  $ gpg --armor --output foo.tar.gz.asc --detach-sig foo.tar.gz 

Note: Signing artifacts and distributions can be done with the Maven GPG Plugin

Public Key Servers

• http://pgpkeys.mit.edu/
  • Paste the output of the following into the box, and submit

  $ gpg --armor --export yourid@apache.org