This guide aims to help release managers to set up a release-compliant local environment.
The content is partially taken from the Apache PLC4X project: https://plc4x.apache.org/developers/release/release.html
Updating KEYS file
(taken from Apache Pulsar: https://github.com/apache/pulsar/wiki/Create-GPG-keys-to-sign-release-artifacts)Further info:
...
...
This is a condensed version of instructions available at
The following steps are required in order to create a new GPG key and upload it to the KEYS file:
| Code Block |
|---|
| language | bash |
|---|
| title | Install GPG |
|---|
|
brew install gnupg |
...
| Code Block |
|---|
| language | bash |
|---|
| title | Check the version |
|---|
|
gpg --version
gpg (GnuPG) 2.1.22
libgcrypt 1.8.0
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: /Users/nkurihar/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2 |
...
| Code Block |
|---|
| language | bash |
|---|
| title | Generate new GPG key. Note that |
|---|
|
...
| new RSA keys generated should be at |
|
...
|
# For 1.x or 2.0.x
gpg --gen-key
# For 2.1.x
gpg --full-gen-key
gpg (GnuPG) 2.1.22; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
|
...
(1) RSA and RSA (default)
|
...
...
...
(4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits |
...
Please specify how long the key should be valid.
|
...
...
<n> = key expires in n days
|
...
<n>w = key expires in n weeks
|
...
<n>m = key expires in n months
|
...
<n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y
|
...
GnuPG needs to construct a user ID to identify your key.
Real name: test user
Email address: test@apache.org
Comment: CODE SIGNING KEY |
...
...
You selected this USER-ID:
|
...
"test user (CODE SIGNING KEY) <test@apache.org>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
|
...
The GPG key needs to be appended to KEYS file that is stored in 2 SVN locations, one for proper releases and one for the release candidates.
The credentials for SVN are the usual Apache account credentials.
| Code Block |
|---|
| language | bash |
|---|
| title | Upload to SVN |
|---|
|
# Checkout the SVN folder containing the KEYS file
svn co https://dist.apache.org/repos/dist/dev/incubator/ |
...
...
...
# Export the key in ascii format and append it to the file
( gpg --list-sigs |
...
$USER@apache.org
gpg --export --armor |
...
$USER@apache.org ) >> KEYS
# Commit to SVN
svn ci -m "Added gpg key for $USER" |
Repeat the same operation for the release KEYS file:
If you are not PMC, you can ignore it.
| Code Block |
|---|
| language | bash |
|---|
| title | Upload to release SVN |
|---|
|
svn co https://dist.apache.org/repos/dist/release/incubator/ |
...
...
...
# ... Same as above
( gpg --list-sigs |
...
$USER@apache.org
gpg --export --armor |
...
$USER@apache.org ) >> KEYS
# Commit to SVN
svn ci -m "Added gpg key for $USER" |
...
...
| key to a public key server |
|
# Use the key id to publish it to a public key server: |
...
gpg --send-key 8C75C738C33372AE198FD10CC238A8CAAC055FD2 |
Preparing the system for being able to release
...