Because a GPG key is used for releasing, this doc is intended for the Release Manager.

To release a version, e.g. 2.1.0, we need to prepare 3 files:

  • apache-pegasus-2.1.0-incubating-src.zip # source package
  • apache-pegasus-2.1.0-incubating-src.zip.asc # digital signature
  • apache-pegasus-2.1.0-incubating-src.zip.sha512 # checksum

This doc describes how to generate the "digital signature" file, which verifies if the package is signed by Apache PPMC

...

If this is not your first time configuring the GPG key, please skip to step 4.


1. Install gpg on your system. A Linux distribution usually has gpg preinstalled.

➜ gpg --version


2. Generate a GPG Key. Please note the bold tips.

➜ gpg --full-gen-key # the results are shown as follows

...


gpg: key 654XXXXA91BBXXXX marked as ultimately trusted
gpg: directory '/home/wutao1/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/wutao1/.gnupg/openpgp-revocs.d/45A0XXXF1XXB62663XX673C654EXX8A91XXX5AF.rev' 
public and secret key created and signed.

pub rsa4096 2020-09-05 [SC]
45A0735F19A8B62663AF673C654E588A91BB85AF
uid Tao Wu <wutao@apache.org>
sub rsa4096 2020-09-05 [E]


After the above steps, you have successfully created a GPG key.


3. Add your public key to Apache Pegasus's distribution repo.

➜ sudo apt install subversion 

➜ svn co https://dist.apache.org/repos/dist/dev/incubator/pegasus/ dist-dev-pegasus # The pegasus repo

➜ cd dist-dev-pegasus

➜ gpg --list-sigs "wutao@apache.org" && gpg --armor --export "wutao@apache.org" >> KEYS # KEYS contains the public keys of all Release Managers

➜ svn commit # Upload your changes


Suppose we have a package called "apache-pegasus-2.1.0-incubating-src.zip".

➜ export GPG_TTY=$(tty) # This can be added to your .bashrc/.zshrc

➜ gpg --local-user "wutao@apache.org" --armor --detach-sig apache-pegasus-2.1.0-incubating-src.zip # Create a digital signature

➜ gpg --verify apache-pegasus-2.1.0-incubating-src.zip.asc apache-pegasus-2.1.0-incubating-src.zip # Verify that everything was done correctly.

gpg: Signature made 2020年09月07日 星期一 12时21分44秒 CST
gpg: using RSA key B29EB88AD60BB41EC9D82687B1DA1BBC34C617A9
gpg: issuer "wutao@apache.org"
gpg: Good signature from "Tao Wu <wutao@apache.org>" [ultimate] # Correct!
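
The "Good signature" line only tells you the signature matches some key in your keyring, so a scripted check should also pin the signer. The following is an added example (not part of the original Pegasus doc) that reads gpg's --status-fd output and accepts a signature only when the primary-key fingerprint is the expected one; the function names and the sample fingerprint are constructed for illustration.

```shell
#!/bin/sh
# Added example: accept a release signature only if it was made by the
# key you expect, using gpg's machine-readable status lines.

# signer_matches EXPECTED_FPR   (reads gpg --status-fd output on stdin)
# Succeeds only if a VALIDSIG line names EXPECTED_FPR as the primary key
# (last field) and no line reports a bad, expired or revoked-key signature.
signer_matches() {
  # Normalise fingerprints pasted with spaces or in lower case.
  expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
  [ -n "$expected" ] || return 1
  matched=1
  while read -r tag keyword rest; do
    [ "$tag" = "[GNUPG:]" ] || continue
    case "$keyword" in
      BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG) return 1 ;;
      VALIDSIG) if [ "${rest##* }" = "$expected" ]; then matched=0; fi ;;
    esac
  done
  return "$matched"
}

# verify_release ARCHIVE EXPECTED_FPR
# Verifies ARCHIVE against ARCHIVE.asc and checks who signed it.
# EXPECTED_FPR is the release manager's fingerprint as published in KEYS.
verify_release() {
  gpg --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null | signer_matches "$2"
}

# Constructed sample of what gpg prints on --status-fd for a good signature
# (fingerprint and identity are made up, not taken from the page).
sample_status() {
  cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example RM <rm@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2020-09-07 1599452504 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
EOF
}

# Offline demonstration on the constructed sample.
if sample_status | signer_matches "0123456789ABCDEF0123456789ABCDEF01234567"; then
  echo "signer matches expected fingerprint (constructed sample)"
fi
```

With a real package, call verify_release apache-pegasus-2.1.0-incubating-src.zip "<fingerprint from KEYS>" and treat a non-zero exit status as a failed release check.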