...

This scary-looking warning can be eliminated if the signing keys for our releases are part of the web of trust.

Despite "key signing parties", I believe one should only ask for your keys to be signed by people you know and interact with routinely. (Some reasoning about this here: https://baturin.org/notes/signing-parties/)

...

Here are the steps. Four Linux command lines are involved.

...

Warning: I am not sure how this differs for MS-Windows or Apple users.

Our release process requires those signing releases to put their GPG keys into the KEYS file in Daffodil. 

...

pub   rsa4096/274B8F1413A680AF 2018-08-16 [SC]
          Key fingerprint = 4B6A 956D 3ED3 6502 6880  2E37 274B 8F14 13A6 80AF
uid                            Michael J. Beckerle (Code Signing Key) <mbeckerle@apache<mbeckerle@...org>

If you trust that this is my identity you can sign my public key via these steps.

...

Verify that the public key for me from the KEYS file is the same as the one you see above, and then:

 gpg --list-keys --fingerprint 274B8F1413A680AF

...

Sign my key with yours. (Someone else signs yours the same way.) Note that this will prompt you for your private key's pass phrase, allowing it to use your private key.
Hopefully you still have this pass phrase somewhere protected. Copy the pass phrase (e.g., to the clipboard) before you issue this command:

...
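The verification step above says to check that the key in the KEYS file matches the fingerprint printed on this page. The following is an added example, not part of the original page or of Daffodil: it parses `gpg --with-colons --fingerprint` output and compares the full 40-hex-digit fingerprint of the primary key (not just the 16-hex-digit key ID, which is only its suffix) against the value shown above. The colon-format sample is constructed, with a placeholder e-mail address.

```python
import re
from typing import Optional

# Key ID and fingerprint as printed on the page for the Daffodil code-signing key.
KEY_ID = "274B8F1413A680AF"
EXPECTED_FPR = "4B6A 956D 3ED3 6502 6880  2E37 274B 8F14 13A6 80AF"

def normalize_fpr(text: str) -> str:
    """Collapse the human-readable 'XXXX XXXX ...' layout into 40 uppercase hex digits."""
    fpr = re.sub(r"\s+", "", text).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError(f"not a v4 OpenPGP fingerprint: {text!r}")
    return fpr

def primary_fingerprint(colon_output: str, key_id: str) -> Optional[str]:
    """Fingerprint of the primary key whose long key ID is key_id, from --with-colons output.

    A 'pub' record (key ID in field 5) is followed by its 'fpr' record (field 10).
    'sub' records reset the state so a subkey fingerprint is never taken for the primary.
    """
    in_primary = False
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            in_primary = fields[4].upper() == key_id.upper()
        elif fields[0] == "sub":
            in_primary = False
        elif fields[0] == "fpr" and in_primary:
            return fields[9].upper()
    return None

def fingerprint_matches(colon_output: str, key_id: str, expected: str) -> bool:
    """True only if the full fingerprint matches and the key ID is consistent with it."""
    exp = normalize_fpr(expected)
    if not exp.endswith(key_id.upper()):
        return False  # a key ID that is not the fingerprint's suffix cannot be the same key
    return primary_fingerprint(colon_output, key_id) == exp

# Constructed sample of gpg --with-colons output for the key above (not captured from a real keyring).
SAMPLE = """\
pub:-:4096:1:274B8F1413A680AF:1534377600:::-:::scESC::::::23::0:
fpr:::::::::4B6A956D3ED3650268802E37274B8F1413A680AF:
uid:-::::1534377600::0000000000000000000000000000000000000000::Michael J. Beckerle (Code Signing Key) <user@example.invalid>::::::::::0:
sub:-:4096:1:0000000000000000:1534377600::::::e::::::23:
fpr:::::::::0000000000000000000000000000000000000000:
"""

if __name__ == "__main__":
    print("fingerprint OK" if fingerprint_matches(SAMPLE, KEY_ID, EXPECTED_FPR) else "MISMATCH")
```

To check a real keyring, feed the function the output of `gpg --with-colons --fingerprint 274B8F1413A680AF` instead of the constructed sample.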