...
Apache CloudStack uses PGP signatures as one way of insuring and verifying the integrity of our releases. This works best when there is a well established web of trust ( http://en.wikipedia.org/wiki/Web_of_trust_ ) that verifies the authenticity of the keys in question.
...
You'll obviously need a PGP key of your own. The Fedora Project has excellent documentation for doing this in Linux: http://fedoraproject.org/wiki/Creating_GPG_Keys
For other operating systems see this page: https://help.riseup.net/en/howto-gpg-keys
Once you have your keypair you should send your public key to david+gpgkeysigning@gnsa.us before Sunday.
...