...
Create keys needed to sign the release
If you do not have a key set up for Apache, do it now.
Create your key
Create a key that can be used to sign releases: http://www.apache.org/dev/openpgp.html#generate-key.
Remember to store your private key in a secure place.
For example:
gpg --gen-key (verify that SHA1 is avoided, i.e. last on the list; see the web site above)
gpg -k (shows public key)
gpg -K (shows private key)
Upload your public key to a public key server
The http://pgp.mit.edu/ keyserver is recommended.
For example:
gpg --keyserver pgp.mit.edu --send-keys <keyID>
Create a revocation certificate
It is recommended that you create a revocation certificate: http://www.apache.org/dev/openpgp.html#revocation-certs
Remember to store it in a secure place, separate from your key.
For example:
gpg --output revoke-<keyID>.asc --armor --gen-revoke <keyID>
Add your key to the KEYS file
You need to be a committer to perform this step:
svn co https://dist.apache.org/repos/dist/release/incubator/trafodion traf_release
cd traf_release
gpg --list-sigs <keyID> >> KEYS
gpg --armor --export <keyID> >> KEYS
svn commit -m "added new public key to KEYS file"
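A structural check that can be run on the KEYS file before the svn commit, shown here as an added example that is not part of the original instructions or of the Trafodion project. The helper name check_keys_file and the sample data are assumptions made for illustration; it catches a missing export, a private key block, and a key ID that does not appear in the listing.

```shell
#!/bin/sh
# check_keys_file KEYS_PATH KEY_ID  (hypothetical helper, not part of gpg or svn)
# Structural check only: it does not verify the armor CRC or any signature.
# Returns 0 when the file looks safe to commit; reasons go to stderr otherwise.
check_keys_file() {
    [ -r "$1" ] || { echo "KEYS check: cannot read $1" >&2; return 1; }
    awk -v id="$2" '
        function bad(msg) { print "KEYS check: " msg > "/dev/stderr"; failed = 1 }
        BEGIN { id = toupper(id); sub(/^0X/, "", id) }
        { sub(/\r$/, "") }   # tolerate CRLF line endings
        # Secret key material must never reach the public dist repository.
        /^-----BEGIN PGP PRIVATE KEY BLOCK-----$/ { bad("private key block at line " NR) }
        /^-----BEGIN PGP PUBLIC KEY BLOCK-----$/ {
            if (inblk) bad("BEGIN inside an open block at line " NR)
            inblk = 1; body = 0; blocks++; next
        }
        /^-----END PGP PUBLIC KEY BLOCK-----$/ {
            if (!inblk) bad("END without BEGIN at line " NR)
            else if (!body) bad("empty key block ending at line " NR)
            inblk = 0; next
        }
        inblk { if ($0 ~ "^[A-Za-z0-9+/=]+$") body++; next }
        # Outside armor: the gpg --list-sigs text should mention the key ID.
        index(toupper($0), id) { listed = 1 }
        END {
            if (inblk) bad("unterminated public key block")
            if (!blocks) bad("no public key block (was the export appended?)")
            if (!listed) bad("key ID " id " not in any listing line")
            exit (failed ? 1 : 0)
        }' "$1"
}

# Constructed sample, not a real key: listing text followed by an armored block.
sample=$(mktemp)
cat > "$sample" <<'EOF'
pub   rsa4096 2016-01-01 [SC]
      0000000000000000000000000000000011112222
-----BEGIN PGP PUBLIC KEY BLOCK-----

bWFkZSB1cCBkYXRh
=AAAA
-----END PGP PUBLIC KEY BLOCK-----
EOF
check_keys_file "$sample" 11112222 && echo "KEYS looks safe to commit"
rm -f "$sample"
```

Run it from the traf_release checkout as check_keys_file KEYS <keyID>; a non-zero exit means the file should be fixed before committing.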
Preparing the artifacts
Prepare for a new release
...