Because a GPG key is used to sign releases, this doc is intended for the Release Manager.

To release a version, e.g. 2.1.0, we need to prepare 3 files:

  • apache-pegasus-2.1.0-incubating-src.zip # source package
  • apache-pegasus-2.1.0-incubating-src.zip.asc # digital signature
  • apache-pegasus-2.1.0-incubating-src.zip.sha512 # checksum

This doc describes how to generate the "digital signature" file, which verifies if the package is signed by Apache PPMC

...

If this is not your first time configuring the GPG key, please skip to step 4.


1. Install gpg on your system. A Linux distribution usually has gpg preinstalled.

➜ gpg --version


2. Generate a GPG key. Please notice the bold tips.

➜ gpg --full-gen-key # the results are shown as follows

...


gpg: key 654XXXXA91BBXXXX marked as ultimately trusted
gpg: directory '/home/wutao1/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/wutao1/.gnupg/openpgp-revocs.d/45A0XXXF1XXB62663XX673C654EXX8A91XXX5AF.rev' 
public and secret key created and signed.

pub rsa4096 2020-09-05 [SC]
45A0735F19A8B62663AF673C654E588A91BB85AF
uid Tao Wu <wutao@apache.org>
sub rsa4096 2020-09-05 [E]


After the above steps, you have successfully created a GPG key.


3. Add your public key to Apache Pegasus's distribution repo.

➜ sudo apt install subversion 

➜ svn co https://dist.apache.org/repos/dist/dev/incubator/pegasus/ dist-dev-pegasus # The pegasus repo

➜ cd dist-dev-pegasus

➜ gpg --list-sigs "wutao@apache.org" >> KEYS && gpg --armor --export "wutao@apache.org" >> KEYS # KEYS contains the public keys of all Release Managers

Check your changes to the KEYS file. The diff looks like:

$ LANGUAGE=en svn diff
Index: KEYS
===================================================================
--- KEYS (revision 48122)
+++ KEYS (working copy)
@@ -64,3 +64,62 @@
=x02o
-----END PGP PUBLIC KEY BLOCK-----

+pub rsa4096 2021-06-03 [SC]
+ C76F11B982545782BAD263259EC758F9DBA0FD3A
+uid [ultimate] Yingchun Lai <laiyingchun@apache.org>
+sig 3 9EC758F9DBA0FD3A 2021-06-03 Yingchun Lai <laiyingchun@apache.org>
+sub rsa4096 2021-06-03 [E]
+sig 9EC758F9DBA0FD3A 2021-06-03 Yingchun Lai <laiyingchun@apache.org>
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBGC5EBcBEADFuB1jZcQcqSmPP0fF36JG/OMv4K4jPN83WMvsEirQlgTd1Hkc
+cDzkBEyv2d9f2TYXUwJvy1JmTgqlsNOfiCQTJqx1lWX6CrRMhFleofQEVYtIXwnb
+1hp5nfnsHLK7tIXzSJ89pWp2dxxG4IO2br8m/HZ+o16zxhxUztXNzbEjA67NkFqf
+fHcxZ5w+aWjIY38Kk2ed+L2Sm7UFvwoMEE+6YMKJ4BBmhogZJtij7Pzfz39TL7/J
+Z2L4nseS4U1IqNZMCfygpntze2IKKdVJl6iRjoU7zzRNpKCbqV+KYzZQEU5H/fm2
+RHVQqxrjMlLbbWn/u79WIn1Q0IkLJkMn7sv9j2zVULk6SPbgWoPqIOuAbeI4qqyZ
+SkVsqJWdvYQVaH/eN6h9plMKfAZBtPNqKv7pq3JVERv7lQf38OhToG7fVR/YaQij
+pN1O7BtzMkQBxBVOy/C8ltjAMHiJC4eEmavdGCr+PB/IrUox0l9HT/x+TQMU+Gdc
+fWQGKXlW0vYuRfPwwTuNL7qnXyQkWNH2NrdvRcu+WB/Ms+Rt1nnEkYHLwq8G9Kl0
+jfdx363W77hvSJfm5D2DbfAgwVNkf/td1rpJzwhAErwYM9j+LbkLD+WPhbNDO1yT
+bD8eitxTOUpZT+FV3BiEpGe0HNQWS1Jyd0TQ1IAQNRQnW4Sx+3leBnf7VQARAQAB
+tCVZaW5nY2h1biBMYWkgPGxhaXlpbmdjaHVuQGFwYWNoZS5vcmc+iQJOBBMBCAA4
+FiEEx28RuYJUV4K60mMlnsdY+dug/ToFAmC5EBcCGwMFCwkIBwIGFQoJCAsCBBYC
+AwECHgECF4AACgkQnsdY+dug/Trn0RAAwTyDqgViRw6CmgFQfA7EUCN7Ck/CLHAr
+/rn3fN+9y83G/9FjR5Sj6tMZhv3I60ceJ2MjOGyM+QUZJpDhULcKHMKRCGh6GFav
+uggEEGv49qQNbj0a1mwtHsJsKumXyX6BIUycm7mStaDvQRg2FGTUjr4o4BwI9eMC
+TcGzUjaiib8JvW8ToQFuuXmuwfOe+OKCze+8Z3dz5uZRuvoLxUthHVakwaYwr+rz
+l0KrzXgTYYh/HNDdmh3awRbBvhGhAVRh+QLykEOBhsQqOngwNYXla5Rlvsk/bP+N
+UfdYLmnRJ9KLdN8YGlOOXzTt6reOBhNlrh8jH0HrBvNY6ejlJc6sS2AEjlHuBS3F
+Aqsl/xIbURHMSXXWyWVkhkZsIjCWq7Me0DdrOdRsBodETSdqAC5RhmzmfMBZhSzK
+BcENlxDZL86Iv85QR01Qc3AIT7+wjht7825hq9dHlkETEuKIy7sGWXJaiqPKoCTs
+GiU7+00Ij3scykkNa8SukJKxL02sq8C4uMxVnTtNulD1gxIK4qKY+CKk3llIsMCU
+RkNM4VFgI8pdKyfBefpfvv17fuLpqN2STM8jZW4w8FE5kkHpVmvaG7IOk3orllHg
+hvHYOTCNXanJfp4r+fPoZdSrCmN/EDqjKpDkG+uYvCVVp/b0AcjGTGOMM5IuD/oC
+LQsS8ahy9cW5Ag0EYLkQFwEQAMpTP1uX0LeLcUSx40l7i90hgTAX1+g0PLWpxyQB
+t0c5yGG2i3sazO/bpqaH21LFVs3gUhmTnxsAQqkBHbEpmS6adJiW9UKHMWQEbHG8
+Pufiqb+iJhBXYtAOtrH6vCW755GLQpyGBQrTTYttBp8IUMSbpX+imIes2zTbxRyb
+t3wWIc6yLWfSg3S9Ol5sw7sK10CF3k16WAP9IYzsJuh22Ei8dkUvBzj3D9Ll5NhE
+g0stzCijYhKqJgDf7LRYtphCJxusSF4P7pXGsQC/Jj5cX4raAk0vCr9egOvBSlQA
+m3S7QQYcf0AUniB+G3+9DRRF3bzc9Hauub6kxDb/2qoD2Pw6thxRjYt8Owf8bvn3
+Ab49m7/rHfQkFBbnJy6I2Ir/bNU7mYWkyDny1k5biEutmCHrDhpF1OAjUDNn+jZb
+UIeATzjP/5wziwpzSdlR2/6E08DyU/ghO6KlM8lNIp77NGyUcO5yGOvj8wt0Do5B
+BgVwzIQAsSGu3IJkoGoI/QCx9BVxP/Xg2WJmNyFBBWSkiIRSnoaE3/CSdHCJhqYn
+Kb3BcWhpOR7G5bvo86vmaf0g0nZ0DB1B8YOc1mw24ISaZmSmxfLfXWn9OkVPhQf4
+yzsrd8bb0i6Zm60eOk9C2Geyq3jck4YmWrVDZrars4ebgNUk52SSJYotnrMHltAi
+7reXABEBAAGJAjYEGAEIACAWIQTHbxG5glRXgrrSYyWex1j526D9OgUCYLkQFwIb
+DAAKCRCex1j526D9Oov2D/4mkrKtoHSJIrES0AP7379MmgHPdNq4JSKNuTrrbC1T
+05EcmQbnUu/snC4agLEnqPjlf5KIaWXNjPLDVJpfpn3ahIAQCZRDgGpfIhJZN9PE
+54ffTpeCovVdhWyu+dFeuZp44NMRSZUw4ROYv1VncV8fnMq3fIrwRJvpmSL5lsr6
+n0gKESWwrqBkRRu3je/E6gudKo8GGuRaxfgfU46l0jAkG19uv6MAW/Q26EcZFV6S
+pMHdwWuYIHW7xkwo7KAIJJ9U/Fc4NwjA7caYNzhJjsVo4BYYSeSb+csRsdAW4Olg
+Lo4FTP5c0A6EdzmCvaYDQw3hkC7tPpe/XKaPtDeSysJmrP69dCGyoRPrZYgcOQsj
+Abjz4soqzk8IRWavd2kZwXyDZ6uD8UFn0Q2UtAmVnRya6NuvcihujOtxtUjhlMkv
+8LcJ1dTghj+UgSu7Lh0jV4oM6m07TZBoI7BvgTCijy9DB1k8/K4rT0h6E0HOcePc
+eGvuXktoV5ggDrHXNR6xK1HZkVy9c2BqShmYsCwIg5A/3uGhZY2BLLs6UiRLOYuh
+QTsy8XBVYqZk6ZTJ9UI2fZYap6qi2YCo1CjQVaNHu5EBzvpCDACHdAI1K9BHN6RH
+/KRtOPrdERipElAXeXVb3bCbtf9evdyltDGBp56N7rI+yYPoPyHIb1LlnxG1OV97
+Sw==
+=f350
+-----END PGP PUBLIC KEY BLOCK-----
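
Review bot: on the added "uid [ultimate] Yingchun Lai" line, "[ultimate]" is the validity computed by the submitter's own keyring when gpg --list-sigs ran, not a property of the key, so a reader of KEYS should not take it as an endorsement; the page could say so next to this step and point readers at the fingerprint line instead. The rest of the hunk is consistent: the fingerprint C76F11B982545782BAD263259EC758F9DBA0FD3A ends in 9EC758F9DBA0FD3A, the key ID on both "sig" lines, and the header "-64,3 +64,62" with no "-" lines shows the change only appends to the file, leaving earlier managers' keys untouched.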

➜ svn commit # Upload your changes

Add an svn commit message like:

"pegasus KEYS: add laiyingchun's GPG public key"

Then enter your Apache ID's password to commit.


4. Sign your package (MOST IMPORTANT)

Suppose we have a package called "apache-pegasus-2.1.0-incubating-src.zip".

➜ export GPG_TTY=$(tty) # This can be added to your .bashrc/.zshrc

➜ gpg --local-user "wutao@apache.org" --armor --detach-sig apache-pegasus-2.1.0-incubating-src.zip # Create a detached, ASCII-armored digital signature. It will prompt you for the password you set when generating the PGP key

➜ gpg --verify apache-pegasus-2.1.0-incubating-src.zip.asc apache-pegasus-2.1.0-incubating-src.zip # Verify that the signature is valid.

gpg: Signature made 2020年09月07日 星期一 12时21分44秒 CST
gpg: using RSA key B29EB88AD60BB41EC9D82687B1DA1BBC34C617A9
gpg: issuer "wutao@apache.org"
gpg: Good signature from "Tao Wu <wutao@apache.org>" [ultimate] # Correct!
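
The check in step 4 runs against the Release Manager's own keyring, where the key is always present and marked [ultimate]. The following added example (not part of the original page or the Pegasus project) repeats the verification the way a downloader would, with a throwaway keyring holding only the KEYS file, and compares the signer's fingerprint from gpg's machine-readable VALIDSIG status line. The function names and the sample status text are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: verify a release signature using only the published KEYS file.

# Constructed sample of `gpg --status-fd 1 --verify` output (not real keys).
# The signature here is made by a subkey: field 3 is the subkey fingerprint,
# the last field is the primary key fingerprint, which is what KEYS lists.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed User <user@example.org>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2020-09-07 1599452504 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567'

# Read gpg status lines on stdin and print the primary-key fingerprint of the
# first VALIDSIG line. Prints nothing for a bad or unverifiable signature.
validsig_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }'
}

# verify_release KEYS ARTIFACT EXPECTED_FPR
# Succeeds only if ARTIFACT.asc is a valid signature over ARTIFACT, made by
# the key EXPECTED_FPR, and that key can be imported from KEYS alone.
verify_release() {
    keys=$1
    artifact=$2
    expected=$3
    tmp=$(mktemp -d) || return 2
    # Isolated keyring: ~/.gnupg and its local trust settings are not used.
    gpg --homedir "$tmp" --batch --quiet --import "$keys" 2>/dev/null
    status=$(gpg --homedir "$tmp" --batch --status-fd 1 \
                 --verify "$artifact.asc" "$artifact" 2>/dev/null)
    rm -rf "$tmp"
    actual=$(printf '%s\n' "$status" | validsig_fpr)
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Usage: sh verify.sh KEYS apache-pegasus-2.1.0-incubating-src.zip <fingerprint>
if [ "$#" -eq 3 ]; then
    if verify_release "$1" "$2" "$3"; then
        echo "OK: signed by $3, key present in $1"
    else
        echo "FAIL: signature invalid, or signer not in $1" >&2
        exit 1
    fi
fi
```

A failure here while step 4 reports a good signature usually means the key was never committed to KEYS or the wrong key was used with --local-user.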