This guide aims to help release managers to set up a release-compliant local environment.
The content is partially taken from the Apache PLC4X project: https://plc4x.apache.org/developers/release/release.html
Updating KEYS file
(taken from Apache Pulsar: https://github.com/apache/pulsar/wiki/Create-GPG-keys-to-sign-release-artifacts)
All artifacts must be signed by the release build. In order to be able to do this you need to set up GPG.
The key used to sign the artifacts has to be linked to your Apache e-mail address ({apache-id}@apache.org) and verified by at least one fellow Apache committer (ideally more) who has a trusted key themselves. Usually you have to meet an Apache committer with a trusted key in person for this; attending an ApacheCon is a great way to do so, as almost every ApacheCon has a key signing event in its schedule. That committer can then sign your key and thereby enable you to sign Apache release artifacts. There's a detailed description here.
The following steps are required in order to create a new GPG key and upload it to the KEYS file:
Install GPG:

brew install gnupg
Set the configuration to use SHA512 digests by default (GnuPG reads ~/.gnupg/gpg.conf, not gnupg.conf; the directory itself must be private, 0700):

mkdir -p ~/.gnupg
chmod 700 ~/.gnupg
# Prefer SHA-2 digests for signatures and key certifications instead of the
# SHA1 default of older GnuPG versions
cat <<EOL >> ~/.gnupg/gpg.conf
personal-digest-preferences SHA512
cert-digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
EOL
chmod 600 ~/.gnupg/gpg.conf
Check the version:

gpg --version
gpg (GnuPG) 2.1.22
libgcrypt 1.8.0
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: /Users/nkurihar/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
Generate a new GPG key. New RSA keys should be at least 4096 bits long. The transcript below accepts a non-expiring key; you may instead set an expiry date (it can be extended later). In any case choose a strong passphrase, since anyone who obtains the key and its passphrase can sign artifacts in your name.

# For 1.x or 2.0.x
gpg --gen-key
# For 2.1.x and later
gpg --full-gen-key
gpg (GnuPG) 2.1.22; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: test user
Email address: test@apache.org
Comment: CODE SIGNING KEY
You selected this USER-ID:
"test user (CODE SIGNING KEY) <test@apache.org>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
<Enter passphrase>
The GPG key needs to be appended to the KEYS file, which is stored in two SVN locations: one for proper releases and one for release candidates.
The SVN credentials are your usual Apache account credentials.
Upload to SVN:

# Checkout the SVN folder containing the KEYS file
svn co https://dist.apache.org/repos/dist/dev/streampipes
cd streampipes
# Export the public key in ASCII-armored format and append it, together with
# the listing of its signatures, to the file. $USER must expand to your
# Apache ID here; if your local user name differs, spell the address out.
( gpg --list-sigs $USER@apache.org
gpg --export --armor $USER@apache.org ) >> KEYS
# Commit to SVN
svn ci -m "Added gpg key for $USER"
Repeat the same operation for the release KEYS file:
Info: If you are not a PMC member, you can skip this step.
Upload to release SVN:

svn co https://dist.apache.org/repos/dist/release/streampipes
cd streampipes
# ... Same as above
( gpg --list-sigs $USER@apache.org
gpg --export --armor $USER@apache.org ) >> KEYS
# Commit to SVN
svn ci -m "Added gpg key for $USER"
Publish the key to a public key server:

# Use the fingerprint of your own key (shown by gpg --list-keys) to publish it
# to a public key server; the fingerprint below is only an example:
gpg --send-key 8C75C738C33372AE198FD10CC238A8CAAC055FD2
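Before committing the appended KEYS file it is worth checking that what you are about to publish is really a well-formed public key block and not, say, a secret key exported by mistake or a block mangled by a copy-and-paste. The following checker is an added example and not part of the StreamPipes, PLC4X or Pulsar release guides; it needs no gpg binary, because it only inspects the ASCII armor that `gpg --export --armor` writes (radix-64 with a CRC-24 trailer, as specified in RFC 4880). The sample packet bytes and the `gpg --list-sigs`-style listing embedded in it are constructed stand-ins, not a real key.

```python
"""Sanity-check a KEYS file before committing it to dist.apache.org.

Added example, not part of the release guide. Works offline: it validates
the armored blocks produced by `gpg --export --armor` (RFC 4880 radix-64).
"""
import base64
import binascii
import re
import sys

CRC24_INIT = 0xB704CE   # RFC 4880, section 6.1
CRC24_POLY = 0x1864CFB

# One armored block: BEGIN line, body (optional headers, base64, "=CRC"), END line.
BLOCK_RE = re.compile(
    r"-----BEGIN PGP (?P<kind>[A-Z ]+?)-----\n(?P<body>.*?)-----END PGP (?P<end>[A-Z ]+?)-----",
    re.S,
)


def crc24(data: bytes) -> int:
    """OpenPGP CRC-24 over the raw packet bytes, as given in RFC 4880."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor_public_key(packets: bytes) -> str:
    """Wrap raw OpenPGP packet bytes the way `gpg --export --armor` does."""
    body = base64.b64encode(packets).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    crc_line = "=" + base64.b64encode(crc24(packets).to_bytes(3, "big")).decode()
    return "\n".join(["-----BEGIN PGP PUBLIC KEY BLOCK-----", "", *lines, crc_line,
                      "-----END PGP PUBLIC KEY BLOCK-----"]) + "\n"


def check_keys_file(text: str) -> list:
    """Return a list of problems; an empty list means the file looks sane.

    Checks that every block is a PUBLIC KEY BLOCK (never a secret key), that
    BEGIN/END lines match, that the base64 decodes, and that the CRC-24 trailer
    matches the decoded bytes (this catches truncation and stray edits).
    """
    text = text.replace("\r\n", "\n")
    problems = []
    blocks = list(BLOCK_RE.finditer(text))
    if text.count("-----BEGIN PGP") != len(blocks):
        problems.append("unterminated PGP block (BEGIN without matching END)")
    if not blocks:
        problems.append("no PGP blocks found")
    for n, m in enumerate(blocks, 1):
        kind = m.group("kind")
        if kind != "PUBLIC KEY BLOCK":
            problems.append(f"block {n}: not a public key block ({kind})")
            continue
        if m.group("end") != kind:
            problems.append(f"block {n}: BEGIN/END mismatch")
            continue
        # Armor headers ("Version: ...") contain a colon; base64 never does.
        lines = [l.strip() for l in m.group("body").splitlines()]
        lines = [l for l in lines if l and ":" not in l]
        if not lines or not lines[-1].startswith("="):
            problems.append(f"block {n}: missing CRC-24 line")
            continue
        try:
            packets = base64.b64decode("".join(lines[:-1]), validate=True)
            stored = int.from_bytes(base64.b64decode(lines[-1][1:], validate=True), "big")
        except binascii.Error:
            problems.append(f"block {n}: invalid base64")
            continue
        if stored != crc24(packets):
            problems.append(f"block {n}: CRC-24 mismatch (corrupted or truncated block)")
    return problems


# Constructed stand-in for exported packet bytes: NOT a real key, just enough
# to exercise the armor and CRC logic offline.
SAMPLE_PACKETS = bytes(range(200))

# Constructed sample of what "( gpg --list-sigs ...; gpg --export --armor ... )"
# appends to KEYS: a human-readable listing followed by the armored block.
SAMPLE_KEYS = (
    "pub   rsa4096 2023-01-01 [SC]\n"
    "      0000000000000000000000000000000000000000\n"
    "uid           [ultimate] test user (CODE SIGNING KEY) <test@apache.org>\n"
    "sig 3        0000000000000000 2023-01-01  test user (CODE SIGNING KEY) <test@apache.org>\n"
    + armor_public_key(SAMPLE_PACKETS)
)

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "KEYS"
    with open(path, encoding="utf-8") as fh:
        found = check_keys_file(fh.read())
    print("\n".join(found) or f"{path}: OK")
    sys.exit(1 if found else 0)
```

Run it as `python check_keys.py KEYS` inside the checked-out SVN directory before `svn ci`. The CRC-24 check detects any single-bit or short burst error in the armor, so a block that passes is at least byte-for-byte what gpg exported; it does not replace `gpg --import` plus `gpg --list-sigs` on the committed file, which is still the only way to confirm the key carries the expected signatures.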
Update KEYS file
If this is your first time as an RM (release manager), you need to add your GPG key to the KEYS file in the distribution directories:
- Install an SVN client
- Checkout the following directories:
- Export your GPG public key and paste the output to the KEYS file in both directories:
- gpg --list-keys (and find your key id)
- gpg --list-sigs YOUR_KEY_ID && gpg --armor --export YOUR_KEY_ID
- Commit your changes to SVN
...
Preparing the system for being able to release
...
So if you don't already have one, you should create a .m2 directory in your user home and inside that create a settings.xml file with at least this content:
Apache Repo Settings:

<?xml version="1.0" encoding="UTF-8"?>
<settings xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.1.0 http://maven.apache.org/xsd/settings-1.1.0.xsd"
          xmlns="http://maven.apache.org/SETTINGS/1.1.0"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <servers>
    <!-- Apache Repo Settings -->
    <server>
      <id>apache.snapshots.https</id>
      <username>{user-id}</username>
      <password>{user-pass}</password>
    </server>
    <server>
      <id>apache.releases.https</id>
      <username>{user-id}</username>
      <password>{user-pass}</password>
    </server>
  </servers>
</settings>
Warning: For security reasons, do not put your password here in plain text! Maven provides a way to store passwords encrypted; refer to the section below to see how this works.
Secure password handling in Maven:
- Run mvn --encrypt-master-password. Maven prompts you for a master password that is used to encrypt all passwords handled by Maven. Once done, it prints the encrypted master password. Copy the entire value (including the braces!).
- Create the file ${user.home}/.m2/settings-security.xml with the following content:
<settingsSecurity>
  <master>[your-password-with-braces]</master>
</settingsSecurity>
- Encrypt your Apache password: run mvn --encrypt-password, enter your password, copy the returned value (again including the braces) and put it into settings.xml in place of the password shown above.
Note that this only keeps the credentials out of settings.xml in the clear; anyone who can read both settings.xml and settings-security.xml can recover them, so make both files readable by your user only (chmod 600).
This tells Maven to use the above credentials whenever a repository with the id apache.snapshots.https or apache.releases.https is used. For a release all you need is the releases repo, but it is good to have the other in place as well, as it enables you to also deploy SNAPSHOTs from your system. These repos are defined in the apache parent pom and are identical for all Apache projects.
Additionally, all artifacts are automatically signed by the release build. This requires a GPG key that is linked to your Apache e-mail address, signed by fellow committers and published in the KEYS file, as described in the Updating KEYS file section above.
Configure GPG for Maven:
If you happen to have multiple keys, adding the following profile to your settings.xml
should help:
Maven GPG Settings:

<profile>
  <id>apache-release</id>
  <properties>
    <!-- Your GPG key name here. Prefer the full 40-hex-digit fingerprint over a
         short id like this one: short ids are not unique and can be collided -->
    <gpg.keyname>5C60D6B9</gpg.keyname>
    <!-- Use an agent: prevents being asked for the password during the build -->
    <gpg.useagent>true</gpg.useagent>
    <gpg.passphrase>topsecret-password</gpg.passphrase>
  </properties>
</profile>
Warning: Please don't provide the passphrase here as plain text. Instead encrypt it via Maven as shown above, or leave the property out altogether and let gpg-agent prompt for it.
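Both warnings on this page (the repository password and the GPG passphrase) come down to the same check: every secret in settings.xml should be in Maven's encrypted form, which `mvn --encrypt-password` prints as base64 wrapped in braces. The script below is an added example, not from the release guide or from Maven; it parses a settings.xml, and reports any `<password>` element or gpg.passphrase property that is not in that form. The embedded sample settings are constructed (the user name `alice` and the encrypted value are placeholders, and `{user-pass}` is deliberately left as it appears above, so it is flagged).

```python
"""Flag credentials still in plain text in ~/.m2/settings.xml.

Added example, not part of the release guide. Maven stores values produced by
`mvn --encrypt-password` as {<base64>}; everything else is treated as plain text.
"""
import os
import re
import sys
import xml.etree.ElementTree as ET

# Shape of a plexus-cipher value, e.g. {COQLCE6DU6GtcS5P=}
ENCRYPTED_RE = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")
# Profile properties that carry secrets; extend for other plugins as needed.
SECRET_PROPERTIES = {"gpg.passphrase"}


def _local(tag: str) -> str:
    """Strip the XML namespace: '{http://...}server' -> 'server'."""
    return tag.rsplit("}", 1)[-1]


def is_encrypted(value: str) -> bool:
    return bool(ENCRYPTED_RE.match(value.strip()))


def find_plaintext_secrets(settings_xml: str) -> list:
    """Return one message per plain-text secret; an empty list means none found."""
    root = ET.fromstring(settings_xml.strip())
    findings = []
    for elem in root.iter():           # document order, namespace-agnostic
        name = _local(elem.tag)
        if name == "server":
            fields = {_local(c.tag): (c.text or "").strip() for c in elem}
            password = fields.get("password")
            if password and not is_encrypted(password):
                findings.append(
                    f"server '{fields.get('id', '?')}': password is not Maven-encrypted")
        elif name == "properties":
            for prop in elem:
                pname = _local(prop.tag)
                if pname in SECRET_PROPERTIES and not is_encrypted(prop.text or ""):
                    findings.append(f"property {pname}: value is not Maven-encrypted")
    return findings


# Constructed sample mirroring the settings.xml and profile shown above: one
# placeholder password, one encrypted password and a plain-text gpg passphrase.
SAMPLE_SETTINGS = """
<settings xmlns="http://maven.apache.org/SETTINGS/1.1.0">
  <servers>
    <server>
      <id>apache.snapshots.https</id>
      <username>alice</username>
      <password>{user-pass}</password>
    </server>
    <server>
      <id>apache.releases.https</id>
      <username>alice</username>
      <password>{COQLCE6DU6GtcS5P=}</password>
    </server>
  </servers>
  <profiles>
    <profile>
      <id>apache-release</id>
      <properties>
        <gpg.keyname>5C60D6B9</gpg.keyname>
        <gpg.useagent>true</gpg.useagent>
        <gpg.passphrase>topsecret-password</gpg.passphrase>
      </properties>
    </profile>
  </profiles>
</settings>
"""

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/.m2/settings.xml")
    with open(path, encoding="utf-8") as fh:
        found = find_plaintext_secrets(fh.read())
    print("\n".join(found) or f"{path}: no plain-text secrets")
    sys.exit(1 if found else 0)
```

The check is a format heuristic: it cannot tell a genuinely encrypted value from any other braces-wrapped base64 string, and a passing file is still only as safe as the file permissions on settings.xml and settings-security.xml, since Maven decrypts with nothing more than the master password stored in the latter. For the GPG passphrase the simplest fix is to omit the property and let gpg-agent prompt during the release build.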