Versions Compared

Old Version 4

changes.mady.by.user Dominik Riemer

Saved on

compared with

New Version Current

changes.mady.by.user Tim Bossenmaier

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

(taken from Apache Pulsar: https://github.com/apache/pulsar/wiki/Create-GPG-keys-to-sign-release-artifacts)


All artifacts must be signed by the release build. In order to be able to do this you need to setup GPG.

The key being used to sign the artifacts will have to be linked to your Apache E-Mail ({apache-id}@apache.org) and verified by at least one fellow Apache committer (Ideally more) that have trusted keys themselves. Usually for this you have to get in touch - in real life - with any Apache committer with a trusted key. Attending an ApacheCon is usually a great way to do this as usually every ApacheCon has a Key Signing event in it’s schedule. He can then sign your key and hereby enable you to sign Apache release artifacts. There’s a detailed description here.


Info
titleFurther Info

https://infra.apache.org/release-signing

This is a condensed version of instructions available at http://apache.org/dev/openpgp.html

...

https://www.apache.org/info/verification.html


The following steps are required in order to create a new GPG key and upload it to the KEYS file:

...

Code Block
languagebash
titleUpload to SVN
# Checkout the SVN folder containing the KEYS file
svn co https://dist.apache.org/repos/dist/dev/incubator/streampipes 


# Export the key in ascii format and append it to the file
( gpg --list-sigs $USER@apache.org
  gpg --export --armor $USER@apache.org ) >> KEYS

# Commit to SVN
svn ci -m "Added gpg key for $USER"

...

Repeat the same operation for the release KEYS file:

Info

If you are not PMC, you can ignore it.


Code Block
languagebash
titleUpload to release SVN
svn co https://dist.apache.org/repos/dist/release/incubator/streampipes 

# ... Same as above

( gpg --list-sigs $USER@apache.org
  gpg --export --armor $USER@apache.org ) >> KEYS

# Commit to SVN
svn ci -m "Added gpg key for $USER"

...

Code Block
languagebash
titlePublish key to a public key server
# Use the key id to publish it to a public key server:

gpg --send-key 8C75C738C33372AE198FD10CC238A8CAAC055FD2


Update KEYS file

If this is your first time as a RM, you need to add your GPG key to the KEYS file in the distribution directories:



Preparing the system for being able to release

...

So if you don’t already have one, you should create a .m2 directory in your user home and inside that create a settings.xml file with at least this content:

Code Block
languagexml
titleApache Repo Settings
<?xml version="1.0" encoding="UTF-8"?>
<settings xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.1.0 http://maven.apache.org/xsd/settings-1.1.0.xsd" xmlns="http://maven.apache.org/SETTINGS/1.1.0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <servers>
    <!-- Apache Repo Settings -->
    <server>
        <id>apache.snapshots.https</id>
        <username>{user-id}</username>
        <password>{user-pass}</password>
    </server>
    <server>
        <id>apache.releases.https</id>
        <username>{user-id}</username>
        <password>{user-pass}</password>
    </server>
  </servers>
</settings>


Warning

For security reasons, please refrain from adding your password in plain text here!
Maven provides a secure way to input passwords through encryption.
To understand how this works, refer to the information box below.


Expand
titleSecure password handling in maven
  1. Run mvn --encrypt-master-password
    Maven will ask you to prompt a master password that is used to encrypt all passwords handled/used by Maven.
    Once done, it prints the encrypted master password. Please copy the entire password (including braces!!).

  2. Create a settings-security.xml
    Create the file ${user.home}/.m2/settings-security.xml with the following content:

    <settingsSecurity>
    <master>[your-password-with-braces]</master>
    </settingsSecurity>

  3. Encrypt your Apache password
    Run mvn --encrypt-password
    Enter your password
    Copy the returned password (again including braces) and add it to the settings.xml as displayed above



This tells maven to use above credentials as soon as a repository with the id apache.snapshots.https or apache.releases.https is being used. For a release all you need is the releases repo, but it is good to have the other in place as it enables you to also deploy SNAPSHOTs from your system. There repos are defined in the apache parent pom and is identical for all Apache projects.

Additionally all artifacts are automatically signed by the release build. In order to be able to do this you need to setup GPG.

The key being used to sign the artifacts will have to be linked to your Apache E-Mail ({apache-id}@apache.org) and verified by at least one fellow Apache committer (Ideally more) that have trusted keys themselves. Usually for this you have to get in touch - in real life - with any Apache committer with a trusted key. Attending an ApacheCon is usually a great way to do this as usually every ApacheCon has a Key Signing event in it’s schedule. He can then sign your key and hereby enable you to sign Apache release artifacts.


There’s a detailed description here.Configure GPG for Maven:

If you happen to have multiple keys, adding the following profile to your settings.xml should help:


Code Block
languagexml
titleMaven GPG Settings
<profile>
  <id>apache-release</id>
  <properties>
    <gpg.keyname>5C60D6B9</gpg.keyname><!-- Your GPG Keyname here -->
    <!-- Use an agent: Prevents being asked for the password during the build -->
    <gpg.useagent>true</gpg.useagent>
    <gpg.passphrase>topsecret-password</gpg.passphrase>
  </properties>
</profile>


Warning

Please don't provide the passphrase here as plain text.
Instead encrypt it via Maven as shown above.