Because a GPG key is used to sign releases, this document is intended for Release Managers.

To release a version, e.g. 2.1.0, we need to prepare three files:

  • apache-pegasus-2.1.0-incubating-src.zip # source package
  • apache-pegasus-2.1.0-incubating-src.zip.asc # digital signature
  • apache-pegasus-2.1.0-incubating-src.zip.sha512 # checksum

This document describes how to generate the "digital signature" file, which is used to verify that the package was signed by the Apache PPMC.

Steps

If this is not your first time configuring the GPG key, skip to step 4.


1.  Install gpg on your system. A Linux distribution usually has gpg preinstalled.

➜ gpg --version


2. Generate a GPG key. Pay attention to the tips marked with # in the output below.

➜ gpg --full-gen-key # the output looks as follows

gpg (GnuPG) 2.2.19; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(14) Existing key from card
Your selection? 1 # Must set this value
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096 # Must set this value
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) # Press enter
Key does not expire at all
Is this correct? (y/N) y # Confirm

GnuPG needs to construct a user ID to identify your key.

Real name: Tao Wu # Your full name
Email address: wutao@apache.org # Your apache mail address
Comment: # Leave empty here
You selected this USER-ID:
"Tao Wu <wutao@apache.org>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O # Confirm
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy. # A password box will pop up. Record this password somewhere secure.


gpg: key 654XXXXA91BBXXXX marked as ultimately trusted
gpg: directory '/home/wutao1/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/wutao1/.gnupg/openpgp-revocs.d/45A0XXXF1XXB62663XX673C654EXX8A91XXX5AF.rev' 
public and secret key created and signed.

pub rsa4096 2020-09-05 [SC]
45A0735F19A8B62663AF673C654E588A91BB85AF
uid Tao Wu <wutao@apache.org>
sub rsa4096 2020-09-05 [E]


After the above steps, you have successfully created a GPG key.


3. Add your public key to Apache Pegasus's distribution repo.

➜ sudo apt install subversion 

➜ svn co https://dist.apache.org/repos/dist/dev/incubator/pegasus/ dist-dev-pegasus # The pegasus repo

➜ cd dist-dev-pegasus

➜ gpg --list-sigs "wutao@apache.org" >> KEYS && gpg --armor --export "wutao@apache.org" >> KEYS # KEYS contains the public keys of all Release Managers

Check your changes to the KEYS file. The diff should look like this:

$ LANGUAGE=en svn diff
Index: KEYS
===================================================================
--- KEYS (revision 48122)
+++ KEYS (working copy)
@@ -64,3 +64,62 @@
=x02o
-----END PGP PUBLIC KEY BLOCK-----

+pub rsa4096 2021-06-03 [SC]
+ C76F11B982545782BAD263259EC758F9DBA0FD3A
+uid [ultimate] Yingchun Lai <laiyingchun@apache.org>
+sig 3 9EC758F9DBA0FD3A 2021-06-03 Yingchun Lai <laiyingchun@apache.org>
+sub rsa4096 2021-06-03 [E]
+sig 9EC758F9DBA0FD3A 2021-06-03 Yingchun Lai <laiyingchun@apache.org>
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+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+=f350
+-----END PGP PUBLIC KEY BLOCK-----
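
Review bot: on the added "uid [ultimate] Yingchun Lai" line, "[ultimate]" is the validity gpg computed from the committer's own trust database, so it tells someone who downloads KEYS nothing about the key. What a verifier can use is the 40-character fingerprint on the line under "pub": before running svn commit, compare that line with the output of "gpg --fingerprint" for your key, and confirm the hunk contains only added lines, since KEYS holds the keys of every Release Manager.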

➜ svn commit # Upload your changes


4. Sign your package (MOST IMPORTANT)

Suppose we have a package called "apache-pegasus-2.1.0-incubating-src.zip".

➜ export GPG_TTY=$(tty) # This can be added to your .bashrc/.zshrc

➜ gpg --local-user "wutao@apache.org" --armor --detach-sig apache-pegasus-2.1.0-incubating-src.zip # Create a digital signature

➜ gpg --verify apache-pegasus-2.1.0-incubating-src.zip.asc apache-pegasus-2.1.0-incubating-src.zip # Verify that the signature is valid

gpg: Signature made 2020年09月07日 星期一 12时21分44秒 CST
gpg: using RSA key B29EB88AD60BB41EC9D82687B1DA1BBC34C617A9
gpg: issuer "wutao@apache.org"
gpg: Good signature from "Tao Wu <wutao@apache.org>" [ultimate] # Correct!
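
The "Good signature" line above only says that some key in your local keyring produced the signature. As an added example (not part of the original page or the Pegasus project), the script below reads gpg's machine-readable --status-fd output and accepts the package only when the signature was made under the expected primary key fingerprint. The helper names and all fingerprints in it are constructed assumptions.

```shell
#!/bin/sh
# Added example; check_status, verify_release and sample_status are
# hypothetical helper names, and all fingerprints below are constructed.

# Read `gpg --status-fd` lines on stdin. Succeed only if a valid signature
# was made under the primary key fingerprint $1 and nothing was flagged.
check_status() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    matched=0
    flagged=0
    while read -r tag keyword rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case "$keyword" in
            # Bad, unverifiable or expired signature; expired or revoked key.
            BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG) flagged=1 ;;
            VALIDSIG)
                # Field 1 is the signing (sub)key fingerprint, field 10 the
                # primary key fingerprint, which is what KEYS lists as "pub".
                set -- $rest
                if [ "$#" -ge 10 ]; then
                    shift 9
                    if [ "$1" = "$expected" ]; then matched=1; fi
                fi ;;
        esac
    done
    [ "$flagged" -eq 0 ] && [ "$matched" -eq 1 ]
}

# $1 = package file, $2 = release manager's fingerprint from KEYS.
verify_release() {
    gpg --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null | check_status "$2"
}

# Constructed status output: $1 is the keyword gpg would print for the result.
sample_status() {
    cat <<EOF
[GNUPG:] NEWSIG
[GNUPG:] $1 0000111122223333 Constructed RM <rm@example.org>
[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2020-09-07 1599452504 0 4 0 1 10 00 AAAABBBBCCCCDDDDEEEEFFFF0000111122223333
EOF
}

if [ "$#" -eq 2 ]; then
    verify_release "$1" "$2" || { echo "REJECTED: $1" >&2; exit 1; }
    echo "OK: $1 signed by $2"
fi
```

Run it with the package path and the fingerprint printed under "pub" for your key; it exits non-zero if the signature is missing, bad, or made by any other key.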


