This document describes how to sign (certify) other people's GPG keys.
Note that Apache requires the signing to be done face to face: first check the person's ID, then confirm with them the fingerprint of the key you are about to sign.
This article follows: https://gist.github.com/F21/b0e8c62c49dfab267ff1d0c6af39ab84
Depending on the system the command is called gpg or gpg2; the examples below use gpg2.
Step 1 Download the other person's key
You need the ID (fingerprint) of their key. They can find it by running this on their own computer:
gpg2 --list-keys
The results seen are like:
pub rsa4096 2019-09-25 [SC]
BA45CDBB87E8B146A81F5BBE2206EF8F64C35889
uid [ultimate] Xiangdong Huang (Apache IoTDB release signing key) <hxd@apache.org>
sub rsa4096 2019-09-25 [E]
The 40-hex-digit line (BA45CDBB ... 64C35889) is the key fingerprint. Always use the full fingerprint, not a short key ID.
Then fetch their key onto your own computer:
gpg2 --recv-keys BA45CDBB87E8B146A81F5BBE2206EF8F64C35889
Before going on, check with gpg2 --fingerprint that the fingerprint of the imported key matches the one the person gave you face to face. A key server only hands you a key that claims that identity; the fingerprint comparison is what ties it to the person.
NOTICE: --recv-keys may never finish in China (the key servers are unreachable there). In that case:
- ask the person for their public key, or look it up on a key server by the e-mail address in the uid
- save the public key to a local file
- import it: gpg2 --import file, then compare the fingerprint with the one the person gave you in person
Step 2 Sign the key
gpg2 --sign-key BA45CDBB87E8B146A81F5BBE2206EF8F64C35889
Answer y when asked whether to sign.
Before confirming, look at which key gpg2 says it will sign with. If you hold several keys and it has picked one that is not your Apache key, select the right one explicitly with -u (--local-user) followed by your Apache key's fingerprint, or set default-key in gpg.conf so the choice is permanent.
A signature already made with the wrong key can be removed with gpg2 --edit-key BA45CDBB87E8B146A81F5BBE2206EF8F64C35889 (the delsig command). The crude alternative is to delete the other secret keys and run gpg2 --sign-key again.
Step 3 Export the signed key
This exports their key, which now carries your signature, then signs the export with your key and encrypts it to their key, so only the holder of the matching private key can read and import it:
gpg2 -a --export BA45CDBB87E8B146A81F5BBE2206EF8F64C35889 | gpg2 -se -r BA45CDBB87E8B146A81F5BBE2206EF8F64C35889 > ~/tmp/BA45CDBB87E8B146A81F5BBE2206EF8F64C35889.asc.pgp
Step 4 Send it to the other party
E-mail the .asc.pgp file to the address in their key's uid.
Step 5 (for the other side) Decrypt, import and upload
gpg2 -o BA45CDBB87E8B146A81F5BBE2206EF8F64C35889.asc --decrypt BA45CDBB87E8B146A81F5BBE2206EF8F64C35889.asc.pgp
(--decrypt writes to stdout unless -o names the output file.)
gpg2 --import BA45CDBB87E8B146A81F5BBE2206EF8F64C35889.asc
gpg2 --send-keys BA45CDBB87E8B146A81F5BBE2206EF8F64C35889 (this does not work from China; see the How to Release post for how to upload the key instead)
Step 6 (for the other side) Add the key to the KEYS file
If you are the release manager for Apache IoTDB, you also need to publish your key, with its new signature, in the KEYS file (https://www.apache.org/dist/incubator/iotdb/KEYS):
Then execute:
gpg2 --list-sigs BA45CDBB87E8B146A81F5BBE2206EF8F64C35889 && gpg2 --armor --export BA45CDBB87E8B146A81F5BBE2206EF8F64C35889
Append the output to the end of KEYS and commit the new version of the file to SVN (see the How to Release documentation).