Apache feather logo with text Public key files

ASF committers can add key fingerprints to their LDAP record using the SelfServe web application.
Only the fingerprints are stored in the LDAP record.
The corresponding keys must be uploaded to a public key server.

Committer public key files

The files in the Committer keys directory are autogenerated once a day from LDAP records and grouped by ASF id.
(The public keys are downloaded from a public key server using the fingerprints from LDAP)
Note that the SelfServe web app currently contains some entries which are the short key id (8 hex chars) rather than the full fingerprint (40 chars).
These key id entries are ignored because they are not guaranteed unique; and it has been shown that they can be spoofed.
If your key does not appear in your .asc file, check that the whole fingerprint is present.
Also check that there are no leading or trailing spaces (embedded spaces are OK) because LDAP encodes these (and some other apps may not be able to decode them)

Project public key files

The files in the Project keys directory are generated from the Committer keys, and grouped by project/podling.
Project membership is determined from the current projects (and podlings) listing from Whimsy.

Note: the project group files are not directly suitable for use as KEYS files for authenticating releases - i.e. they should not be linked from download pages.
This is because:

Individual committer key details can be copied from the committer or group files into the project KEYS file.
To keep the KEYS file manageable, it's recommended to only add the keys of committers who have signed releases.