This is a FAQ for the /dist/ PGP signature checker.
questions and answers
- Q: What does the checker do ?
A: The checker looks at artifacts in /dist/
- it verifies all md5 checksums ;
- it checks that the required PGP signatures (.asc) exist and verifies them.
- Q: Which artifacts must be signed ?
A: All the .jar, .pom, .tar.gz and .zip files.
- Q: Public key not found ? Where does the checker look for keys ?
A: The checker looks for keys in /www/people.apache.org/keys/committer/
- If your key is missing, you should add your public pgp key using id.apache.org
- Also, make your public pgp key available in file .pgpkey in your home directory /home/your-username/
on people.apache.org ; make sure the checker can read it : chmod +r .pgpkey
- Look at /home/henkp/.pgpkey for an example.
- Never, never store your private pgp key on people.apache.org
- For now, the checker also looks for keys in KEYS files in www.apache.org/dist/ ;
please note that KEYS files are deprecated in that they could/should be generated
from the info maintained in id.apache.org.
- Q: How often is /dist/ checked ?
A: Every hour.
- Q: Where does it say /dist/ artifacts have to be signed ?
A: See the ASF policy, and motivation, on signing releases and other artifacts.
- Q: How do I provide PGP signatures ?
A: See the faq on release signing.
- Q: How can a package and/or signature be BAD ?
A: The combination of a file XXX and a signature file XXX.asc is BAD ifgpg --verify XXX.asc XXXsays it is a bad signature ; XXX and XXX.asc don't belong together.
- A bad signature in /dist/ is reason for concern, and should be investigated,
especially if XXX and XXX.asc did belong together in the past.
- Perhaps someone maliciously changed file XXX.
- Sometimes we have, indeed, a bad signature, but we may also have a bad file.
A bad signature should be investigated and fixed as soon as possible.