faq

This is a FAQ for the /dist/ PGP signature checker.

questions and answers

1. Q: What does the checker do ?

   A: The checker looks at artifacts in /dist/

   • it verifies all md5 checksums ;
   • it checks that the required PGP signatures (.asc) exist and verifies them.

2. Q: Which artifacts must be signed ?

   A: All the .jar, .pom, .tar.gz and .zip files.

3. Q: Public key not found ? Where does the checker look for keys ?

   A: The checker looks for keys in /www/people.apache.org/keys/committer/

   • If your key is missing, you should add your public pgp key using id.apache.org

   • Also, make your public pgp key available in file .pgpkey in your home directory /home/your-username/
     on people.apache.org ; make sure the checker can read it : chmod +r .pgpkey
   • Look at /home/henkp/.pgpkey for an example.
   • Never, never store your private pgp key on people.apache.org

   • For now, the checker also looks for keys in KEYS files in www.apache.org/dist/ ;
     please note that KEYS files are deprecated.

4. Q: How often is /dist/ checked ?

   A: Every hour.

5. Q: Where does it say /dist/ artifacts have to be signed ?

   A: See the ASF policy, and motivation, on signing releases and other artifacts.

6. Q: How do I provide PGP signatures ?

   A: See the faq on release signing.

7. Q: How can a package and/or signature be BAD ?

   A: The combination of a file XXX and a signature file XXX.asc is BAD if

     gpg --verify XXX.asc XXX
   

   says it is a bad signature ; XXX and XXX.asc don't belong together.
   • A bad signature in /dist/ is reason for concern, and should be investigated,
     especially if XXX and XXX.asc did belong together in the past.
   • Perhaps someone maliciously changed file XXX.
   • Sometimes we have, indeed, a bad signature, but we may also have a bad file.

   A bad signature should be investigated and fixed as soon as possible.