This is a FAQ for the /dist/ PGP signature checker.

questions and answers

  1. Q: What does the checker do?

    A: The checker looks at artifacts in /dist/:

    • it verifies all md5 checksums;
    • it checks that the required PGP signatures (.asc) exist and verifies them.

  2. Q: Which artifacts must be signed?

    A: All the .jar, .pom, .tar.gz and .zip files.

  3. Q: Public key not found? Where does the checker look for keys?

    A: The checker looks for keys in /www/people.apache.org/keys/committer/

    • If your key is missing, you should add your public PGP key using id.apache.org.

    • Also, make your public PGP key available in the file .pgpkey in your home directory /home/your-username/
      on people.apache.org; make sure the checker can read it: chmod +r .pgpkey
    • Look at /home/henkp/.pgpkey for an example.
    • Never, never store your private PGP key on people.apache.org.

    • For now, the checker also looks for keys in KEYS files in www.apache.org/dist/;
      please note that KEYS files are deprecated in that they could/should be generated
      from the info maintained in id.apache.org.

  4. Q: How often is /dist/ checked?

    A: Every hour.

  5. Q: Where does it say /dist/ artifacts have to be signed?

    A: See the ASF policy, and motivation, on signing releases and other artifacts.

  6. Q: How do I provide PGP signatures?

    A: See the faq on release signing.

  7. Q: How can a package and/or signature be BAD?

    A: The combination of a file XXX and a signature file XXX.asc is BAD if

      gpg --verify XXX.asc XXX
    says it is a bad signature; in other words, XXX and XXX.asc don't belong together.

    • A bad signature in /dist/ is reason for concern, and should be investigated,
      especially if XXX and XXX.asc did belong together in the past.
    • Perhaps someone maliciously changed file XXX.
    • Sometimes the signature XXX.asc is indeed the bad one, but it may just as well be the
      file XXX itself that is bad.

    A bad signature should be investigated and fixed as soon as possible.
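    To illustrate the checks described in questions 1 and 7 (md5 checksums, required .asc
    files, gpg verification), here is an added example; it is not the checker's own code.
    It assumes each artifact's checksum lives in a sidecar XXX.md5 whose first token is the
    hex digest, and the demo uses a constructed temporary tree with gpg stubbed out.

```python
import hashlib
import shutil
import subprocess
import tempfile
from pathlib import Path

SIGNED_SUFFIXES = (".jar", ".pom", ".tar.gz", ".zip")   # these must carry a .asc

def md5_matches(path):
    """Compare against sidecar XXX.md5 (first token = hex digest); None if no .md5."""
    md5_file = Path(str(path) + ".md5")
    if not md5_file.exists():
        return None
    return hashlib.md5(Path(path).read_bytes()).hexdigest() == md5_file.read_text().split()[0].lower()

def gpg_signature_ok(path):
    """`gpg --verify XXX.asc XXX`: True only on exit status 0, None if gpg is absent."""
    if shutil.which("gpg") is None:
        return None
    return subprocess.run(["gpg", "--batch", "--verify", str(path) + ".asc", str(path)],
                          capture_output=True).returncode == 0

def check_dist(root, verify=gpg_signature_ok):
    """Walk root like the hourly checker; return (reason, path) for every problem found."""
    problems = []
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        if path.name.endswith((".md5", ".asc")):
            continue                                  # sidecars are checked via their artifact
        if md5_matches(path) is False:
            problems.append(("BAD_MD5", str(path)))
        if not path.name.endswith(SIGNED_SUFFIXES):
            continue                                  # e.g. a README needs no signature
        if not Path(str(path) + ".asc").exists():
            problems.append(("MISSING_ASC", str(path)))
        elif verify(path) is False:                   # BAD: XXX and XXX.asc don't belong together
            problems.append(("BAD_SIG", str(path)))
    return problems

def demo():
    """Constructed tree (not a real /dist/): good jar, zip rewritten after signing, unsigned tar.gz."""
    root = tempfile.mkdtemp()
    for name, data, signed in [("foo-1.0.jar", b"jar bytes", True),
                               ("bar-2.0.zip", b"original zip", True),
                               ("baz-3.0.tar.gz", b"tgz bytes", False)]:
        Path(root, name).write_bytes(data)
        Path(root, name + ".md5").write_text(hashlib.md5(data).hexdigest() + "  " + name + "\n")
        if signed:
            Path(root, name + ".asc").write_text("-----BEGIN PGP SIGNATURE-----\n(stub)\n")
    Path(root, "bar-2.0.zip").write_bytes(b"tampered")     # changed after it was hashed and signed
    fake_verify = lambda p: not p.name.endswith("bar-2.0.zip")   # stub gpg verdict: that zip is BAD
    return sorted(reason for reason, _ in check_dist(root, verify=fake_verify))
```

    Running check_dist against a real tree uses gpg itself; the demo only swaps in a stub verdict.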

