apache

faq

This is a FAQ for the maven repo PGP signature checker.

questions and answers

  1. Q: What's a FAQ ?

    A: A FAQ is a list of Frequently Asked Questions (and answers) ; see FAQ on wikipedia.

  2. Q: What does the checker do ?

    A: The checker looks in the maven repo at artifacts that are less than four weeks old ;
    it checks that a PGP signature (.asc) exists and, if so, verifies it.

  3. Q: Which artifacts must be signed ?

    A: All the .jar, .pom, .tar.gz and .zip files.

  4. Q: Public key not found ? Where does the checker look for keys ?

    A: The checker looks for keys in /www/people.apache.org/keys/committer/

    • If your key is missing, you should add your public pgp key using id.apache.org

    • Also, make your public pgp key available in file .pgpkey in your home directory /home/your-username/
      on people.apache.org ; make sure the checker can read it : chmod +r .pgpkey
    • Look at /home/henkp/.pgpkey for an example.
    • Never, never store your private pgp key on people.apache.org

  5. Q: How often is the repo checked ?

    A: Twice a day.

  6. Q: Where does it say repo artifacts have to be signed ?

    A: See the ASF policy on release signing.

  7. Q: How do I provide PGP signatures ?

    A: Use a release profile that includes the pgp plugin. The one used for maven components is discussed in Releasing A Maven Project ;
    for geronimo see geronimo-server-release-process. There are plenty of other examples at apache. [Thanks to David Jencks for providing this answer]

  8. Q: How can a package and/or signature be BAD ?

    A: The combination of a file XXX and a signature file XXX.asc is BAD if

      gpg --verify XXX.asc XXX
    
    says it is a bad signature ; XXX and XXX.asc don't belong together.

    • For the repo a bad signature is reason for concern, and should be investigated,
      especially if XXX and XXX.asc did belong together in the past.
    • Perhaps someone maliciously changed file XXX.
    • Sometimes we have, indeed, a bad signature, but we may also have a bad file.

    A bad signature should be investigated and fixed as soon as possible.

comments


Fri Jun 17 08:48:46 UTC 2011 Valid HTML 4.01 Transitional