Apache feather logo with text Public key files

ASF committers can add key fingerprints to their LDAP record using the Self-service web application.
Only the fingerprints are stored in the LDAP record.
The corresponding keys must be uploaded to a public key server.

Committer public key files

The files in the Committer keys directory are autogenerated from LDAP records and grouped by ASF id.
(The public keys are downloaded from a public key server using the fingerprints from LDAP)

Project public key files

The files in the Project keys directory are generated from the Committer keys, and grouped by project/podling.
Project membership is determined from the LDAP unix and committee groups (not committee-info.txt) and the current podlings listing from Whimsy.

Note: the project group files are not directly suitable for use as KEYS files for authenticating releases - i.e. they should not be linked from download pages.
This is because:

Individual committer key details can be copied from the committer or group files into the project KEYS file.
To keep the KEYS file manageable, it's recommended to only add the keys of committers who have signed releases.