Apache feather logo with text Public key files

ASF committers can add key fingerprints to their LDAP record using the SelfServe or Whimsy web application.
Only the fingerprints are stored in the LDAP record.
The corresponding keys must be uploaded to a public key server.

Committer public key files

The files in the Committer keys directory are autogenerated once a day from LDAP records and grouped by ASF id.
(The public keys are downloaded from a public key server using the fingerprints from LDAP)
Note that LDAP currently contains some entries which are the short key id (8 hex chars) rather than the full fingerprint (40 chars).
These key id entries are ignored because they are not guaranteed unique; and it has been shown that they can be spoofed.
If your key does not appear in your .asc file, check that the whole fingerprint is present.
Also check that there are no leading or trailing spaces (embedded spaces are OK) because LDAP encodes these (and some other apps may not be able to decode them)

Project public key files

Project group files are no longer created. They are not suitable for use as KEYS files for authenticating releases
This is because:

Individual committer key details can be copied from the committer or group files into the project KEYS file.
To keep the KEYS file manageable, it's recommended to only add the keys of committers who have signed releases.