THIS STUFF HAS NOW BEEN ADDED TO THE DocBook CONTRIBUTORS GUIDE.
Some background notes:
These are my notes of the steps required.
Install and configure GnuPG
Download GnuPG, http://www.gnupg.org/download/
- 1.4.10 or higher
Edit ~/.gnupg/gpg.conf so that the default is to generate a strong key
- on Windows, the file to edit is C:\Users\xxx\AppData\Roaming\gnupg\gpg.conf
Generate RSA keys, 4096 bits
Specify key length as 4096 bits:
Specify duration of key validity:
Enter your name, email and comment:
- You should use your apache.org email
- the comment should be "CODE SIGNING KEY"
Provide a passphrase:
The keys are generated.
The public key with id nnnnnnnn is stored in ~/.gnupg/pubring.pgp.
- on Windows 7, this is in c:/Users/xxx/AppData/Roaming/gnupg/pubring.pgp
The key Id is the one true way to identify the key, and is also the last 8 digits of the fingerprint.
The corresponding secret key for id nnnnnnnn is stored in ~/.gnupg/secring.pgp.
- on Windows 7, this is in c:/Users/xxx/AppData/Roaming/gnupg/secring.pgp
There are also a couple of other files here, including trustdb.gpg and random_seed.
These files are all important, so back them up somewhere outside your computer.
Check that the key has been correctly generated
Use the 'showpref' subcommand to list details:
The Digest line should list SHA-512 first and SHA-1 last.
Use 'quit' to return to the command prompt.
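The three steps above (harden gpg.conf, generate the key, check its preferences) as one script. This is an added example, not part of the original notes: the function names, the `GPG_CONF` location, and the non-interactive `gpg --edit-key ID showpref quit` invocation are my assumptions; the gpg.conf options are the standard GnuPG settings for preferring SHA-512. The two string helpers at the end run without gpg installed.

```sh
#!/bin/sh
# Added example: harden gpg.conf, generate a 4096-bit RSA key, and check the
# digest preferences that 'showpref' should report. Needs GnuPG 1.4.10+ on PATH
# for the gpg functions; the helpers at the end are pure shell.

GPG_CONF="${GNUPGHOME:-$HOME/.gnupg}/gpg.conf"   # on Windows: %APPDATA%\gnupg\gpg.conf

# Append the options that make GnuPG prefer SHA-512 (and AES-256) by default.
# Lines already present in the file are left alone, so this is safe to re-run.
write_gpg_conf() {
  conf="$1"
  mkdir -p "$(dirname "$conf")"
  touch "$conf"
  for opt in \
    'personal-digest-preferences SHA512' \
    'cert-digest-algo SHA512' \
    'default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed'
  do
    grep -qxF "$opt" "$conf" || printf '%s\n' "$opt" >> "$conf"
  done
}

# Interactive key generation: pick "RSA and RSA", 4096 bits, an expiry date,
# your apache.org address, the comment "CODE SIGNING KEY" and a passphrase.
generate_key() {
  gpg --gen-key
}

# Print the "Digest:" line of a key's preferences, as 'showpref' reports it
# (assumed: edit-key commands passed on the command line, ending in 'quit').
show_digest_prefs() {
  gpg --edit-key "$1" showpref quit 2>/dev/null | grep 'Digest:'
}

# Pure check: SHA-512 must be listed first and SHA-1 last on the Digest line.
# Accepts gpg's spelling "SHA512" as well as "SHA-512".
digest_prefs_ok() {
  list=$(printf '%s' "$1" | tr -d '-' | sed 's/^ *Digest: *//')
  first=${list%%,*}
  last=${list##*,}
  last=${last# }
  [ "$first" = "SHA512" ] && [ "$last" = "SHA1" ]
}

# The 8-character key id is the last 8 hex digits of the fingerprint.
short_key_id() {
  fpr=$(printf '%s' "$1" | tr -d ' ')
  printf '%s\n' "${fpr#"${fpr%????????}"}"
}

# Dispatch: sh gpgkey.sh write_gpg_conf "$GPG_CONF"; sh gpgkey.sh show_digest_prefs nnnnnnnn
[ "$#" -eq 0 ] || "$@"
```

Run `write_gpg_conf` before `generate_key`, because the preference list in gpg.conf is what gets baked into the new key and later shown by `showpref`; `digest_prefs_ok "$(show_digest_prefs nnnnnnnn)"` then gives a yes/no answer instead of eyeballing the output.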
Generate Revocation Certificates
It's good practice to generate a number of revocation certificates so that the key can be revoked if it happens to be compromised.
First, generate a "no reason specified" certificate:
Select "no reason specified"
Provide a comment:
The file 'revoke-nnnnnnnn-0.asc' should be created:
Then, backup this file.
Now repeat the process to create two further revocation certificates:
- gpg --output revoke-nnnnnnnn-1.asc --armor --gen-revoke nnnnnnnn
- specify reason as "1 = Key has been compromised"
- gpg --output revoke-nnnnnnnn-3.asc --armor --gen-revoke nnnnnnnn
- specify reason as "3 = Key is no longer used"
Backup these files also.
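The revocation and backup steps above as a script. This is an added example, not part of the original notes: the function names, the `GNUPGHOME` default and the tar.gz backup layout are my assumptions; `gpg --gen-revoke` still prompts interactively for the reason code, which the script only announces before each call.

```sh
#!/bin/sh
# Added example: create the three revocation certificates the notes describe
# and back up the whole GnuPG directory plus the certificates to a location
# outside this machine (e.g. a mounted USB stick).

GNUPGHOME="${GNUPGHOME:-$HOME/.gnupg}"

# gpg --gen-revoke asks for the reason; answer 0, 1 and 3 respectively.
gen_revocation_certs() {
  keyid="$1"
  for reason in 0 1 3; do
    case $reason in
      0) echo ">> choose: 0 = No reason specified" ;;
      1) echo ">> choose: 1 = Key has been compromised" ;;
      3) echo ">> choose: 3 = Key is no longer used" ;;
    esac
    gpg --output "revoke-$keyid-$reason.asc" --armor --gen-revoke "$keyid"
  done
}

# Pure check: gpg writes a revocation certificate as an armored public key
# block; refuse to archive a file that does not start that way.
is_revocation_cert() {
  head -n 1 "$1" | grep -q '^-----BEGIN PGP PUBLIC KEY BLOCK-----$'
}

# Archive the keyring directory (pubring, secring, trustdb, random_seed ...)
# and revoke-<keyid>-*.asc from the current directory into $2/.
# Prints the archive path. Keep the archive off this computer.
backup_key_material() {
  keyid="$1"; dest="$2"
  for f in "revoke-$keyid-"*.asc; do
    is_revocation_cert "$f" || { echo "not a revocation certificate: $f" >&2; return 1; }
  done
  mkdir -p "$dest"
  stage=$(mktemp -d)
  cp -R "$GNUPGHOME" "$stage/gnupg"
  cp "revoke-$keyid-"*.asc "$stage/"
  archive="$dest/gnupg-$keyid-$(date +%Y%m%d).tar.gz"
  tar -czf "$archive" -C "$stage" .
  rm -rf "$stage"
  chmod 600 "$archive"      # the archive contains the secret keyring
  printf '%s\n' "$archive"
}

# Dispatch: sh revoke.sh gen_revocation_certs nnnnnnnn; sh revoke.sh backup_key_material nnnnnnnn /media/usb
[ "$#" -eq 0 ] || "$@"
```

The backup deliberately includes the secret keyring, so treat the archive like the passphrase-protected key itself: file mode 600 and offline storage, not a shared drive.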
nb: if you find that you need to revoke your certificate, this blog post explains how
Publish Public Key to Key server
It is also necessary to publish your key to a public key server, eg MIT (http://pgp.mit.edu). Apparently the public key servers synchronize with each other, so this should be sufficient.
So, browse to http://pgp.mit.edu/ and paste the armored representation of your key (ie as generated by gpg --armor --export nnnnnnnn) into the field:
where nnnnnnnn is the key Id
Confirm the key has been added by submitting the following URL: http://pgp.mit.edu:11371/pks/lookup?search=0xnnnnnnnn&op=vindex
where nnnnnnnn is the key Id
Save Public Key to Apache Repositories
Update the .pgpkey file in your home directory on people.apache.org with an ASCII armored public key export of the key:
Then scp the file into your home directory on people.apache.org.
Copy the same file to be available under a standard URL:
scp this file into ~/public_html on people.apache.org (so that it is accessible via http://people.apache.org/~username/nnnnnnnn.asc).
First, check out the committers/info directory:
Now, obtain the fingerprint of your key:
Go to Apache FOAF-a-matic to generate the FOAF file text (we copy this text out in a minute):
- enter ASF ID
- enter First name, Last name
- for PGP key fingerprints, add Key
- paste in the key id
- paste in the fingerprint
- press "Create"
In the box below, you should have a FOAF file, something like:
(If you are creating the FOAF file for the first time, you may want to add additional details).
From this, copy out the wot:key, and paste it into your FOAF file in committers/info:
Then, manually add a <wot:pubkeyAddress> element within <wot:PubKey>:
ie, referencing your publicly exported public key
Finally, commit your changes.
Save Public Key to Apache Isis' SVN Repo
- http://maven.apache.org/developers/release/pmc-gpg-keys.html as reference...
- nb: this is specific for Maven developers
- for us, we should edit the Isis KEYS file.
The key Id and "armored" (ie ASCII) representation of the public key should be saved to Isis' KEYS file https://svn.apache.org/repo/asf/incubator/isis/KEYS
The instructions are at the top of the file; if using gpg then:
where nnnnnnnn is the ID of the key
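The publishing steps (key server, people.apache.org, FOAF file, KEYS file) as a script. This is an added example, not part of the original notes: the function names and the `ASF_ID` placeholder are mine; `gpg --send-keys` is offered as a command-line alternative to the web form the notes use; the FOAF element names follow the WOT vocabulary (http://xmlns.com/wot/0.1/), and stripping spaces from the fingerprint is my assumption about what FOAF-a-matic emits.

```sh
#!/bin/sh
# Added example: export the public key, publish it, obtain its fingerprint,
# emit the FOAF <wot:PubKey> element, and append the KEYS file entry.

ASF_ID="${ASF_ID:-username}"   # your Apache id (placeholder default)

# ASCII-armored public key: what you paste into the key server form, save as
# ~/.pgpkey and copy to ~/public_html/<keyid>.asc on people.apache.org.
export_public_key() {
  gpg --armor --export "$1" > "$2"
}

# Command-line alternative to pasting into the MIT key server's web form.
send_to_keyserver() {
  gpg --keyserver pgp.mit.edu --send-keys "$1"
}

# Fingerprint as gpg prints it: "1234 5678 ... DEAD BEEF".
fingerprint_of() {
  gpg --fingerprint "$1" | sed -n 's/^ *Key fingerprint = //p' | head -n 1
}

# FOAF web-of-trust element for committers/info. $1 key id, $2 fingerprint.
# The rdf: prefix is declared at the top of every FOAF file.
foaf_pubkey_xml() {
  keyid="$1"
  fpr=$(printf '%s' "$2" | tr -d ' ')
  cat <<EOF
<wot:hasKey>
  <wot:PubKey>
    <wot:hex_id>$keyid</wot:hex_id>
    <wot:fingerprint>$fpr</wot:fingerprint>
    <wot:pubkeyAddress rdf:resource="http://people.apache.org/~$ASF_ID/$keyid.asc"/>
  </wot:PubKey>
</wot:hasKey>
EOF
}

# Entry for the Isis KEYS file: the signature listing followed by the armored
# key, appended to a local checkout of KEYS ($2).
append_keys_entry() {
  { gpg --list-sigs "$1"; gpg --armor --export "$1"; } >> "$2"
}

# Dispatch: sh publish.sh foaf_pubkey_xml nnnnnnnn "$(sh publish.sh fingerprint_of nnnnnnnn)"
[ "$#" -eq 0 ] || "$@"
```

`foaf_pubkey_xml` writes the URL that `export_public_key` plus scp to ~/public_html makes real, so check that the .asc file is actually fetchable at that address before committing the FOAF change.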
Attend a Key Signing Party to get public key added to the Apache "web of trust"
Although your public key can be used to sign releases (see ReleaseProcess), this is discouraged until you've had your public key counter-signed by others in the Apache Community.
This is usually done via a Key signing party, eg as described here: http://wiki.apache.org/apachecon/PgpKeySigning.