Skip to end of metadata
Go to start of metadata


PGP keys are required for releasing artifacts, as described for the ReleaseProcess, although not (as I now understand it) for the ManualDeployProcessForSnapshots.

Some background notes:

These are my notes of the steps required.

Install and configure GnuPG


Download GnuPG,

  • 1.4.10 or higher

Edit ~/.gnupg/gpg.conf so that the default is to generate a strong key

  • on Windows, the file to edit is C:\Users\xxx\AppData\Roaming\gnupg\gpg.conf

Generate Keys


Generate RSA keys, 4096 bits

Specify RSA:

Specify key length as 4096 bits:

Specify duration of key validity:

Enter your name, email and comment:

  • You should use your email
  • the comment should be "CODE SIGNING KEY"

Provide a passphrase:

The keys are generated.

The public key with id nnnnnnnn is stored in ~/.gnupg/pubring.pgp.

  • on Windows 7, this is in c:/Users/xxx/AppData/Roaming/gnupg/pubring.pgp

The key Id is the one true way to identify the key, and is also the last 8 digits of the fingerprint.

The corresponding secret key for id nnnnnnnn is stored in ~/.gnupg/secring.pgp.

  • on Windows 7, this is in c:/Users/xxx/AppData/Roaming/gnupg/secring.pgp

There are also a couple of other files here, including trustdb.gpg and random_seed.

These files are all important, so backup outside of your computer.

Check key has been correctly generated

Use the 'showpref' subcommand to list details:

The Digest line should list SHA-512 first and SHA-1 last.

Use 'quit' to return to the command prompt.

Generate Revocation Certifications


It's good practice to generate a number of revocation certificates so that the key can be revoked if it happens to be compromised.

First, generate a "no reason specified" key:

Select "no reason specified"

Provide a comment:

Provide passphrase:

The file 'revoke-nnnnnnnn-0.asc' should be created:

Then, backup this file.

Now repeat the process to create two further revocation certificates:

  • gpg --output revoke-nnnnnnnn-1.asc --armor --gen-revoke nnnnnnnn
  • specify reason as "1 = Key has been compromised"
  • gpg --output revoke-nnnnnnnn-3.asc --armor --gen-revoke nnnnnnnn
  • specify reason as "3 = Key is no longer used"

Backup these files also.

nb: if you find that you need to revoke your certificate, this blog post explains how

Publish Public Key to Key server


It is also necessary to publish your key to a public key server, eg MIT ( Apparently the public key servers synchronize with each other, so this should be sufficient.

So, browse to and paste in the armored representation of your key (ie as generated by gpg --armor --export nnnnnnnn) into the field:

where nnnnnnnn is the key Id

Confirm the key has been added by browsing to submitting the following URL

where nnnnnnnn is the key Id

Save Public Key to Apache Repositories



Update the .pgpkey file in your home directory on with an ASCII armored public key export of the key:

scp 'd the file into your home directory on

Standard URL

Copy the same file to be available under a standard URL:

scp this file into ~/public_html on (so that it is accessible via


First, check out the committers/info directory:

Now, obtain the fingerprint of your key:

Go to Apache FOAF-a-matic to generate the FOAF file text (we copy this text out in a minute):

  • enter ASF ID
  • enter First name, Last name
  • for PGP key fingerprints, add Key
  • paste in the key id
  • paste in the fingerprint
  • press "Create"

In the box below, you should have a FOAF file, something like:

(If you are creating the FOAF file for the first time, you may want to add additional details).

From this, copy out the wot:key, and paste into your FDF file in committers/info:

Then, manually add in a <wot:pubkeyAddress> element within <wot:PubKey>:

ie, referencing your publically exported public key

Finally, commit your changes.

Save Public Key to Apache Isis' SVN Repo


The key Id and "armored" (ie ASCII) representation of the public key should be saved to Isis' Keys file

The instructions are at the top of the file; if using gpg then:

where nnnnnnnn is the ID of the key

Then commit.

Attend a Key Signing Party to get public key added to the Apache "web of trust"

Although your public key can be used to sign releases ReleaseProcess, this is discouraged until you've had your public key counter-signed by others in the Apache Community.

This is usually done via a Key signing party, eg as described here:

  • No labels