...
- GPG should be configured to use your Apache code signing key by default
- I always ensured
c:/temp/libs
was empty so that the build had to download all the dependencies - This does not include the signing of the Windows installer, which must be done using https://one.digicert.com/ and https://infra.apache.org/digicert-use.html which is automated during the build process once the Tomcat PMC key is accessible by using jsign
- The logs for the Windows signing are in ~/.signingmanager/logs on Linux
Upload the release
Upload the contents of TOMCAT_9_0_XX/output/release
to https://dist.apache.org/repos/dist/dev/tomcat/tomcat-9/
...