Re: [jetty-dev] Announcements of releases / signatures / location

[Joakim Erdfelt <joakim@xxxxxxxxxxx>]

That's me.

The machine I build releases from has had the same gpg key for the past 12 years.

Back when I was releasing parts of Apache Maven and Apache Archiva.

I need to make sure that Jetty release process is using project appropriate gpg keys.

https://github.com/eclipse/jetty.project/issues/1082

Updated the KEYS.txt for you, hope that helps.

Joakim Erdfelt / joakim@xxxxxxxxxxx

On Mon, Nov 7, 2016 at 11:01 AM, Tom Zeller <tzeller@xxxxxxxxxxxxxx> wrote:

Thank you for adding KEYS.txt[1], but I still don't see the
fingerprint I'm looking for :

gpg --verify jetty-distribution-9.3.14.v20161028.pom.asc
gpg: Signature made Fri 28 Oct 2016 03:53:10 PM EDT using DSA key ID 8FB67BAC
gpg: Good signature from "Joakim Erdfelt <joakime@xxxxxxxxxx>"
Primary key fingerprint: B59B 67FD 7904 9843 67F9  3180 0818 D9D6 8FB6 7BAC

[1] https://github.com/eclipse/jetty.project/blob/jetty-9.3.x/KEYS.txt :

# GPG Release Key Fingerprints
Jan Bartel AED5 EE6C 45D0 FE8D 5D1B 164F 27DE D4BF 6216 DB
Simone Bordet 8B09 6546 B1A8 F026 56B1 5D3B 1677 D141 BCF3 58
Joakim Erdfelt BFBB 21C2 46D7 7768 3628 7A48 A04E 0C74 ABB3 5F
Jesse McConnell 2A68 4B57 436A 81FA 8706 B53C 61C3 351A 438A 3B7D

> Now a KEYS file in our github repository is not a bad idea at all, I
> recently updated my keys and validated that we hadn't been dinged by that
> short id collision attack from a while back.  I'll create that KEYS file now
> on the 9.3.x branch and merge it forward.

_______________________________________________
jetty-dev mailing list
jetty-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-dev