ACNA22-GPGKeySigning

Thinking of becoming a Release Manager for an ASF project? Or just want to join the GPG / PGP web of trust? Join us at the ACNA 2022 Key Signing!

This year's key signing will be a little different

TL;DR - Your key needs to be on your Github profile or listed at https://people.apache.org/keys/committer/ before you attend

Warm-up - Wednesday

Wednesday, 10:45am, during the coffee break

Meet at the piano by the lifts on level 2, near the registration desk

Key Signing - Thursday

Thursday, 10.25am, straight after the keynote during the coffee break

In the keynote room

Preparation Before Thursday

If you don't yet have a GPG key:

• See https://docs.github.com/en/authentication/managing-commit-signature-verification/generating-a-new-gpg-key
• See https://infra.apache.org/openpgp.html
• Come on Wednesday in the coffee break and several volunteers will be on hand to help

If you are an Apache Committer:

• If your key shows at https://people.apache.org/keys/committer/ you are all set!
• Otherwise login to https://id.apache.org/ and add your key
• Come on Wednesday in the coffee break and several volunteers will be on hand to help

Otherwise attach to your Github profile:

• Follow https://docs.github.com/en/authentication/managing-commit-signature-verification/adding-a-gpg-key-to-your-github-account
• Or just go to https://github.com/settings/keys and add your key
• Come on Wednesday in the coffee break and several volunteers will be on hand to help

On Thursday

To bring:

• Some photo ID
• Your laptop or phone, where you're logged into Apache or Github
• Something to take notes with, could be laptop/phone, could be pen+paper

When we meet up:

• Form 2 lines facing each other
• Pair up
• Check + Record:
  • See the photo ID of the person opposite you
  • See that the person owns the Apache or Github account
  • Note down their Apache ID or Github ID
  • Show them yours
• Move to the next person, wrapping the line when you reach the end

After the event:

• If Apache Committer get the key from https://people.apache.org/keys/committer/<name> eg https://people.apache.org/keys/committer/nick
• Otherwise get the key from https://github.com/<name.gpg> eg https://github.com/Gagravarr.gpg
• Import the public key with gpg --import thing-you-downloaded.asc
• Copy the Key ID of the key you just added eg 8AAF88D6D84E41AE
• Sign the public key ID with gpg --sign-key key-id-that-was-shown
  • eg gpg --sign-key 8AAF88D6D84E41AE
• Push that key to a key server, eg gpg --send-key 8AAF88D6D84E41AE

A few days after the event

Fetch your key back from the key servers, and see lots of new signatures on it!

You will note that we aren't sharing long lists of fingerprints like in past years. We are relying on ASF Infrastructure and Github to handle the secure distribution of the keys, and instead focus on verifying the individual and their ownership of their accounts