Thinking of becoming a Release Manager for an ASF project? Or just want to join the GPG / PGP web of trust? Join us at the ACNA 2022 Key Signing!
This year's key signing will be a little different
TL;DR - Your key needs to be on your Github profile or listed at https://people.apache.org/keys/committer/ before you attend
Warm-up - Wednesday
Wednesday, 10:45am, during the coffee break
Meet at the piano by the lifts on level 2, near the registration desk
Key Signing - Thursday
Thursday, 10:25am, straight after the keynote during the coffee break
In the keynote room
Preparation Before Thursday
If you don't yet have a GPG key:
- See https://docs.github.com/en/authentication/managing-commit-signature-verification/generating-a-new-gpg-key
- See https://infra.apache.org/openpgp.html
- Come on Wednesday in the coffee break and several volunteers will be on hand to help
If you are an Apache Committer:
- If your key shows at https://people.apache.org/keys/committer/ you are all set!
- Otherwise log in to https://id.apache.org/ and add your key
- Come on Wednesday in the coffee break and several volunteers will be on hand to help
Otherwise attach your key to your Github profile:
- Follow https://docs.github.com/en/authentication/managing-commit-signature-verification/adding-a-gpg-key-to-your-github-account
- Or just go to https://github.com/settings/keys and add your key
- Come on Wednesday in the coffee break and several volunteers will be on hand to help
On Thursday
To bring:
- Some photo ID
- Your laptop or phone, where you're logged into Apache or Github
- Something to take notes with, could be laptop/phone, could be pen+paper
When we meet up:
- Form 2 lines facing each other
- Pair up
- Check + Record:
  - See the photo ID of the person opposite you
  - See that the person owns the Apache or Github account
  - Note down their Apache ID or Github ID
  - Show them yours
- Move to the next person, wrapping the line when you reach the end
After the event:
- If they are an Apache Committer, get the key from https://people.apache.org/keys/committer/<name>, e.g. https://people.apache.org/keys/committer/nick
- Otherwise get the key from https://github.com/<name>.gpg, e.g. https://github.com/Gagravarr.gpg
- Import the public key with gpg --import thing-you-downloaded.asc
- Copy the Key ID of the key you just added, e.g. 8AAF88D6D84E41AE
- Sign the public key ID with gpg --sign-key key-id-that-was-shown
  - e.g. gpg --sign-key 8AAF88D6D84E41AE
- Push that key to a key server, e.g. gpg --send-key 8AAF88D6D84E41AE
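The "After the event" steps as one script, for working through the IDs you noted down. This is an added example, not part of the original announcement: the notes-file format ("apache <id>" or "github <id>" per line) and the function names are assumptions, and it signs by full fingerprint rather than the shorter Key ID.

```shell
#!/bin/sh
# Added example (not from the original page). Input file: one "apache <id>" or
# "github <id>" per line; that notes format is an assumption of this sketch.

# Print the download URL for one noted ID; return 1 for anything unexpected.
key_url() {
  # Letters, digits, '-' and '_' only, so a mis-noted ID cannot alter the URL.
  case $2 in
    ''|*[!A-Za-z0-9_-]*) return 1 ;;
  esac
  case $1 in
    apache) printf 'https://people.apache.org/keys/committer/%s\n' "$2" ;;
    github) printf 'https://github.com/%s.gpg\n' "$2" ;;
    *) return 1 ;;
  esac
}

# Read `gpg --with-colons` output on stdin and print one fingerprint per
# primary key. Subkey fingerprints are skipped; a download may hold several keys.
primary_fprs() {
  awk -F: '$1 == "pub" { want = 1 }
           $1 == "sub" { want = 0 }
           $1 == "fpr" && want { print $10; want = 0 }'
}

# Download, import, sign and send the key(s) for one noted ID.
sign_one() {
  url=$(key_url "$1" "$2") || { echo "skipping bad entry: $1 $2" >&2; return 1; }
  file=$(mktemp) || return 1
  # HTTPS only, and fail on HTTP errors rather than saving an error page.
  curl --fail --silent --show-error --location --proto '=https' \
       --proto-redir '=https' --output "$file" "$url" || { rm -f "$file"; return 1; }
  fprs=$(gpg --show-keys --with-colons "$file" | primary_fprs)
  [ -n "$fprs" ] || { echo "no key found at $url" >&2; rm -f "$file"; return 1; }
  gpg --import "$file"
  rm -f "$file"
  for fpr in $fprs; do
    gpg --sign-key "$fpr"    # interactive: check the user IDs gpg shows before confirming
    gpg --send-keys "$fpr"
  done
}

# Run only when given a notes file, e.g.: sh sign-noted-keys.sh notes.txt
if [ "$#" -eq 1 ]; then
  # Read the notes on fd 3 so gpg keeps the terminal for its prompts.
  while read -r kind id <&3; do
    sign_one "$kind" "$id" || echo "failed: $kind $id" >&2
  done 3< "$1"
fi
```

Only sign keys for people whose photo ID and account ownership you checked in person; the script does not replace that check.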
A few days after the event
Fetch your key back from the key servers, and see lots of new signatures on it!
You will note that we aren't sharing long lists of fingerprints like in past years. We are relying on ASF Infrastructure and Github to handle the secure distribution of the keys, and instead focusing on verifying the individual and their ownership of their accounts.