<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Release Signing</title>
<meta name="description" content="Apache (incubating) Quickstep is a next-generation data processing platform. Built from the ground up to take advantage of modern hardware, Quickstep is desig...">
<link rel="stylesheet" href="/assets/main.css">
<link rel="canonical" href="http://localhost:4000/release-signing/">
<link rel="alternate" type="application/rss+xml" title="Quickstep" href="/feed.xml">
</head>
<body>
<header class="site-header" role="banner">
<div class="wrapper">
<a class="site-title" href="/">Quickstep</a>
<nav class="site-nav">
<div class="trigger">
<a class="page-link" href="/about/">About</a>
<a class="page-link" href="/release-signing/">Release Signing</a>
</div>
</nav>
</div>
</header>
<main class="page-content" aria-label="Content">
<div class="wrapper">
<article class="post" itemscope itemtype="http://schema.org/BlogPosting">
<header class="post-header">
<h1 class="post-title" itemprop="name headline">Release Signing</h1>
<p class="post-meta"><time datetime="2017-01-17T12:29:09-06:00" itemprop="datePublished">Jan 17, 2017</time><span itemprop="author" itemscope itemtype="http://schema.org/Person"><span itemprop="name">Marc</span></span></p>
</header>
<div class="post-content" itemprop="articleBody">
<h1 id="who-needs-to-sign">Who Needs to Sign?</h1>
<p>If you are a release manager, you will need to digitally sign the release tarball.</p>
<h1 id="where-can-i-learn-more">Where can I learn more?</h1>
<p>These instructions are derived from the <a href="https://www.apache.org/dev/release-signing.html">Apache guide</a> on release signing. If you are a release manager, you’ll need to know how to carry out the steps presented in this guide.</p>
<ul>
<li>
<p>A good overview of why we sign is <a href="http://mirror-vm.apache.org/~henkp/trust/">here</a>. It explains the concept of <em>web of trust</em>.</p>
</li>
<li>
<p>An excellent example of another Apache project’s release guide is <a href="https://cwiki.apache.org/confluence/display/IMPALA/DRAFT%3A+How+to+Release">here</a>.</p>
</li>
</ul>
<h1 id="why-does-this-seem-so-complicated">Why does this seem so complicated?</h1>
<p>Learning how to use public/private key cryptography is not as simple as learning how to send an email. Granted, it’s also not as hard as learning C++, so there’s reason to be thankful.</p>
<p>I think a large part of why this process seems complicated is that you must become familiar with a fairly technical concept and at the same time learn yet another command line tool. This means you’ll have to learn about asymmetric cryptography as well as the tool which implements the algorithms, be it pgp, gpg, or kpgp.</p>
<p>Keep hope, and do please note that, as per the Apache guide,</p>
<blockquote>
<p>Applied cryptography is a subject that has considerable depth. Luckily, it’s possible to get started signing releases without being an expert. Just remember that (from time to time) you will encounter situations that will require research and learning. Hopefully the <a href="https://www.apache.org/dev/release-signing.html#faq">FAQ</a> will be a reasonable first port of call.</p>
</blockquote>
<h1 id="how-do-i-sign-a-release">How do I sign a release?</h1>
<h2 id="generate-a-key">Generate a key</h2>
<p>If you already have a key pair created with PGP and it’s registered on a <a href="https://keyserver.ubuntu.com">public keyserver</a>, then you can skip this step. If not, here’s how to generate and upload a key which is linked to you (via an email address).</p>
<p>First, <a href="https://www.apache.org/dev/openpgp.html#generate-key">here’s the link</a> to the Apache page which these instructions are derived from.</p>
<p>Next, here’s one possible set of commands that you can use to generate your key on a Mac.</p>
<p>Get gpg, the GNU Privacy Guard (GnuPG), a free implementation of the OpenPGP standard.</p>
<div class="language-sh highlighter-rouge"><pre class="highlight"><code><span class="c"># Installing gpg on a Mac</span>
brew install gpg
<span class="c"># Of course, this assumes you have brew.</span>
</code></pre>
</div>
<p>Next, change the settings of <code class="highlighter-rouge">gpg</code> so that a strong security standard is the default. These may already be set, so check whether your gpg.conf file already specifies them before appending: the commands below append unconditionally, so running them twice leaves duplicate lines.</p>
<div class="language-sh highlighter-rouge"><pre class="highlight"><code><span class="c"># Appending some settings to ~/.gnupg/gpg.conf</span>
<span class="nb">echo</span> <span class="s2">"personal-digest-preferences SHA512"</span> &gt;&gt; ~/.gnupg/gpg.conf
<span class="nb">echo</span> <span class="s2">"cert-digest-algo SHA512"</span> &gt;&gt; ~/.gnupg/gpg.conf
<span class="nb">echo</span> <span class="s2">"default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed"</span> &gt;&gt; ~/.gnupg/gpg.conf
</code></pre>
</div>
<p>Now you can generate a new key using the strong security settings. Accept the defaults, including the option for a non-expiring key.</p>
<div class="language-sh highlighter-rouge"><pre class="highlight"><code><span class="c"># Generating a public/private key pair</span>
gpg --gen-key
</code></pre>
</div>
<p>Once that’s done, you’ll want to <a href="https://www.apache.org/dev/release-signing.html#keyserver-upload">register your new public key</a> with a keyserver. This will make it easier for resistance operatives to help you take down tyrannical dictatorships. More generally, a keyserver lets others find your key, but it does not vouch for who owns it: anyone can upload a key under any name. Having other people in the Apache web of trust sign your key is what makes it more trusted.</p>
<div class="language-sh highlighter-rouge"><pre class="highlight"><code><span class="c"># Finding the id of your new key</span>
gpg --list-keys
<span class="c"># pub 2048R/D64EA123 2017-01-17</span>
<span class="c"># uid [ultimate] Marc Spehlmann (EXAMPLE) &lt;ajmarc@cramja.com&gt;</span>
<span class="c"># 'D64EA123' is the key's id</span>
gpg --send-key D64EA123
<span class="c"># there is also a keyserver option to choose which keyserver</span>
gpg --keyserver keyserver.ubuntu.com --send-key D64EA123
</code></pre>
</div>
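<p>Two helpers for the key-setup steps above, added here as an example rather than taken from the Quickstep guide: <code>ensure_gpg_option</code> makes the gpg.conf edits idempotent (a plain <code>echo &gt;&gt;</code> appends a duplicate line each time it is run), and <code>key_id_from_listing</code> reads the key id from the machine-readable <code>gpg --list-keys --with-colons</code> output rather than the human-readable listing, whose layout varies between gpg versions. The sample listing is constructed and contains no real key data.</p>

```shell
#!/bin/sh
# Added example (not part of the Quickstep release guide): helpers for the
# gpg.conf and key-id steps above. ensure_gpg_option makes the gpg.conf edit
# idempotent (the guide's plain "echo >>" appends a duplicate line each time
# it is run), and key_id_from_listing reads the key id from the machine-
# readable `gpg --list-keys --with-colons` output instead of the human-readable
# form, whose layout varies between gpg versions.
set -eu

# Set OPTION to VALUE in CONF, replacing any existing line for that option or
# appending one. Values with spaces are passed as a single quoted argument.
# Usage: ensure_gpg_option ~/.gnupg/gpg.conf cert-digest-algo SHA512
ensure_gpg_option() {
    conf=$1; option=$2; value=$3
    [ -f "$conf" ] || : > "$conf"
    tmp="$conf.tmp"
    {
        # Drop existing "option" / "option value" lines; grep -v exits 1 when
        # nothing is left, which is not an error here.
        grep -Ev "^$option([[:space:]]|$)" "$conf" || :
        printf '%s %s\n' "$option" "$value"
    } > "$tmp"
    mv "$tmp" "$conf"
}

# Print the long key id (field 5 of the "pub" record) for the first key in
# `gpg --list-keys --with-colons` output read from stdin. The short id shown
# in the guide (D64EA123) is just the last 8 hex digits; prefer the long id
# or the full fingerprint, since short ids are easy to collide.
# Usage: gpg --list-keys --with-colons you@example.com | key_id_from_listing
key_id_from_listing() {
    awk -F: '$1 == "pub" { print $5; exit }'
}

# Constructed sample of --with-colons output (not real key data), in the
# shape gpg 2.x prints: the pub record's 5th field is the long key id.
SAMPLE_LISTING='tru::1:1484681349:0:3:1:5
pub:u:2048:1:0123ABCDD64EA123:1484681349:::u:::scESC::::::23::0:
fpr:::::::::9F8E7D6C5B4A39281706F5E40123ABCDD64EA123:
uid:u::::1484681349::A1B2C3D4E5F60718293A4B5C6D7E8F9001122334::Marc Spehlmann (EXAMPLE) <ajmarc@cramja.com>::::::::::0:
sub:u:2048:1:FEDCBA9876543210:1484681349::::::e::::::23:'
```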
<h2 id="exporting-your-key-to-keys">Exporting your key to KEYS</h2>
<p>You’ll want to export the public key from the public/private key pair you are going to use to sign the release. We keep this in a KEYS file in the root directory of Quickstep, following the example of other Apache projects.</p>
<div class="language-sh highlighter-rouge"><pre class="highlight"><code><span class="c"># Appending your public key to the KEYS file</span>
<span class="nb">cd</span> ~/workspace/incubator-quickstep
gpg --export --armor D64EA123 &gt;&gt; KEYS
</code></pre>
</div>
<h2 id="signing-the-release-tarball">Signing the Release Tarball</h2>
<p>We sign the release so that a downloader can verify that what they downloaded is byte-for-byte identical to the file you signed, and that it was signed by a key listed in the project’s KEYS file. This is for security.</p>
<p>Checksums let a downloader confirm the file arrived intact, but they are mainly there to detect errors in transmission: whoever can replace the tarball can replace the checksum alongside it, so they are no substitute for the signature.</p>
<div class="language-sh highlighter-rouge"><pre class="highlight"><code><span class="c"># Signing a release</span>
gpg -u YOUR_APACHE_USER_NAME@apache.org --armor --output apache-quickstep-incubating-x.y.z.tar.gz.asc --detach-sign apache-quickstep-incubating-x.y.z.tar.gz
<span class="c"># Make sure it worked</span>
gpg --verify apache-quickstep-incubating-x.y.z.tar.gz.asc apache-quickstep-incubating-x.y.z.tar.gz
<span class="c"># Make checksums</span>
md5sum apache-quickstep-incubating-x.y.z.tar.gz &gt; apache-quickstep-incubating-x.y.z.tar.gz.md5
sha1sum apache-quickstep-incubating-x.y.z.tar.gz &gt; apache-quickstep-incubating-x.y.z.tar.gz.sha
<span class="c"># Make sure they worked</span>
md5sum --check apache-quickstep-incubating-x.y.z.tar.gz.md5
sha1sum --check apache-quickstep-incubating-x.y.z.tar.gz.sha
</code></pre>
</div>
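<p>The other side of the procedure above, as an added example that is not part of the Quickstep guide: the check a downloader (or the release manager, before publishing) runs against the tarball, its <code>.asc</code> signature, the <code>.sha</code>/<code>.md5</code> files and the project’s KEYS file. It assumes all of them sit in the current directory, named as in the commands above.</p>

```shell
#!/bin/sh
# Added example (not part of the Quickstep release guide): what a downloader,
# or the release manager before publishing, runs to verify a release. It
# assumes the tarball, its .asc signature, its .sha/.md5 checksum files and
# the project's KEYS file are in the current directory, named as in the
# guide above.
set -eu

# Check the files the guide produces with `sha1sum f > f.sha` and
# `md5sum f > f.md5`. A checksum only catches a corrupted download: whoever
# can replace the tarball on a mirror can replace the checksum file beside
# it, so this is not a substitute for verify_signature below.
check_checksums() {
    tarball=$1
    sha1sum --check "$tarball.sha" || return 1
    if [ -f "$tarball.md5" ]; then
        md5sum --check "$tarball.md5" || return 1
    fi
}

# Verify the detached signature using only the keys in KEYS, imported into a
# throwaway keyring so the result does not depend on (or pollute) the user's
# own keyring. gpg exits non-zero if the signature does not match the file
# or was made by a key that is not in KEYS. gpg still warns that the key is
# "not certified": a good signature proves a key from KEYS signed the
# tarball; fetching KEYS from the project over HTTPS and the web-of-trust
# signatures the guide mentions are what tie that key to a release manager.
verify_signature() {
    tarball=$1; keys=$2
    homedir=$(mktemp -d)   # mktemp creates it with mode 0700, as gpg requires
    gpg --homedir "$homedir" --quiet --import "$keys"
    if gpg --homedir "$homedir" --verify "$tarball.asc" "$tarball"; then
        status=0
    else
        status=$?
    fi
    rm -rf "$homedir"
    return "$status"
}

# Run both checks; with set -e the script stops at the first failure.
verify_release() {
    tarball=$1; keys=${2:-KEYS}
    check_checksums "$tarball"
    verify_signature "$tarball" "$keys"
    echo "$tarball: checksums and signature OK"
}

# Usage: verify_release apache-quickstep-incubating-x.y.z.tar.gz KEYS
```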
</div>
</article>
</div>
</main>
<footer class="site-footer">
<div class="wrapper">
<h2 class="footer-heading">Quickstep</h2>
<div class="footer-col-wrapper">
<div class="footer-col footer-col-1">
<ul class="contact-list">
<li>
Quickstep
</li>
<li><a href="mailto:dev@quickstep.incubator.apache.org">dev@quickstep.incubator.apache.org</a></li>
</ul>
</div>
<div class="footer-col footer-col-2">
<ul class="social-media-list">
<li>
<a href="https://github.com/apache"><span class="username">apache</span></a>
</li>
</ul>
</div>
<div class="footer-col footer-col-3">
<p>Apache (incubating) Quickstep is a next-generation data processing platform. Built from the ground up to take advantage of modern hardware, Quickstep is designed for high-performance analytical queries.
</p>
</div>
</div>
</div>
</footer>
</body>
</html>