Currently all Release Managers have either MacOS or Linux workstations. The scripting/automation assumes one of these two platforms.
In addition to all the tools assumed to be installed for building OpenWhisk, you will also need the following packages installed:
You will need to fork this openwhisk-release repository and then clone your fork. Setup to use the same GitHub workflows you use for other OpenWhisk repositories to which you contribute.
The scripts/automation in this project assume a local clone and create/use working directories and staging areas within that clone.
Note: Staging areas are listed in the
.gitignorefor the repository to avoid accidental commits of generated artifacts.
The Apache distribution servers are managed by committing/removing files from project-specific directory trees in an svn repository.
You can run the script tools/checkout_svn.sh to create a local checkout of these repositories at the path expected by the rest of the scripts.
For example, run the script from within the root of your local clone of the openwhisk-release repository:
$ ./tools/checkout_svn.sh Checkout staging and release SVN to the working directory. Checked out revision 46582. A stagingArea/svn_staging/rc1 A stagingArea/svn_release/20.11 A stagingArea/svn_release/20.11/openwhisk-package-alarms-2.2.0-sources.tar.gz A stagingArea/svn_release/openwhisk-runtime-php-1.16.0-sources.tar.gz A stagingArea/svn_release/openwhisk-runtime-php-1.16.0-sources.tar.gz.asc ...
All release artifacts are accompanied by cryptographic signatures according to Apache release policy.
The ASF requires you to use a PGP key pair that:
RSA algorithm,username@apache.org email address as one of its associated identifiers,does not expire and4096 bits.See https://www.apache.org/dev/release-signing.html for a full explanation and list of technical requirements.
The following command will prompt you for to supply all the values needed by the ASF and override defaults:
$ gpg --full-gen-key
Note: You do not need to supply a
commentas part of the signature.
The KEYS file is a plain-text file containing the public key signatures of the release managers (and optionally other committers) for the project.
Each signature in the KEYS file is comprised of the key's signature followed by the ASCII-armored, exported copy of it.
Only a PMC member can commit changes to the KEYS file
Once you have your PGP key pair, append your public key to our KEYS file in your local svn clone and commit the change.
The KEYS file is append only. Once a key has been used to sign a release it cannot be removed from the KEYS file.
The commands to export your key and append it (depending on your PGP client) can be found at the very top of the KEYS file itself, and are also replicated below:
Steps for PMC member to amend KEYS file
# checkout svn repo if necessary ./tools/checkout_svn.sh # amend KEYS file./stagingArea/svn_release/KEYS cd ./stagingArea/svn_release vi KEYS # or whatever editor you prefer # sanity check your changes svn diff # commit svn commit KEYS
Apache recommends GNU Privacy Guard (GnuPG), an open-source, OpenPGP compatible implementation.
You can show your key's signature with this command:
$ gpg --list-sigs <your name>
where <your name> is the one entered when generating the key.
In order to submit your public key to a public key server, you first have to produce an ASCII-armored copy of it:
$ gpg --armor --export <your name>
Append both your key's signature and ASCII-armored public key to the KEYS file:
(gpg --list-sigs <your name> && gpg --armor --export <your name>) >> KEYS
In recent releases of GnuPG, the
gpgandgpg2commands utilize the same code and should be viewed as equivalent in any legacy instructions.
You can show your key's fingerprint (i.e., signature) with this command:
$ pgpk -ll
In order to submit your public key to a public key server, you first have to produce an ASCII-armored copy of it:
pgpk -xa smith
Append both your key's fingerprint and ASCII-armored public key to the KEYS file:
(pgpk -ll <your name> && pgpk -xa <your name>) >> KEYS
pgp -kxa <your name> # and append it to KEYS file manually