Preparing to be a Release Manager

Platform and Prerequisites

Currently all Release Managers have either MacOS or Linux workstations. The scripting/automation assumes one of these two platforms.

In addition to all the tools assumed to be installed for building OpenWhisk, you will also need the following packages installed:

  • Subversion (svn) - client for Apache's source code management system
  • GnuPG (gpg) or an OpenPGP-compatible equivalent - for generating and managing signing keys and sign release artifacts
  • jq (jq) - a lightweight JSON processor
  • expect - automates release scripts that expect user input

Clone this repository

You will need to fork this openwhisk-release repository and then clone your fork. Setup to use the same GitHub workflows you use for other OpenWhisk repositories to which you contribute.

The scripts/automation in this project assume a local clone and create/use working directories and staging areas within that clone.

Note: Staging areas are listed in the .gitignore for the repository to avoid accidental commits of generated artifacts.

Get a local svn checkout of our distribution directories

The Apache distribution servers are managed by committing/removing files from project-specific directory trees in an svn repository.

You can run the script tools/ to create a local checkout of these repositories at the path expected by the rest of the scripts.

For example, run the script from within the root of your local clone of the openwhisk-release repository:

$ ./tools/

Checkout staging and release SVN to the working directory.
Checked out revision 46582.
A    stagingArea/svn_staging/rc1
A    stagingArea/svn_release/20.11
A    stagingArea/svn_release/20.11/openwhisk-package-alarms-2.2.0-sources.tar.gz
A    stagingArea/svn_release/openwhisk-runtime-php-1.16.0-sources.tar.gz
A    stagingArea/svn_release/openwhisk-runtime-php-1.16.0-sources.tar.gz.asc

Signing Keys

All release artifacts are accompanied by cryptographic signatures according to Apache release policy.

The ASF requires you to use a PGP key pair that:

  • uses the RSA algorithm,
  • has your email address as one of its associated identifiers,
  • does not expire and
  • has the recommended key length of 4096 bits.

See for a full explanation and list of technical requirements.

Create a PGP key pair

GPG Example

The following command will prompt you for to supply all the values needed by the ASF and override defaults:

$ gpg --full-gen-key

Note: You do not need to supply a comment as part of the signature.

Publish your public key to the project KEYS file

The KEYS file is a plain-text file containing the public key signatures of the release managers (and optionally other committers) for the project.

Each signature in the KEYS file is comprised of the key's signature followed by the ASCII-armored, exported copy of it.

Only a PMC member can commit changes to the KEYS file

Once you have your PGP key pair, append your public key to our KEYS file in your local svn clone and commit the change.

The KEYS file is append only. Once a key has been used to sign a release it cannot be removed from the KEYS file.

The commands to export your key and append it (depending on your PGP client) can be found at the very top of the KEYS file itself, and are also replicated below:

Steps for PMC member to amend KEYS file

# checkout svn repo if necessary

# amend KEYS file./stagingArea/svn_release/KEYS
cd ./stagingArea/svn_release
vi KEYS # or whatever editor you prefer

# sanity check your changes
svn diff

# commit
svn commit KEYS

GPG Example (recommended)

Apache recommends GNU Privacy Guard (GnuPG), an open-source, OpenPGP compatible implementation.

You can show your key's signature with this command:

$ gpg --list-sigs <your name>

where <your name> is the one entered when generating the key.

In order to submit your public key to a public key server, you first have to produce an ASCII-armored copy of it:

$ gpg --armor --export <your name>

Append both your key's signature and ASCII-armored public key to the KEYS file:

(gpg --list-sigs <your name> && gpg --armor --export <your name>) >> KEYS

In recent releases of GnuPG, the gpg and gpg2 commands utilize the same code and should be viewed as equivalent in any legacy instructions.

PGPK Example

You can show your key's fingerprint (i.e., signature) with this command:

$ pgpk -ll

In order to submit your public key to a public key server, you first have to produce an ASCII-armored copy of it:

pgpk -xa smith

Append both your key's fingerprint and ASCII-armored public key to the KEYS file:

(pgpk -ll <your name> && pgpk -xa <your name>) >> KEYS

PGP Example

pgp -kxa <your name> # and append it to KEYS file manually