Sign the artifacts

Each package needs to be accompanied by cryptographic signatures according to Apache release policy.

Generate the PGP key pair

You can either follow the online PGP instructions to generate a PGP key for your environment, or use our script to generate one for you. First, configure pgp_key_gen.conf under the folder tools. Make sure you set the proper Name-Real, Name-Comment, Name-Email, and Passphrase for your key. You do not need to change Key-Type, Key-Length, or Expire-Date. Then run the following script under the folder tools:

$ ./generate_pgp_key.sh

The configuration used to generate the PGP key pair needs to be associated with an identity. The following fields define that identity:

  • Name-Real: the field to specify the name of the key. The default value is OpenWhisk Release Bot.
  • Name-Comment: the field to specify the description of the key.
  • Name-Email: the field to specify the email address of the key.
  • Passphrase: the field to specify the passphrase of the key.
  • Key-Type: the field to specify the type of the key. The default value is RSA.
  • Key-Length: the field to specify the length of the key. The default value is 4096.
  • Expire-Date: the field to specify the expiration date of the key. The default value is 0, meaning the key will never expire.

Sign the artifacts

All the artifacts can be signed by running the following script under tools:

$ ./sign_artifacts.sh <SVN_USERNAME> <SVN_PASSWORD>

If your local SVN client already has your username and password configured, you can run the above script without these parameters.

For each package, this script generates a SHA512 checksum file (suffixed .sha512) and a detached PGP signature file (suffixed .asc).
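As an added example that is not part of the OpenWhisk release tooling, the following Python check is the consumer-side counterpart of sign_artifacts.sh: for every package in a release directory it recomputes the SHA512 digest against the .sha512 file and runs gpg --verify against the .asc file. It assumes the checksum file is in either sha512sum or `gpg --print-md SHA512` layout; the function names and the release directory layout are this example's own assumptions.

```python
# Added example (not OpenWhisk's own tooling): check that every release package
# has a matching .sha512 checksum and a detached .asc signature. Assumes the
# checksum file came from sha512sum or `gpg --print-md SHA512` (both accepted).
import hashlib
import re
import shutil
import subprocess
from pathlib import Path

HEX_SHA512 = re.compile(r"[0-9a-fA-F]{128}")

def sha512_of(path: Path) -> str:
    """Stream the file so a large tarball need not fit in memory."""
    h = hashlib.sha512()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def checksum_matches(artifact: Path) -> bool:
    """Recompute SHA-512 and compare with the digest in <artifact>.sha512."""
    sidecar = artifact.with_name(artifact.name + ".sha512")
    if not sidecar.is_file():
        return False
    # Strip all whitespace first: gpg --print-md groups the hex in 4-char blocks.
    text = "".join(sidecar.read_text().split())
    m = HEX_SHA512.search(text)
    return m is not None and m.group(0).lower() == sha512_of(artifact)

def signature_status(artifact: Path) -> str:
    """'ok'/'bad' from gpg --verify, 'missing' without an .asc file, 'skipped'
    when gpg is not installed (treat 'skipped' as a failure, never a pass)."""
    sig = artifact.with_name(artifact.name + ".asc")
    if not sig.is_file():
        return "missing"
    if shutil.which("gpg") is None:
        return "skipped"
    # Non-zero also when the signing key is not in the local keyring.
    rc = subprocess.run(["gpg", "--batch", "--verify", str(sig), str(artifact)],
                        capture_output=True).returncode
    return "ok" if rc == 0 else "bad"

def verify_release_dir(directory: Path) -> dict:
    """Map each package (any file that is not itself a sidecar) to
    (checksum_ok, signature_status)."""
    return {p.name: (checksum_matches(p), signature_status(p))
            for p in sorted(Path(directory).iterdir())
            if p.is_file() and p.suffix not in (".sha512", ".asc")}
```

Import the signing key (from the project's KEYS file) into the local keyring before running it, otherwise every signature reports bad.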