This is a proof-of-concept platform undergoing development and testing. No official releases are currently distributed through this website!

Management of Signing Key lists for projects

Introduction

Each ASF project (PMCs and PPMCs) operates with a published list of PGP keys it has used to sign release artifacts.

Any key used to sign an artifact meant for release as an official ASF release MUST be present in the project's signing key list before the project promotes the artifact as an official release. If the key is not present, the platform will not allow the artifact(s) to be promoted.

These lists are upsert-only, meaning you can only add keys or update existing ones. By design, once a key is present in a key list, you can update it (e.g. adding a new UID or expiry to the key), but you cannot remove it. If your project needs to remove a key for whatever reason, contact the Infrastructure team at private@infra.apache.org with your request.

The key lists (and general release management settings) are stored externally in the infrastructure-artifacts-configuration repository, along with their revision history.

Important notice about legacy KEYS files

The original (legacy) KEYS files that were in place before the switch to ADP have been preserved as KEYS.legacy in each project's root release directory. We have not imported legacy keys: release managers must re-upload their public keys if they wish to release new artifacts using a legacy key.

Key management for release managers

Adding a key to your project

To add a signing key to a project's key list, navigate to artifacts.apache.org/keys.html and select the project you wish to add a key to. Paste your ASCII-armored public key into the key input textarea, and click the "Validate key block" button to begin the process of vetting the key. If validation is successful, submit your key to the signing key list by clicking the "Submit to key list" button.

The system adds your key to your project's signing key list. Note that any meta-data or comments you may have in your original PGP block will be removed and replaced with a standardized meta-data block defined by the platform, in order to harmonize key information across the Foundation.

Updating an existing key

To update an existing key, perform the same steps as when adding a key, and your updated key data will be woven into the existing key list, along with a note about the specific changes, such as UIDs added or removed by this update.

Removing an existing key

Only the Infrastructure team can remove keys from the signing key list. To have a key removed, contact the team at private@infra.apache.org.

Notification on key management actions

Any action you perform on the signing key list of a project generates a notification to the project's private@ list about the signing key list update, including a summary of the changes.

Key retrieval/viewing options

Keys can be retrieved from the artifact distribution mirrors in each project's root directory, as well as on a per-release basis in the specific artifact release directory. The root directory holds a complete and current list of the signing keys, and each artifact has an individual .keys file containing the key used to sign that specific artifact, as it appeared in the public list when the artifact was promoted to an official release.
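The two checks described above (a key must already be in the project's list before an artifact is promoted, and the per-project list is a plain-text file of ASCII-armored public key blocks) can be reproduced by a consumer who wants to verify, offline, that the key reported by `gpg --verify` is one the project actually published. The following is an added example, not code from the platform or from ASF Infrastructure: it de-armors each block in a KEYS-style file, walks the OpenPGP packets, computes the v4 fingerprint of each primary key (SHA-1 over 0x99, a two-octet length and the Public-Key packet body, per RFC 4880 section 12.2), and gates promotion on membership. The sample key and KEYS file are constructed inline with toy RSA parameters (not a usable key), and the exact layout of the platform's standardized metadata block is not assumed; only the armored blocks are parsed.

```python
import base64
import hashlib
import re

BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
END = "-----END PGP PUBLIC KEY BLOCK-----"


def dearmor(block: str) -> bytes:
    """Strip ASCII armor (RFC 4880 section 6) and return the raw packet bytes."""
    lines = [l.strip() for l in block.strip().splitlines()]
    if lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not a public key block")
    body = lines[1:-1]
    # Armor headers (Version:, Comment:, ...) end at the first blank line.
    if "" in body:
        body = body[body.index("") + 1:]
    # The trailing "=XXXX" line is the CRC24 checksum, not key data.
    return base64.b64decode("".join(l for l in body if not l.startswith("=")))


def packets(data: bytes):
    """Yield (tag, body) for each OpenPGP packet (RFC 4880 section 4.2 headers)."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("invalid packet header")
        if ctb & 0x40:  # new-format header
            tag, l1 = ctb & 0x3F, data[pos + 1]
            if l1 < 192:
                length, hdr = l1, 2
            elif l1 < 224:
                length, hdr = ((l1 - 192) << 8) + data[pos + 2] + 192, 3
            elif l1 == 255:
                length, hdr = int.from_bytes(data[pos + 2:pos + 6], "big"), 6
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            n = (1, 2, 4)[ltype]
            length, hdr = int.from_bytes(data[pos + 1:pos + 1 + n], "big"), 1 + n
        yield tag, data[pos + hdr:pos + hdr + length]
        pos += hdr + length


def fingerprint(armored: str) -> str:
    """40-hex-digit v4 fingerprint of the primary key (tag 6) in an armored block."""
    for tag, body in packets(dearmor(armored)):
        if tag == 6:  # Public-Key packet; subkeys (tag 14) are deliberately ignored
            if body[0] != 4:
                raise ValueError(f"unsupported key version {body[0]}")
            h = hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body)
            return h.hexdigest().upper()
    raise ValueError("no public key packet found")


def key_list_fingerprints(keys_file: str) -> set:
    """Fingerprints of every primary key in a plain-text KEYS file."""
    blocks = re.findall(re.escape(BEGIN) + r".*?" + re.escape(END), keys_file, re.S)
    return {fingerprint(b) for b in blocks}


def may_promote(signer_fpr: str, keys_file: str) -> bool:
    """Gate from the page: the signing key must already be in the project's list."""
    return signer_fpr.replace(" ", "").upper() in key_list_fingerprints(keys_file)


# --- constructed sample data (assumptions, not anything published by a project) ---

def _mpi(value: int) -> bytes:
    return value.bit_length().to_bytes(2, "big") + value.to_bytes((value.bit_length() + 7) // 8, "big")


def _packet(tag: int, body: bytes) -> bytes:
    return bytes([0xC0 | tag, len(body)]) + body  # new-format header, one-octet length


def _crc24(data: bytes) -> int:
    crc = 0xB704CE
    for b in data:
        crc ^= b << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def _armor(raw: bytes) -> str:
    b64 = base64.b64encode(raw).decode()
    crc = base64.b64encode(_crc24(raw).to_bytes(3, "big")).decode()
    return "\n".join([BEGIN, "", *[b64[i:i + 64] for i in range(0, len(b64), 64)], "=" + crc, END])


# A v4 RSA Public-Key packet with toy MPIs, followed by a User ID packet.
SAMPLE_KEY = _armor(
    _packet(6, b"\x04" + (1700000000).to_bytes(4, "big") + b"\x01" + _mpi(0xC0FFEE) + _mpi(65537))
    + _packet(13, b"Release Manager <rm@example.invalid>")
)
SAMPLE_KEYS_FILE = "Constructed signing key list with a single entry.\n\n" + SAMPLE_KEY + "\n"

if __name__ == "__main__":
    fpr = fingerprint(SAMPLE_KEY)
    print(fpr, may_promote(fpr, SAMPLE_KEYS_FILE), may_promote("0" * 40, SAMPLE_KEYS_FILE))
```

In practice the `signer_fpr` argument is the fingerprint `gpg --verify artifact.asc artifact` reports for the signing key, and `keys_file` is the project's root key list or the artifact's own `.keys` file fetched from a mirror; a mismatch means the artifact was signed by a key the project never published, which is exactly the condition the platform refuses to promote.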

You can retrieve the complete list in either plain-text format or as a JSON representation of the meta-data associated with the keys. The URLs for these files follow the format https://artifacts.apache.org/keys/$project.$ext, for instance: