Skip to content

GPG Key Setup

Dianjin Wang edited this page Jul 10, 2026 · 7 revisions

Install GPG

GPG is installed in most Linux distributions by default. For macOS, you can install GPG with Homebrew:

brew install gnupg

View the GPG version info:

gpadmim@ubuntu:$ gpg --version
gpg (GnuPG) 2.4.4
libgcrypt 1.10.3
Copyright (C) 2024 g10 Code GmbH
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/gpadmin/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

Generate GPG Key

Run gpg --full-gen-key to generate a strong GPG key:

gpg (GnuPG) 2.2.20; Copyright (C) 2020 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
  (14) Existing key from card
Your selection? 1 # input 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096 # input 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0  # input 0
Key does not expire at all
Is this correct? (y/N) y # input y

GnuPG needs to construct a user ID to identify your key.

Real name: FOO FOO                # input your name
Email address: foo@apache.org     # input your Apache email
Comment:                          # input some annotations, optional
You selected this USER-ID:
    "FOO <foo@apache.org>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O  # input O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.


# Input the security key
┌──────────────────────────────────────────────────────┐
│ Please enter this passphrase                         │
│                                                      │
│ Passphrase: _______________________________          │
│                                                      │
│       <OK>                              <Cancel>     │
└──────────────────────────────────────────────────────┘

# key generation will be done after your inputting the key with the following output
gpg: key E49B00F626B marked as ultimately trusted
gpg: revocation certificate stored as '/Users/foo/.gnupg/openpgp-revocs.d/F77B887A4F25A9468C513E9AA3008E49B00F626B.rev'
public and secret key created and signed.

pub   rsa4096 2022-07-12 [SC]
      F77B887A4F25A9468C513E9AA3008E49B00F626B
uid           [ultimate] Foo <foo@apache.org>
sub   rsa4096 2022-07-12 [E]

List the key

gpg --list-keys

Expected output:

-------------------------------
pub   rsa4096 2022-07-12 [SC]
      F77B887A4F25A9468C513E9AA3008E49B00F626B
uid           [ultimate] foo <foo@apache.org>
sub   rsa4096 2022-07-12 [E]

Upload the key to key server:

gpg --keyserver keyserver.ubuntu.com --send-key <key-id> # e.g., F77B887A4F25A9468C513E9AA3008E49B00F626B

Check whether the key is created successfully

Uploading takes about one minute; after that, you can check your email at the corresponding keyserver. E.g., you can open the URL https://keyserver.ubuntu.com/ in your browser and search your email.

Add your GPG public key to the project KEYS file

Releases are managed through an SVN repository. There are two locations where releases can be committed dev and release. Prior to voting a release is staged in the dev folder (dist/dev/incubator/cloudberry) after a release is approved by the IPMC it is then moved to the release location (dist/release/incubator/cloudberry) and committed for distribution. The release folder also holds the GPG public keys that are used for signing release in a KEYS file.

  • dev folder for release candidates: https://dist.apache.org/repos/dist/dev/incubator/cloudberry
  • release folder for approved release: https://dist.apache.org/repos/dist/release/incubator/cloudberry

Please add the public key to KEYS in the release branch:

# Checkout the distribution SVN repositories
svn co https://dist.apache.org/repos/dist/release/incubator/cloudberry cloudberry-release

# Change to the ditectory
cd cloudberry-release

# Add your key to the KEYS file
(gpg --list-sigs YOURNAME@apache.org && gpg --export --armor YOURNAME@apache.org) >> KEYS

# Verify your key is in the file
cat KEYS | gpg --import-options show-only

# Commit your key
svn commit -m "add gpg key for YOURNAME"  # Maybe you are asked to enter your apache username and password

Clone this wiki locally