Introduction

Before a release, you need to publish your public GPG keys in several places used by different tools for verifying release signatures.

All of your historical public keys should remain available for verifying historical releases, so please don't remove any key that has ever been used.

All new RSA keys generated should be at least 4096 bits. Do not generate new DSA keys.
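
One way to check a newly generated key against the two rules above before publishing it. This is an added example, not part of the ASF or Maven instructions. It reads the machine-readable listing that `gpg --with-colons` produces; the sample listings and key IDs are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: policy check over `gpg --with-colons` key listings.
# Fields used (GnuPG doc/DETAILS): 1=record type, 3=key length,
# 4=public-key algorithm id (1=RSA, 17=DSA), 5=key ID.

# Reads a colon listing on stdin; prints one line per violation and
# returns 1 if any primary key or subkey breaks the policy.
check_key_policy() {
    awk -F: '
        $1 == "pub" || $1 == "sub" {
            if ($4 == 17) {
                printf "FAIL %s %s: DSA key\n", $1, $5; bad = 1
            } else if ($4 == 1 && $3 + 0 < 4096) {
                printf "FAIL %s %s: RSA %d bits, need >= 4096\n", $1, $5, $3; bad = 1
            }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample listings (key IDs are made up, not real keys).
sample_good() {
    cat <<'EOF'
pub:-:4096:1:AAAAAAAAAAAAAAAA:1700000000:::-:::scESC::::::23::0:
uid:-::::1700000000::0000::Constructed Committer <committer@example.invalid>::::::::::0:
sub:-:4096:1:BBBBBBBBBBBBBBBB:1700000000::::::e::::::23:
EOF
}

sample_bad() {
    cat <<'EOF'
pub:-:2048:1:CCCCCCCCCCCCCCCC:1700000000:::-:::scESC::::::23::0:
sub:-:1024:17:DDDDDDDDDDDDDDDD:1700000000::::::s::::::23:
EOF
}

# Demo on the constructed samples.
sample_good | check_key_policy && echo "sample_good: OK"
sample_bad | check_key_policy || echo "sample_bad: rejected"

# Real use, with KEYID set to your new key's ID:
#   gpg --list-keys --with-colons "$KEYID" | check_key_policy
```

The rules apply to newly generated keys, so run the check on your new key only; older keys in a KEYS file are kept for verifying historical releases.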

Maven Project Keys

Public Keys used for signing Maven core, plugins and shared components are available for users at:
https://downloads.apache.org/maven/KEYS

You need to edit the file in SVN, following the instructions it provides, at:
https://svn.apache.org/repos/asf/maven/project/KEYS

General ASF instructions

Distributing Your Public Keys

Your public keys MUST be available on a public key server; you can use one or even all of the currently common key servers.

Committer public key files

You should also add your public keys to the ASF committer public key files.

Please follow the instructions at: https://people.apache.org/keys

Generate a new key

Please follow the ASF infrastructure instructions: