...

The project MUST cryptographically sign releases of the project results intended for widespread use, and there MUST be a documented process explaining to users how they can obtain the public signing keys and verify the signature(s). The private key for these signature(s) MUST NOT be on site(s) used to directly distribute the software to the public.

Beijing ONAP Signing Process

All Nexus 2 Maven ONAP artifacts are signed using the following process.

  1. When the PTL determines that an artifact is ready to sign, the PTL emails the LF helpdesk with the name of the Nexus 2 Maven artifact to be signed.
  2. The LF helpdesk downloads the artifact from the staging repository, signs the artifact using the LF private key stored on a USB device, and pushes the signed artifact to the release repository.
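The user-facing half of the requirement above (obtain the public key, verify the detached signature on a released artifact) as an added example; this is not ONAP or LF code. It assumes an ephemeral key standing in for the LF release key and a constructed jar, and shows that the check fails once the artifact changes after signing.

```shell
#!/bin/sh
# Added example (not ONAP/LF code): the user-side check the badge criterion asks
# the project to document. The release-signing public key is imported into an
# isolated keyring, then a Maven artifact is checked against its detached .asc.
# Assumption: the ephemeral key generated here stands in for the LF release key;
# real users would import the key the project publishes instead.

# Verify ARTIFACT ($1) against detached ASCII-armoured signature SIG ($2) using the
# keys in the current GNUPGHOME. Exit 0 means "good signature from an imported key".
verify_artifact() {
    gpg --batch --quiet --verify "$2" "$1" >/dev/null 2>&1
}

# Build the constructed scenario: signer side, "published" key, verifier side.
demo_setup() {
    [ -n "$DEMO_DIR" ] && return 0
    DEMO_DIR=$(mktemp -d)
    SIGNER="$DEMO_DIR/signer"; VERIFIER="$DEMO_DIR/verifier"
    mkdir -m 700 "$SIGNER" "$VERIFIER"

    # Signer side (stands in for the helpdesk's offline key): generate and sign.
    GNUPGHOME="$SIGNER" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Release Signer <release@example.invalid>' \
        default default never >/dev/null 2>&1
    printf 'PK\003\004constructed-jar-bytes\n' > "$DEMO_DIR/app-1.0.jar"
    GNUPGHOME="$SIGNER" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign -o "$DEMO_DIR/app-1.0.jar.asc" "$DEMO_DIR/app-1.0.jar"
    # The documented process publishes only the public key; export it.
    GNUPGHOME="$SIGNER" gpg --batch --export release@example.invalid > "$DEMO_DIR/release-key.gpg"

    # A modified copy of the artifact: one byte changed after signing.
    printf 'PK\003\004constructed-jar-byteZ\n' > "$DEMO_DIR/app-1.0-tampered.jar"

    # Verifier side: a fresh keyring holding only the published public key.
    export GNUPGHOME="$VERIFIER"
    gpg --batch --quiet --import "$DEMO_DIR/release-key.gpg" >/dev/null 2>&1
}

demo_setup
if verify_artifact "$DEMO_DIR/app-1.0.jar" "$DEMO_DIR/app-1.0.jar.asc"; then
    echo "app-1.0.jar: good signature"
else
    echo "app-1.0.jar: BAD signature"
fi
if verify_artifact "$DEMO_DIR/app-1.0-tampered.jar" "$DEMO_DIR/app-1.0.jar.asc"; then
    echo "app-1.0-tampered.jar: good signature"
else
    echo "app-1.0-tampered.jar: BAD signature (content changed after signing)"
fi
```

For a real release the .asc sits beside the artifact in the release repository and the public key comes from the location the signing process documents, not from the same download.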

Nexus 3 Maven artifacts (Docker containers) are also produced by ONAP, but there is currently no signing process for these artifacts. The LF is working on signing Nexus 3 Maven artifacts.

OpenDaylight (ODL) Signing Process

In the OpenDaylight project, project artifacts are signed by a release engineer. The release process is described here:

...