Skip to content

docs(release): prefer keys.openpgp.org over keyserver.ubuntu.com#2984

Merged
bjagg merged 3 commits into
uPortal-Project:masterfrom
bjagg:docs/release-keyserver-update
May 13, 2026
Merged

docs(release): prefer keys.openpgp.org over keyserver.ubuntu.com#2984
bjagg merged 3 commits into
uPortal-Project:masterfrom
bjagg:docs/release-keyserver-update

Conversation

@bjagg

@bjagg bjagg commented May 13, 2026

Copy link
Copy Markdown
Member

Summary

  • Bring the keyserver step in docs/developer/other/RELEASE.md in line with the Maven portlet release guide, which the 2026 portlet release cycle confirmed as the working sequence
  • Replace the single `keyserver.ubuntu.com` line with `keys.openpgp.org`-first instructions, the email-confirmation caveat, the optional Ubuntu redundancy, the SKS pool deprecation note, and a per-session verification curl

Why

The Central Publisher Portal queries `keys.openpgp.org` first when validating signatures. A key that's only on `keyserver.ubuntu.com` fails signature validation non-deterministically — sometimes the first release in a session works because of caching, then a subsequent one in the same session fails. The Maven ecosystem release guide had already been corrected during the 2026 portlet release cycle; this PR closes the drift between the two guides so operators only set up their key once and have it work for both Gradle and Maven publishing.

Test plan

  • Render `docs/developer/other/RELEASE.md` on GitHub and confirm the new `keys.openpgp.org` instructions, curl verification snippet, and cross-link to the Maven guide all display correctly
  • Visually compare against the equivalent section in `uportal-project.github.io/manuals/en/uportal5-manual/developer/maven-release-process.md` to confirm the two guides now use the same language

bjagg added 3 commits May 13, 2026 12:30
@bjagg
[Gradle Release Plugin] - pre tag commit: 'v5.17.7'.
bc7478b
@bjagg
[Gradle Release Plugin] - new version commit: 'v5.17.8-SNAPSHOT'.
779040f
@bjagg
docs(release): prefer keys.openpgp.org over keyserver.ubuntu.com
4b9551b 
Problem: the prerequisites step instructed publishing the signing key
only to keyserver.ubuntu.com. The Central Publisher Portal queries
keys.openpgp.org first; a key on Ubuntu alone can fail signature
validation non-deterministically. The Maven ecosystem release guide
already corrected this during the 2026 portlet release cycle but the
uPortal Gradle guide had drifted out of sync.

Goal: bring the uPortal release guide's keyserver instructions in line
with the Maven ecosystem guide so operators set up their key once and
have it work for both Gradle and Maven publishing.

Changes:
- replace the single keyserver.ubuntu.com line in prerequisite #4 with
  the keys.openpgp.org-first instructions used by the Maven guide,
  including the email-confirmation caveat for identity packets, the
  optional ubuntu redundancy, the sks-keyservers note, and a per-session
  curl verification snippet
@bjagg bjagg merged commit 1baf453 into uPortal-Project:master May 13, 2026
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@bjagg