Introduction
Before a release, you need to publish your public GPG keys in the several places that different tools use for verifying release signatures.
All of your historical public keys should remain available for verifying historical releases, so please don't remove any key that has ever been used.
All new RSA keys generated should be at least 4096 bits. Do not generate new DSA keys.
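The key-strength rule above can be checked mechanically before a key is published. The following is an added example, not part of the Maven or ASF instructions: the function name `check_key_policy` and the sample records are constructed for illustration, and the field positions assume GnuPG's `--with-colons` listing format.

```shell
#!/bin/sh
# Added example (not from the Maven or ASF docs): audit key records in
# `gpg --with-colons` format against the policy stated above.
# Real use:  gpg --with-colons --list-keys "$KEYID" | check_key_policy

# Reads colon-format records on stdin. For pub/sub records:
#   field 3 = key length in bits, field 4 = algorithm id, field 5 = key id
# Algorithm ids (RFC 4880): 1-3 = RSA variants, 17 = DSA.
check_key_policy() {
    awk -F: '
        $1 == "pub" || $1 == "sub" {
            if ($4 == 17) {
                printf "FAIL %s %s DSA key\n", $1, $5; bad++
            } else if ($4 >= 1 && $4 <= 3 && $3 < 4096) {
                printf "FAIL %s %s RSA %d bits (below 4096)\n", $1, $5, $3; bad++
            } else {
                printf "OK   %s %s algo=%d bits=%d\n", $1, $5, $4, $3
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample records (shortened; key ids are placeholders).
sample_keys() {
    cat <<'EOF'
pub:u:4096:1:1111111111111111:1700000000:::u:::scESC:
sub:u:4096:1:1111111111111112:1700000000::::::e:
pub:u:2048:1:2222222222222222:1500000000:::u:::scESC:
pub:u:3072:17:3333333333333333:1400000000:::u:::scSC:
pub:u:255:22:4444444444444444:1700000000:::u:::scSC:
EOF
}

# Demo on the constructed records: two of the five fail the policy.
sample_keys | check_key_policy || echo "policy violations found"
```

The rule applies to newly generated keys, so run the check against the new key only; historical keys that must stay published may legitimately be reported as failing.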
Maven Project Keys
The public keys used for signing Maven core, plugins and shared components are available to users at:
https://downloads.apache.org/maven/KEYS
You need to edit the file in SVN, following the instructions provided, at:
https://svn.apache.org/repos/asf/maven/project/KEYS
General ASF instructions
Distributing Your Public Keys
Your public keys MUST be available on a public key server; you can use one or even all of the commonly used key servers.
Committer public key files
You should also add your public keys to the ASF committer public key files.
Please follow instructions at: https://people.apache.org/keys
Generate a new key
Please follow the ASF infrastructure instructions: