ASF committers can add key fingerprints to their LDAP record using the SelfServe or Whimsy web application.
Only the fingerprints are stored in the LDAP record.
The corresponding keys must be uploaded to a public key server.

Committer public key files

The files in the Committer keys directory are autogenerated once a day from LDAP records and grouped by ASF id.
(The public keys are downloaded from a public key server using the fingerprints from LDAP)
Note that LDAP currently contains some entries which are the short key id (8 hex chars) rather than the full fingerprint (40 chars).
These key id entries are ignored because they are not guaranteed unique; and it has been shown that they can be spoofed.
If your key does not appear in your .asc file, check that the whole fingerprint is present.
Also check that there are no leading or trailing spaces (embedded spaces are OK) because LDAP encodes these (and some other apps may not be able to decode them)

Project public key files

Project group files are no longer created. They are not suitable for use as KEYS files for authenticating releases
This is because:

• The KEYS files must be stored in the ASF mirror directories. This ensures that they are archived along with the releases to which they apply.
• The KEYS file are needed to check signatures of archived releases. Thus keys should only ever be added to the KEYS file, and never normally removed. Now the LDAP group for a project will change over time, and a committer who signed one or more releases may no longer be in the group. Also if a project moves to the Attic, its LDAP group will be removed.

Individual committer key details can be copied from the committer or group files into the project KEYS file.
To keep the KEYS file manageable, it's recommended to only add the keys of committers who have signed releases.