[Release] Use release/KEYS not dev/KEYS in verification #47084

@kou

Describe the enhancement requested

Our verification script uses https://dist.apache.org/repos/dist/dev/arrow/KEYS, not https://dist.apache.org/repos/dist/release/arrow/KEYS:

    ARROW_DIST_URL='https://dist.apache.org/repos/dist/dev/arrow'
    download_dist_file() {
      curl \
        --silent \
        --show-error \
        --fail \
        --location \
        --remote-name $ARROW_DIST_URL/$1
    }
    download_rc_file() {
      download_dist_file apache-arrow-${VERSION}-rc${RC_NUMBER}/$1
    }
    import_gpg_keys() {
      if [ "${GPGKEYS_ALREADY_IMPORTED:-0}" -gt 0 ]; then
        return 0
      fi
      download_dist_file KEYS

There is not a big problem here because we synchronized them. (They have the same content.)

But we should use the release/ version:

  • Users use the release/ version, not the dev/ version, when they verify our artifacts' signatures
  • https://dist.apache.org/ may reject our requests when we make many requests from CI

So https://www.apache.org/dyn/closer.lua?action=download&filename=arrow/KEYS is better than https://dist.apache.org/repos/dist/dev/arrow/KEYS .

Component(s)

Release
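
One way the key import could look with KEYS fetched from the release location proposed above (an added example, not the Arrow project's script). `ARROW_KEYS_URL`, `download_to` and `download_keys` are hypothetical names, and the `gpg --import KEYS` step is assumed because the quoted excerpt ends before it.

```shell
#!/usr/bin/env bash
# Added example, not the Apache Arrow verification script.
# RC artifacts still come from dev/ as in the quoted excerpt; only KEYS moves
# to the release location named in the issue.
ARROW_DIST_URL='https://dist.apache.org/repos/dist/dev/arrow'
# Hypothetical variable name; the URL is the one proposed in the issue.
ARROW_KEYS_URL='https://www.apache.org/dyn/closer.lua?action=download&filename=arrow/KEYS'

# Download URL ($1) to path ($2). --fail turns HTTP errors into a non-zero
# exit status instead of saving the error page as the output file.
download_to() {
  curl --silent --show-error --fail --location --output "$2" "$1"
}

# Fetch KEYS to a temporary name and only move it into place when it looks
# like a keyring, so an HTML error page never reaches gpg --import.
download_keys() {
  out="${1:-KEYS}"
  download_to "$ARROW_KEYS_URL" "$out.tmp" || return 1
  if ! grep -q -e '-----BEGIN PGP PUBLIC KEY BLOCK-----' "$out.tmp"; then
    echo "KEYS from $ARROW_KEYS_URL has no PGP public key block" >&2
    rm -f "$out.tmp"
    return 1
  fi
  mv "$out.tmp" "$out"
}

import_gpg_keys() {
  if [ "${GPGKEYS_ALREADY_IMPORTED:-0}" -gt 0 ]; then
    return 0
  fi
  download_keys KEYS || return 1
  # Assumed step: the excerpt in the issue is cut off before the import.
  gpg --import KEYS || return 1
  GPGKEYS_ALREADY_IMPORTED=1
}
```

The `GPGKEYS_ALREADY_IMPORTED` guard from the excerpt is kept, so repeated calls in one CI job make a single KEYS request.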
