ant-user mailing list archives

From Adam Hardy <adam....@cyberspaceroad.com>
Subject pgp signature
Date Wed, 11 Feb 2004 16:56:53 GMT
This is basically a newbie question about verifying the downloads from 
Apache. I just checked the archives for 'ultimately trusted' and 'verify 
signature' but didn't find anything.

I just did this for the first time (I'm the proud new owner of a 
webserver so I've stepped my security awareness up a bit).

I got the following output:

[adam@gondor junk]$ gpg --verify apache-ant-1.6.0-bin.tar.bz2.asc
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: Signature made Thu 18 Dec 2003 09:26:52 PM CET using DSA key ID 265B4C63
gpg: Good signature from "Antoine Levy-Lambert (Apache Ant Committer) <antoine@apache.org>"
gpg:                 aka "Antoine Levy-Lambert (Apache Ant Committer) <antoine@antbuild.com>"
gpg: checking the trustdb
gpg: no ultimately trusted keys found
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 06A2 28AA B83A 18A8 DF7B  84B0 8614 D6AB 265B 4C63


Does this mean that it failed? I got it from the German mirror.  Or is 
the trustdb something I should update on my system? Obviously I 
recognise Antoine's name :)

I am also not sure about this mechanism - does gpg know to check the 
downloaded file because it has the same name as the *.asc file?

Adam
-- 
ant 1.6.0 + java 1.4.2 on Linux 2.4.20 Debian
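
An added example, not part of the original message or of Apache's tooling: a shell sketch that separates the outcomes gpg can report for a detached signature (bad signature, good signature from an uncertified key, good signature from a trusted key) by reading its machine-readable `--status-fd` lines and pinning the key fingerprint. With only the `.asc` file on the command line, gpg assumes the signed data is the file of the same name without that extension; the wrapper below names both files explicitly. The function names and the sample status lines are constructed for illustration, and the expected fingerprint is assumed to come from a source you trust independently of the download mirror (the value used here is copied from the output in the post only so that the sample is consistent).

```shell
#!/bin/sh
# Added example: interpret `gpg --status-fd` output for a detached signature.

# Strip spaces from a fingerprint and upper-case its hex digits.
norm_fpr() { printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'; }

# Reads status lines on stdin; $1 is the fingerprint you obtained out of band.
# Prints BAD, WRONG_KEY, GOOD_TRUSTED, GOOD_UNTRUSTED, NO_KEY or UNKNOWN.
classify_status() {
    awk -v want="$(norm_fpr "$1")" '
        $1 != "[GNUPG:]"  { next }
        $2 == "BADSIG"    { bad = 1 }       # data does not match the signature
        $2 == "NO_PUBKEY" { nokey = 1 }     # signer key is not in the keyring
        $2 == "VALIDSIG"  {                 # signature is cryptographically good
            valid = 1
            # $3 is the signing key, the last field the primary key;
            # appending "" forces a string comparison.
            if (($3 "") == (want "") || ($NF "") == (want "")) pinned = 1
        }
        $2 ~ /^TRUST_(FULLY|ULTIMATE)$/ { trusted = 1 }
        END {
            if (bad)                    print "BAD"
            else if (valid && !pinned)  print "WRONG_KEY"
            else if (valid && trusted)  print "GOOD_TRUSTED"
            else if (valid)             print "GOOD_UNTRUSTED"
            else if (nokey)             print "NO_KEY"
            else                        print "UNKNOWN"
        }'
}

# Verify data file $2 against detached signature $1, naming both files
# explicitly; $3 is the expected fingerprint.
verify_download() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | classify_status "$3"
}

# Constructed status lines for the case in the post: good signature,
# key present but not certified by any key the local trustdb trusts.
sample_status() {
    cat <<'EOF'
[GNUPG:] GOODSIG 8614D6AB265B4C63 Antoine Levy-Lambert (Apache Ant Committer) <antoine@apache.org>
[GNUPG:] VALIDSIG 06A228AAB83A18A8DF7B84B08614D6AB265B4C63 2003-12-18 1071779212 0 3 0 17 2 00 06A228AAB83A18A8DF7B84B08614D6AB265B4C63
[GNUPG:] TRUST_UNDEFINED
EOF
}

sample_status | classify_status "06A2 28AA B83A 18A8 DF7B  84B0 8614 D6AB 265B 4C63"
```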

