ant-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Adam Hardy <>
Subject pgp signature
Date Wed, 11 Feb 2004 16:56:53 GMT
This is basically a newbie question about verify the downloads from 
Apache. I just checked the archives for 'ultimately trusted' and 'verify 
signature' but didn't find anything.

I just did this for the first time (I'm the proud new owner of a 
webserver so I've stepped my security awareness up a bit).

I got the following output:

[adam@gondor junk]$ gpg --verify apache-ant-1.6.0-bin.tar.bz2.asc
gpg: WARNING: using insecure memory!
gpg: please see for more information
gpg: Signature made Thu 18 Dec 2003 09:26:52 PM CET using DSA key ID 
gpg: Good signature from "Antoine Levy-Lambert (Apache Ant Committer) 
gpg:                 aka "Antoine Levy-Lambert (Apache Ant Committer) 
gpg: checking the trustdb
gpg: no ultimately trusted keys found
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the 
Primary key fingerprint: 06A2 28AA B83A 18A8 DF7B  84B0 8614 D6AB 265B 4C63

Does this mean that it failed? I got it from the German mirror.  Or is 
the trustdb something I should update on my system? Obviously I 
recognise Antoine's name :)

I am also not sure about this mechanism - does gpg know to check the 
downloaded file because it has the same name as the *.asc file?

ant 1.6.0 + java 1.4.2 on Linux 2.4.20 Debian

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message