ant-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Adam Hardy <>
Subject Re: pgp signature
Date Wed, 11 Feb 2004 20:12:04 GMT
'Ultimately'? That's extreme, isn't it? Surely there are levels of
trust? In this case, at the level of trust sufficient to be sure that
the downloaded ant tarball really is from Antoine Levy-Lambert.

Or should I just be using one of the other options to verify that the 
tarball hasn't changed since it was installed at apache?

On 02/11/2004 06:47 PM Anderson, Rob (Global Trade) wrote:
> The trust is assigned by you. If you want to assign trust to a
> person's key, you should know that person and verify the fingerprint
> of the key with them personally (either face to face, or over the
> phone). GPG allows you to build a "Web of Trust", so that if you
> trust me ultimately, and I trust "Antoine Levy-Lambert" ultimately,
> then you trust "Antoine Levy-Lambert". Since you have not built this
> "Web of Trust" GPG is complaining that even though the signature is
> verified agianst the file, the key used the verify the signature has
> not been assigned trust, and therefore, the key could be forged since
> you have not verified the fingerprint with "Antoine Levy-Lambert".
> And if the key is forged, then the signature is meaningless, right.
> I hope I have not confused you :)
> -Rob Anderson
>> -----Original Message----- From: Adam Hardy
>> [] Sent: Wednesday, February 11,
>> 2004 8:57 AM To: Subject: pgp signature
>> This is basically a newbie question about verify the downloads from
>>  Apache. I just checked the archives for 'ultimately trusted' and
>> 'verify signature' but didn't find anything.
>> I just did this for the first time (I'm the proud new owner of a 
>> webserver so I've stepped my security awareness up a bit).
>> I got the following output:
>> [adam@gondor junk]$ gpg --verify apache-ant-1.6.0-bin.tar.bz2.asc 
>> gpg: WARNING: using insecure memory! gpg: please see
>> for more information gpg: Signature
>> made Thu 18 Dec 2003 09:26:52 PM CET using DSA key ID 265B4C63 gpg:
>> Good signature from "Antoine Levy-Lambert (Apache Ant Committer) 
>> <>" gpg:                 aka "Antoine
>> Levy-Lambert (Apache Ant Committer) <>" gpg:
>> checking the trustdb gpg: no ultimately trusted keys found gpg:
>> WARNING: This key is not certified with a trusted signature! gpg:
>> There is no indication that the signature belongs to the owner. 
>> Primary key fingerprint: 06A2 28AA B83A 18A8 DF7B  84B0 8614 D6AB
>> 265B 4C63
>> Does this mean that it failed? I got it from the German mirror.  Or
>> is the trustdb something I should update on my system? Obviously I
>>  recognise Antoine's name :)
>> I am also not sure about this mechanism - does gpg know to check
>> the downloaded file because it has the same name as the *.asc file?
>> Adam -- ant 1.6.0 + java 1.4.2 on Linux 2.4.20 Debian
>> ---------------------------------------------------------------------
>>  To unsubscribe, e-mail: For
>> additional commands, e-mail:
> ---------------------------------------------------------------------
>  To unsubscribe, e-mail: For
> additional commands, e-mail:

ant 1.6.0 + java 1.4.2 on Linux 2.4.20 Debian

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message