brooklyn-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Richard Downer <rich...@apache.org>
Subject Re: [DISCUSS][VOTE] Release Apache Brooklyn 0.10.0 [rc1]
Date Tue, 06 Dec 2016 11:30:34 GMT
Aled,

On 6 December 2016 at 11:20, Aled Sage <aled.sage@gmail.com> wrote:

>
> *gpg: WARNING: This key is not certified with a trusted signature* Do we
> need to worry about that? Do I need to import more keys into my chain of
> trust?
> (Note that the script had previously executed `curl
> https://dist.apache.org/repos/dist/release/brooklyn/KEYS | gpg --import`).
>

GPG is simply telling you that the "trusted" bit is not set on the copy of
Svet's key *that is in your keyring*. The key has been imported (so you
don't need to import anything else) but by default GPG won't trust the key.
You can tell GPG that you do trust that key really does belong to Svet and
then the warning would go away. (Ideally you would use some "real world"
verification before telling GPG to trust the key.)

Of course, my description is a gross oversimplification of the "web of
trust" system.

So this is not a problem with the release process, artifacts or Svet's key
- merely the way your own GPG is configured.

Richard.

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message