commons-dev mailing list archives

From robert burrell donkin <robertburrelldon...@blueyonder.co.uk>
Subject Re: [general] signing releases.
Date Wed, 14 Jul 2004 21:34:45 GMT
each person decides which keys they trust. when you encounter a 
signature from a key that isn't within your key of trust, there's a 
warning. the main purpose is to prevent confusion between a trusted key 
(that you've already marked thus) and a signature from another 
untrusted key with similar details. it is very easy to decide to 
trust another key. if you do so before you verify the signature, you'll 
get the ok message instead.

what i do is have a code signing user with a code signing key who does 
the signing. i make sure that i have very high verification standards 
(face-to-face) for that key ring (since when the key is uploaded to the 
ASF server, the trust web goes as well). for verification, i use a user 
whose key ring has a load of apache code signing keys on (including my 
own) which i've marked as trusted. so, when i verify the signature, i 
get a pleasant message.

- robert
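Robert's verification workflow above, as an added example (not code from the thread, from the ASF or from any Commons project): a POSIX shell script that reproduces the untrusted-key result with two throwaway GnuPG keyrings, then certifies the signer's key only after a fingerprint check so the same signature verifies cleanly. It assumes GnuPG 2.x is installed; the identities, file names and file contents are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): two throwaway keyrings model what
# robert describes. The verifier imports a code-signing key, gets the
# "not trusted" result, checks the fingerprint out of band, certifies the
# key locally, and the same signature then verifies cleanly. Assumes GnuPG 2.x;
# identities, file names and contents are constructed.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
SIGNER_HOME="$WORK/signer"; VERIFIER_HOME="$WORK/verifier"
mkdir -m 700 "$SIGNER_HOME" "$VERIFIER_HOME"

# Run gpg non-interactively against one keyring directory.
g() { _h=$1; shift; GNUPGHOME="$_h" gpg --batch --quiet --no-tty "$@"; }
# Passphrase-less key: acceptable only for a throwaway demo keyring.
newkey() { g "$1" --pinentry-mode loopback --passphrase '' \
             --quick-generate-key "$2" default default never; }
# Primary-key fingerprint from the machine-readable colon listing.
fpr() { g "$1" --with-colons --list-keys "$2" | awk -F: '$1=="fpr"{print $10; exit}'; }
# TRUST_* status token for a detached signature: the machine-readable form of
# "WARNING: This key is not certified". Empty when the signature itself is bad.
trust_level() { g "$1" --status-fd 1 --verify "$2" "$3" 2>/dev/null \
                  | awk '$1=="[GNUPG:]" && $2 ~ /^TRUST_/ {print $2; exit}'; }

SIGNER="Commons Code Signing (constructed) <codesign@example.invalid>"
newkey "$SIGNER_HOME" "$SIGNER"
newkey "$VERIFIER_HOME" "Release Verifier (constructed) <verify@example.invalid>"

# Signer publishes the artifact, a detached signature and the public key.
ART="$WORK/release.tar.gz"; printf 'constructed release artifact\n' > "$ART"
g "$SIGNER_HOME" --local-user "$SIGNER" --armor --detach-sign --output "$ART.asc" "$ART"
g "$SIGNER_HOME" --armor --export "$SIGNER" > "$WORK/KEYS"

# Verifier imports the key: the signature is good, but the key is not trusted yet.
g "$VERIFIER_HOME" --import "$WORK/KEYS"
BEFORE=$(trust_level "$VERIFIER_HOME" "$ART.asc" "$ART")     # TRUST_UNDEFINED

# Check the fingerprint against a value obtained out of band (here read from the
# signer's own keyring; in practice a published fingerprint page or a face-to-face
# check), and only then certify the key with a local signature.
[ "$(fpr "$VERIFIER_HOME" "$SIGNER")" = "$(fpr "$SIGNER_HOME" "$SIGNER")" ] \
  || { echo "fingerprint mismatch: refusing to certify" >&2; exit 1; }
g "$VERIFIER_HOME" --quick-lsign-key "$(fpr "$VERIFIER_HOME" "$SIGNER")"
g "$VERIFIER_HOME" --check-trustdb
AFTER=$(trust_level "$VERIFIER_HOME" "$ART.asc" "$ART")      # TRUST_FULLY

# A tampered artifact fails outright: GnuPG emits no TRUST_ line at all.
printf 'tampered\n' >> "$ART"
TAMPERED=$(trust_level "$VERIFIER_HOME" "$ART.asc" "$ART")   # (empty)
echo "before=$BEFORE after=$AFTER tampered='$TAMPERED'"
```

Scripts that automate release verification should branch on the TRUST_* status line rather than grep the human-readable warning, which changes wording between GnuPG versions and locales.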

On 14 Jul 2004, at 21:31, Stephen Colebourne wrote:

> Yes, it's what everyone else is doing ;-)
> Stephen
>
> ----- Original Message -----
> From: "Gary Gregory" <ggregory@seagullsoftware.com>
> Hm, should I proceed with codec 1.3 "signing" and releasing then?
> Signing in quotes since my key is unconfirmed.
>
> Gary
>
>> -----Original Message-----
>> From: robert burrell donkin [mailto:robertburrelldonkin@blueyonder.co.uk]
>> Sent: Wednesday, July 14, 2004 12:12
>> To: Jakarta Commons Developers List
>> Subject: Re: [general] signing releases.
>>
>> On 14 Jul 2004, at 08:53, Stephen Colebourne wrote:
>>
>>> I believe this means that your key is unconfirmed. The system appears
>>> to be that you need somebody who knows you and has a confirmed key to be
>>> able to confirm your key. i.e. it's a 'web of trust', with each confirmed
>>> key proven by somebody else. My key isn't confirmed either. Al IIRC.
>>
>> +1
>>
>> i've had to answer this one a few times for users who've emailed me
>> directly. we're in the process of reviewing the jakarta download pages
>> and maybe there'd be a good argument for adding some documentation
>> somewhere.
>>
>> a thought that has crossed my mind is that maybe the commons could lead
>> the way by having a page containing fingerprints for our code signing
>> keys.
>>
>> - robert
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: commons-dev-unsubscribe@jakarta.apache.org
>> For additional commands, e-mail: commons-dev-help@jakarta.apache.org

