commons-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From sebb <seb...@gmail.com>
Subject Re: [releasing] PGP keys for code signing
Date Wed, 06 May 2009 10:57:19 GMT
On 06/05/2009, Christian Grobmeier <grobmeier@gmail.com> wrote:
> > Can you upload the public key?
>
>
> http://people.apache.org/~grobmeier/test/grobmeier-codesigning.pub
>

Thanks, that has allowed me to check the signature. Validates OK.

However I was unable to download the key from a keyserver - maybe
there was a problem with the server I was using.

>  > It will need to be added to KEYS at some point if you are to use it.
>
>
> Yes. I didn't understood when a key is beeing considered "trusted" at apache.

See:

http://www.apache.org/dev/release-signing.html

In theory, all ASF keys should be connected in a web of trust, however
that is not the case.

But at least if your key is in the KEYS file it shows that it was
trusted by the person updating the file, and that person must have had
commit access.

>  Meanwhile I think there is not such a policy. However, key should work
>  now for most key servers and is now signed by CACert and by another
>  guy.
>
>  If I need more actions... pleae let me know. Otherwise I will commit
>  it to our keys file in the next days.
>
>  Cheers + thanks,
>
> Christian
>
>  ---------------------------------------------------------------------
>  To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
>  For additional commands, e-mail: dev-help@commons.apache.org
>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org


Mime
View raw message