commons-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rahul Akolkar <rahul.akol...@gmail.com>
Subject Re: [releasing] PGP keys for code signing
Date Wed, 06 May 2009 16:03:55 GMT
On Wed, May 6, 2009 at 10:43 AM, Craig L Russell <Craig.Russell@sun.com> wrote:
> Much better!
>
<snip/>
> [CraigRussell:~/Downloads] clr% gpg --verify
> commons-chain-1.2-bin.tar.gz.asc
> gpg: Signature made Tue May  5 22:13:09 2009 PDT using DSA key ID 42196CA8
> gpg: Good signature from "Christian Grobmeier (Apache Codesigning)
> <grobmeier@apache.org>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the
> owner.
> Primary key fingerprint: 9D23 5338 96A9 7847 0358  5B62 86E0 2C5A 4219 6CA8
>
> I'd vote for this signature being valid to sign releases. Only incubator
> releases right now, since it hasn't been signed by the Apache WOT. That can
> be fixed at a Sign-a-Thon. ;-)
>
<snap/>

I'd vote for Apache Commons releases signed by any key thats in the
KEYS file (regardless of WOT status -- keysigning would be good and is
encouraged, but isn't a blocker).

-Rahul


> Craig
>
> On May 5, 2009, at 11:35 PM, Christian Grobmeier wrote:
>
>>> gpg: Can't check signature: public key not found
>>> [CraigRussell:~/Downloads] clr% gpg --recv-keys 42196CA8
>>> gpg: requesting key 42196CA8 from hkp server subkeys.pgp.net
>>> gpgkeys: key 42196CA8 not found on keyserver
>>
>> Thanks, i sent it to several keyservers now :-)
>> Can you try again?
>>
>> Christian
>>

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org


Mime
View raw message