corinthia-dev mailing list archives

From "Dennis E. Hamilton" <dennis.hamil...@acm.org>
Subject RE: [DISCUSS][PRE-VOTE] Release candidate 0.1
Date Fri, 14 Aug 2015 17:34:40 GMT
I think it looks good to you because you signed it and you have the public key.

I obviously do not have the public key of the signer.

Furthermore, nowhere am I told that I need yours.  I am reviewing this as someone who is not
on the project.  Somewhere, it must be specified what public key is needed and how to obtain
it from a safe place.  That is what I am asking for.  

What is the information that an outsider needs in order to know who the release manager/signer
is and how to find an authentic public key for that committer?

When that information is provided, I can proceed with any review of the source zip.

Thanks,

 - Dennis

-----Original Message-----
From: jan i [mailto:jani@apache.org] 
Sent: Friday, August 14, 2015 09:47
To: jan i <jani@apache.org>
Cc: dev@corinthia.incubator.apache.org; dennis.hamilton@acm.org
Subject: Re: [DISCUSS][PRE-VOTE] Release candidate 0.1

you never know, so I went on and tested on my Azure VM:


C:\users\jani\opensource\dist_dev_incubator\corinthia> gpg .\incubator-corinthia_release_0.1.zip.asc
gpg: Signature made 08/14/15 11:51:06 using RSA key ID 577E7412
gpg: Good signature from "jan iversen <jancasacondor@gmail.com>"

Could it be a setup problem on your side?

rgds
jan I.


On 14 August 2015 at 18:44, jan i <jani@apache.org> wrote:

>
>
> On Friday, August 14, 2015, Dennis E. Hamilton <dennis.hamilton@acm.org>
> wrote:
>
>> Please provide an authoritative ASF location of the public key to use for
>> checking the signature.  It would be something like a continuously verified
>> key on this list: <https://people.apache.org/keys/committer/>.  (This
>> establishes both the name of the ASF committer who possesses the signature
>> and that the key has not been revoked.)
>
>
> ????? if you look there you will see my key.
>
> This is done automatically when you add your key to id.a.o
>
>
>
>>
>> How will that be made known to reviewers and downloaders of the Release
>> Candidate?
>
> well people.a.o/keys/committer is the official place, my key is
> furthermore uploaded on a couple of key servers.
>
> rgds
> jan i
>
>>
>>  - Dennis
>>
>> ----- Failure Output -----
>> Microsoft Windows [Version 10.0.10240]
>> (c) 2015 Microsoft Corporation. All rights reserved.
>>
>> C:\Program Files (x86)\GNU\GnuPG>gpg2 d:\Apache\corinthia\rc\incubator-corinthia_release_0.1.zip.asc
>> gpg: Signature made 08/14/15 02:51:06 Pacific Daylight Time using RSA key ID 577E7412
>> gpg: Can't check signature: No public key
>>
>> C:\Program Files (x86)\GNU\GnuPG>
>>
>>
>>
>>
>
> --
> Sent from My iPad, sorry for any misspellings.
>


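The two gpg runs quoted in this message differ only in whether the signer's key was already in the local keyring. As an added example (not part of the thread and not the project's code), the sketch below classifies GnuPG `--status-fd` output and reports "verified" only when the signing key's fingerprint matches one the reviewer obtained out of band. Assumptions: the fingerprint `FPR` is a constructed placeholder whose last eight hex digits are the short key ID shown above, and both sample status outputs are constructed to mirror the quoted runs.

```python
# Added example (not from the thread): classify GnuPG status-fd output.
PREFIX = "[GNUPG:] "
# Constructed placeholder fingerprint; only its last 8 hex digits (the short
# key ID shown in the thread) come from the page.
FPR = "A" * 32 + "577E7412"

def parse_status(text):
    """Return (keyword, args) pairs from `gpg --status-fd` lines."""
    out = []
    for line in text.splitlines():
        if line.startswith(PREFIX):
            fields = line[len(PREFIX):].split()
            if fields:
                out.append((fields[0], fields[1:]))
    return out

def assess(status_text, pinned_fingerprints):
    """Verdict for one verification run, given fingerprints obtained out of band."""
    pinned = {f.replace(" ", "").upper() for f in pinned_fingerprints}
    records = parse_status(status_text)
    seen = {kw for kw, _ in records}
    if "BADSIG" in seen:
        return "bad-signature"
    if seen & {"ERRSIG", "NO_PUBKEY"}:
        return "cannot-check"            # key not in the local keyring
    if seen & {"EXPSIG", "EXPKEYSIG", "REVKEYSIG"}:
        return "expired-or-revoked"
    valid = [args for kw, args in records if kw == "VALIDSIG" and args]
    if not valid:
        return "no-valid-signature"
    for args in valid:
        # Field 0 is the signing key's fingerprint; field 9, when present,
        # is the primary key's fingerprint.
        fprs = {args[0].upper()} | ({args[9].upper()} if len(args) > 9 else set())
        if not fprs & pinned:
            return "good-but-unpinned"   # signature checks out, key origin unproven
    return "verified"

# Constructed status output modelled on the two runs quoted in the thread.
NO_KEY_RUN = (
    "[GNUPG:] ERRSIG AAAAAAAA577E7412 1 2 00 1439545866 9\n"
    "[GNUPG:] NO_PUBKEY AAAAAAAA577E7412\n"
)
GOOD_RUN = (
    "[GNUPG:] GOODSIG AAAAAAAA577E7412 jan iversen <jancasacondor@gmail.com>\n"
    f"[GNUPG:] VALIDSIG {FPR} 2015-08-14 1439545866 0 4 0 1 2 00 {FPR}\n"
)

if __name__ == "__main__":
    print(assess(NO_KEY_RUN, set()))
    print(assess(GOOD_RUN, set()))
    print(assess(GOOD_RUN, {FPR}))
```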