corinthia-dev mailing list archives

From jan i <j...@apache.org>
Subject Re: [DISCUSS][PRE-VOTE] Release candidate 0.1
Date Fri, 14 Aug 2015 17:40:53 GMT
On 14 August 2015 at 19:34, Dennis E. Hamilton <dennis.hamilton@acm.org>
wrote:

> I think it looks good to you because you signed it and you have the public
> key.
>
> I obviously do not have the public key of the signer.
>
Well, you need to add that to your own keyring.

You can do that by using:
gpg --keyserver hkp://keys.gnupg.net --recv-keys CB94DE73
or downloading jani.asc and importing it.


>
> Furthermore, nowhere am I told that I need yours.  I am reviewing this as
> someone who is not on the project.  Somewhere, it must be specified what
> public key is needed and how to obtain it from a safe place.  That is what
> I am asking for.
>
You could read about how gpg works; that is not something we should
document.

>
> What is the information that an outsider needs in order to know who the
> release manager/signer is and how to find an authentic public key for that
> committer?
>
> When that information is provided, I can proceed with any review of the
> source zip.
>
I do not understand that relationship; you can download the zip file and
control the content, without looking at the asc file. The zip file is ready
to open and use.

rgds
jan i.


>
> Thanks,
>
>  - Dennis
>
> -----Original Message-----
> From: jan i [mailto:jani@apache.org]
> Sent: Friday, August 14, 2015 09:47
> To: jan i <jani@apache.org>
> Cc: dev@corinthia.incubator.apache.org; dennis.hamilton@acm.org
> Subject: Re: [DISCUSS][PRE-VOTE] Release candidate 0.1
>
> You never know, so I went on and tested on my Azure VM:
>
>
> C:\users\jani\opensource\dist_dev_incubator\corinthia> gpg .\incubator-corinthia_release_0.1.zip.asc
> gpg: Signature made 08/14/15 11:51:06 using RSA key ID 577E7412
> gpg: Good signature from "jan iversen <jancasacondor@gmail.com>"
>
> Could it be a setup problem on your side?
>
> rgds
> jan I.
>
>
> On 14 August 2015 at 18:44, jan i <jani@apache.org> wrote:
>
> >
> >
> > On Friday, August 14, 2015, Dennis E. Hamilton <dennis.hamilton@acm.org>
> > wrote:
> >
> >> Please provide an authoritative ASF location of the public key to use for
> >> checking the signature.  It would be something like a continuously verified
> >> key on this list: <https://people.apache.org/keys/committer/>.  (This
> >> establishes both the name of the ASF committer who possesses the signature
> >> and that the key has not been revoked.)
> >
> >
> > ????? if you look there you will see my key.
> >
> > This is done automatically when you add your key to id.a.o
> >
> >
> >
> >>
> >> How will that be made known to reviewers and downloaders of the Release
> >> Candidate?
> >
> > well people.a.o/keys/committer is the official place, my key is
> > furthermore uploaded on a couple of key servers.
> >
> > rgds
> > jan i
> >
> >>
> >>  - Dennis
> >>
> >> ----- Failure Output -----
> >> Microsoft Windows [Version 10.0.10240]
> >> (c) 2015 Microsoft Corporation. All rights reserved.
> >>
> >> C:\Program Files (x86)\GNU\GnuPG>gpg2 d:\Apache\corinthia\rc\incubator-corinthia_release_0.1.zip.asc
> >> gpg: Signature made 08/14/15 02:51:06 Pacific Daylight Time using RSA key ID 577E7412
> >> gpg: Can't check signature: No public key
> >>
> >> C:\Program Files (x86)\GNU\GnuPG>
> >>
> >>
> >>
> >>
> >
> > --
> > Sent from My iPad, sorry for any misspellings.
> >
>
>
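
Added example (not part of the original message and not project code): the two gpg results quoted in this thread, "Good signature" and "No public key", classified from gpg's machine-readable `--status-fd` lines, with the signer accepted only when the full primary-key fingerprint matches one taken from a trusted key list. The function names, fingerprints and status lines are constructed for illustration, and a single signature per file is assumed.

```python
# Added example: classify the machine-readable output of
#   gpg --status-fd 1 --verify FILE.asc FILE
# All fingerprints and status lines below are constructed sample data.
PREFIX = "[GNUPG:] "
PINNED = "0123456789ABCDEF0123456789ABCDEF1234ABCD"     # from a trusted key list
LOOKALIKE = "FEDCBA9876543210FEDCBA98765432101234ABCD"  # same short ID 1234ABCD

def sample_status(fpr, keyword="GOODSIG"):
    """Build constructed status lines for one valid signature by key `fpr`."""
    return "\n".join([
        PREFIX + "NEWSIG",
        PREFIX + f"{keyword} {fpr[-16:]} Constructed Signer <signer@example.org>",
        PREFIX + f"VALIDSIG {fpr} 2015-08-14 1439545866 0 4 0 1 8 00 {fpr}",
        'gpg: Good signature from "Constructed Signer <signer@example.org>"',
    ])

NO_KEY = "\n".join([  # what a reviewer without the signer's key gets
    PREFIX + "ERRSIG 89ABCDEF1234ABCD 1 8 00 1439545866 9",
    PREFIX + "NO_PUBKEY 89ABCDEF1234ABCD",
    "gpg: Can't check signature: No public key",
])

def verdict(status_text, pinned_fprs):
    """Return a verdict string; only full primary-key fingerprints are compared."""
    pinned = {f.replace(" ", "").upper() for f in pinned_fprs}
    seen, primary = set(), None
    for line in status_text.splitlines():
        if not line.startswith(PREFIX):
            continue                      # human-readable text is ignored
        fields = line[len(PREFIX):].split()
        if not fields:
            continue
        seen.add(fields[0])
        if fields[0] == "VALIDSIG" and len(fields) >= 11:
            primary = fields[-1].upper()  # last argument: primary key fingerprint
    if "BADSIG" in seen:
        return "bad-signature"
    if seen & {"REVKEYSIG", "EXPKEYSIG", "EXPSIG"}:
        return "expired-or-revoked"       # VALIDSIG is still emitted in these cases
    if primary is None:
        return "no-public-key" if "NO_PUBKEY" in seen else "not-verified"
    return "ok" if primary in pinned else "good-but-unpinned-key"

if __name__ == "__main__":
    for text in (sample_status(PINNED), sample_status(LOOKALIKE), NO_KEY):
        print(verdict(text, [PINNED]))
```

The second sample shares its last eight hex digits with the pinned key, so a comparison on the short key ID alone would accept it.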
