db-derby-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Tena Sakai" <tsa...@gallo.ucsf.edu>
Subject RE: newbie confused about "verifying release"
Date Thu, 21 May 2009 02:22:04 GMT
Hi Kurt,

Many thanks for your reply.

I redid everything by downloading the .gz file,
.gz.asc, and .gz.md5.  I was a bit skeptical,
but to my surprise I was able to produce exactly
the same thing as you did.

  [tsakai@vixen Derby]$ gpg --refresh-keys
                      .
                      .
  gpg: Total number processed: 20
  gpg:              unchanged: 17
  gpg:           new user IDs: 5
  gpg:         new signatures: 263
  [tsakai@vixen Derby]$
  [tsakai@vixen Derby]$ gpg --update-trustdb
  gpg: checking at depth 0 signed=0 ot(-/q/n/m/f/u)=0/0/0/0/0/1
  [tsakai@vixen Derby]$
  [tsakai@vixen Derby]$ gpg --verify db-derby-10.5.1.1-src.tar.gz.asc
  gpg: Signature made Tue 14 Apr 2009 02:27:52 PM PDT using DSA key ID 37AA956A
  gpg: Good signature from "Myrna van Lunteren <m.v.lunteren@gmail.com>"
  gpg: WARNING: This key is not certified with a trusted signature!
  gpg:          There is no indication that the signature belongs to the owner.
  Primary key fingerprint: 66C3 0B69 5415 91E3 A777  F84D 0E13 F75A 37AA 956A
  [tsakai@vixen Derby]$
  [tsakai@vixen Derby]$ md5sum db-derby-10.5.1.1-src.tar.gz
  f5c2d8c6546757243e2c8cf79fd944fe  db-derby-10.5.1.1-src.tar.gz
  [tsakai@vixen Derby]$
  [tsakai@vixen Derby]$ cat db-derby-10.5.1.1-src.tar.gz.md5
  F5C2D8C6546757243E2C8CF79FD944FE
  [tsakai@vixen Derby]$

Thanks again.

Regards,

Tena Sakai
tsakai@gallo.ucsf.edu


-----Original Message-----
From: Kurt Huwig [mailto:k.huwig@iku-ag.de]
Sent: Wed 5/20/2009 1:17 AM
To: derby-user@db.apache.org
Cc: Tena Sakai
Subject: Re: newbie confused about "verifying release"
 
Tena,

I guess your download is broken. If I do the same, I get a GOOD signature:

kurt@pckurt:~/Install/Java$ LANG=en gpg --verify db-derby-10.5.1.1-
src.tar.gz.asc
gpg: Signature made Tue Apr 14 23:27:52 2009 CEST using DSA key ID 37AA956A
gpg: Good signature from "Myrna van Lunteren <m.v.lunteren@gmail.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 66C3 0B69 5415 91E3 A777  F84D 0E13 F75A 37AA 956A

You should verify the download with MD5:

kurt@pckurt:~/Install/Java$ md5sum db-derby-10.5.1.1-src.tar.gz
f5c2d8c6546757243e2c8cf79fd944fe  db-derby-10.5.1.1-src.tar.gz
kurt@pckurt:~/Install/Java$ cat db-derby-10.5.1.1-src.tar.gz.md5
F5C2D8C6546757243E2C8CF79FD944FE

Regarding the warning: as the others pointed out, you do not know if you have 
downloaded the original key of Myrna or a faked copy. Everybody can create a 
key that reads "Myrna van Lunteren <m.v.lunteren@gmail.com>". Therefore there 
is something called the "web of trust" where people verify the correctness of 
a key and do a digital signature on it. For example if you'd trust my GPG key 
and I'd sign Myrna's key, then you could verify that you downloaded the 
correct key by verifying my signature on the key you downloaded, because this 
is something that noone can fake.

http://en.wikipedia.org/wiki/Web_of_Trust

On Wednesday 20 May 2009 04:22:40 Tena Sakai wrote:
> Hi Myrna,
> Hi kathy,
>
> Thanks for your reply.  I read what you pointed out to me and
> I thought I understood what Knut Anders mentioned.  Accordingly
> I executed what was suggested, but I am left with the same
> message as I posted the second time:
>
>   [tsakai@vixen Derby]$ gpg --refresh-keys
>   gpg: refreshing 24 keys from hkp://subkeys.pgp.net
>   gpg: key FFCCF7B1: "Dyre Tjeldvoll <dyre@apache.org>" 3 new signatures
>   gpg: key 37AA956A: "Myrna van Lunteren <m.v.lunteren@gmail.com>" not
> changed gpg: key 5355D01C: "Dag H. Wanvik (Derby committer)
> <dag@apache.org>" 13 new signatures gpg: key 88D83722: "Andreas
> Korneliussen <andreask@apache.org>" 1 new user ID gpg: key 88D83722:
> "Andreas Korneliussen <andreask@apache.org>" 12 new signatures gpg: can't
> get key from keyserver: Connection timed out
>   gpg: key 0C8EBFBE: "David Van Couvering (My Apache Key)
> <davidvc@apache.org>" 19 new signatures gpg: key 98E21827: "Rick Hillegas
> <rhillegas@apache.org>" 7 new signatures gpg: key B1669287: "Kathey Marsden
> <kmarsden@apache.org>" not changed gpg: key 99586C26: "Jean T. Anderson
> (IBM) (adding IBM email) <jander@us.ibm.com>" 2 new user IDs gpg: key
> 99586C26: "Jean T. Anderson (IBM) (adding IBM email) <jander@us.ibm.com>"
> 98 new signatures gpg: key 8E8367B1: "Satheesh Bandaram (Apache Derby
> Project) <satheesh@Sourcery.Org>" not changed gpg: can't get key from
> keyserver: Connection timed out
>   gpg: key AB821FBC: "Andrew McIntyre <fuzzylogic@apache.org>" 3 new user
> IDs gpg: key AB821FBC: "Andrew McIntyre <fuzzylogic@apache.org>" 119 new
> signatures gpg: key AB1B7EE4: "Daniel John Debrunner <djd@debrunners.com>"
> not changed gpg: no valid OpenPGP data found.
>   gpg: key AA0077B0: "Kev Jackson (apache key) <kevj@apache.org>" not
> changed gpg: key C152431A: "Steve Loughran <stevel@apache.org>" 5 new
> signatures gpg: can't get key from keyserver: Connection timed out
>   gpg: key 265B4C63: "Antoine Levy-Lambert (Apache Ant Committer)
> <antoine@apache.org>" 4 new signatures gpg: key EDF62C35: "Magesh Umasankar
> <umagesh@apache.org>" 1 new signature gpg: key 307A10A5: "Henri Gomez
> <hgomez@users.sourceforge.net>" 7 new signatures gpg: key 397DCAD5: "Henri
> Gomez <hgomez@users.sourceforge.net>" 2 new signatures gpg: key 697ECEDD:
> "Henri Gomez <hgomez@apache.org>" 1 new user ID gpg: key 697ECEDD: "Henri
> Gomez <hgomez@apache.org>" 6 new signatures gpg: can't get key from
> keyserver: Connection timed out
>   gpg: key FEECAAED: "Stefan Bodewig <bodewig@apache.org>" 19 new
> signatures gpg: Total number processed: 19
>   gpg:              unchanged: 5
>   gpg:           new user IDs: 7
>   gpg:         new signatures: 315
>   [tsakai@vixen Derby]$
>   [tsakai@vixen Derby]$ echo $?
>   2
>   [tsakai@vixen Derby]$
>   [tsakai@vixen Derby]$ gpg --update-trustdb
>   gpg: checking at depth 0 signed=0 ot(-/q/n/m/f/u)=0/0/0/0/0/1
>   [tsakai@vixen Derby]$
>   [tsakai@vixen Derby]$ gpg --verify db-derby-10.5.1.1-src.tar.gz.asc
>   gpg: Signature made Tue 14 Apr 2009 02:27:52 PM PDT using DSA key ID
> 37AA956A gpg: BAD signature from "Myrna van Lunteren
> <m.v.lunteren@gmail.com>" [tsakai@vixen Derby]$
>
> It appears that --refresh-keys indeed did stuff, although it took
> a long time (which is evidenced by "Connection timed out" messages.
> That said, it didn't seem to have changed the bottom line.  I don't
> like the line:
>   BAD signature from "Myrna van Lunteren <m.v.lunteren@gmail.com>"
> It sounds a bit ominous and definite.
>
> Perhaps this is not something I should waste more time on?
>
> Regards,
>
> Tena Sakai
> tsakai@gallo.ucsf.edu
>
>
> -----Original Message-----
> From: Myrna van Lunteren [mailto:m.v.lunteren@gmail.com]
> Sent: Tue 5/19/2009 3:54 PM
> To: Derby Discussion
> Subject: Re: newbie confused about "verifying release"
>
> On Tue, May 19, 2009 at 2:43 PM, Tena Sakai <tsakai@gallo.ucsf.edu> wrote:
> > Hi,
> >
> > I am a newbie and just got started with derby.  I was doing what this
> > page
> >
> > http://db.apache.org/derby/releases/release-10.5.1.1.cgi#Verifying+releas
> >es instructed.
>
> [...snip...]
>
> > Here are responses from the two commands:
> >   [tsakai@vixen Derby]$ gpg --import KEYS
>
> [...snip...]
>
> >   gpg: key FFCCF7B1: "Dyre Tjeldvoll <dyre@apache.org>" not changed
> >   gpg: Total number processed: 13
> >   gpg:              unchanged: 13
> >   [tsakai@vixen Derby]$
> >   [tsakai@vixen Derby]$ gpg --verify db-derby-10.5.1.1-src.tar.gz.asc
> >   gpg: Signature made Tue 14 Apr 2009 02:27:52 PM PDT using DSA key ID
> > 37AA956A
> >   gpg: Good signature from "Myrna van Lunteren <m.v.lunteren@gmail.com>"
> >   gpg: WARNING: This key is not certified with a trusted signature!
> >   gpg:          There is no indication that the signature belongs to the
> > owner.
> >   Primary key fingerprint: 66C3 0B69 5415 91E3 A777  F84D 0E13 F75A 37AA
> > 956A
> >   [tsakai@vixen Derby]$
> >
> > What I don't understand is at the bottom:
> >   gpg: WARNING: This key is not certified with a trusted signature!
> >   gpg:          There is no indication that the signature belongs to the
> > owner.
> >
> > Can someone please clue me in?  Is this good, bad, neutral?
> > Should I do something (and if so, what)?  Should I ignore and move on?
> >
> > Thank you in advance.
> >
> > Regards,
> >
> > Tena Sakai
> > tsakai@gallo.ucsf.edu
>
> You're not the first to ever have been confused by this. There was a
> thread on our derby-developers list on this issue a long time ago, re
> 10.4.2.0, see:
> http://www.mail-archive.com/derby-dev@db.apache.org/msg62800.html
>
> Knut Anders' response in the final mail on that thread is helpful;
> " Note that gpg told you that the signature was good. What it
> warned you about, was that you didn't trust anyone who had signed Rick's
> key. You can update your trust db with "gpg --update-trustdb"."
>
> In this case, it appears it is *my* signature that is not known by
> 'you' or anyone 'you' (your pgp program, that is) know. But as I
> understand it, that's still ok.
>
> Myrna

-- 
Mit freundlichen Grüßen

Kurt Huwig (Vorstand)                     Telefon 0681 / 3 72 00 36 - 50
http://www.iku-ag.de/                     Telefax 0681 / 3 72 00 36 - 59

iKu Systemhaus AG, Altenkesseler Straße 17/Gebäude C1, 66115 Saarbrücken
Amtsgericht: Saarbrücken, HRB 13240
Vorstand: Kurt Huwig            Aufsichtsratsvorsitzender: Jan Bankstahl

GnuPG 1024D/99DD9468 64B1 0C5B 82BC E16E 8940  EB6D 4C32 F908 99DD 9468


Mime
View raw message