db-derby-user mailing list archives

From Myrna van Lunteren <m.v.lunte...@gmail.com>
Subject Re: newbie confused about "verifying release"
Date Tue, 19 May 2009 22:54:04 GMT
On Tue, May 19, 2009 at 2:43 PM, Tena Sakai <tsakai@gallo.ucsf.edu> wrote:
> Hi,
>
> I am a newbie and just got started with derby.  I was doing what this page
>
> http://db.apache.org/derby/releases/release-10.5.1.1.cgi#Verifying+releases
> instructed.
>
[...snip...]
> Here are responses from the two commands:
>   [tsakai@vixen Derby]$ gpg --import KEYS
[...snip...]
>   gpg: key FFCCF7B1: "Dyre Tjeldvoll <dyre@apache.org>" not changed
>   gpg: Total number processed: 13
>   gpg:              unchanged: 13
>   [tsakai@vixen Derby]$
>   [tsakai@vixen Derby]$ gpg --verify db-derby-10.5.1.1-src.tar.gz.asc
>   gpg: Signature made Tue 14 Apr 2009 02:27:52 PM PDT using DSA key ID
> 37AA956A
>   gpg: Good signature from "Myrna van Lunteren <m.v.lunteren@gmail.com>"
>   gpg: WARNING: This key is not certified with a trusted signature!
>   gpg:          There is no indication that the signature belongs to the
> owner.
>   Primary key fingerprint: 66C3 0B69 5415 91E3 A777  F84D 0E13 F75A 37AA
> 956A
>   [tsakai@vixen Derby]$
>
> What I don't understand is at the bottom:
>   gpg: WARNING: This key is not certified with a trusted signature!
>   gpg:          There is no indication that the signature belongs to the
> owner.
>
> Can someone please clue me in?  Is this good, bad, neutral?
> Should I do something (and if so, what)?  Should I ignore and move on?
>
> Thank you in advance.
>
> Regards,
>
> Tena Sakai
> tsakai@gallo.ucsf.edu

You're not the first to ever have been confused by this. There was a
thread on our derby-developers list on this issue a long time ago, re
10.4.2.0, see:
http://www.mail-archive.com/derby-dev@db.apache.org/msg62800.html

Knut Anders' response in the final mail on that thread is helpful:
"Note that gpg told you that the signature was good. What it
warned you about, was that you didn't trust anyone who had signed Rick's
key. You can update your trust db with "gpg --update-trustdb"."

In this case, it appears it is *my* signature that is not known by
'you' or anyone 'you' (your pgp program, that is) know. But as I
understand it, that's still ok.

Myrna
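
Added example, not part of the original message or of the Derby project: a shell function that separates the two things gpg reports in the output quoted above, whether the signature is good and what the local trust database thinks of the key, by reading gpg's machine-readable `--status-fd` lines. It assumes the expected signer's fingerprint was obtained from a source you already trust; the status lines in `sample_status` are constructed from the output quoted in this thread.

```shell
#!/bin/sh
# Reads `gpg --status-fd 1 --verify FILE.asc FILE` output on stdin.
# $1: fingerprint of the expected signer (assumption: obtained from a trusted source).
classify_gpg_status() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    fpr="" good=no trust=unknown
    while read -r tag keyword arg1 _rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case "$keyword" in
            GOODSIG)       [ "$good" = bad ] || good=yes ;;  # signature matches the data
            BADSIG|ERRSIG) good=bad ;;                       # altered data or unusable signature
            VALIDSIG)      fpr=$arg1 ;;                      # full fingerprint of the signing key
            TRUST_*)       trust=${keyword#TRUST_} ;;        # local trustdb opinion of the key
        esac
    done
    if [ "$good" != yes ] || [ -z "$fpr" ]; then
        echo "REJECT: no valid signature"
    elif [ "$fpr" != "$expected" ]; then
        echo "REJECT: signed by unexpected key $fpr"
    else
        # The WARNING in the thread corresponds to trust=UNDEFINED here:
        # the signature is good, the key just has no trusted certification.
        echo "OK: signed by expected key (web-of-trust: $trust)"
    fi
}

# Constructed sample of status lines for the verification shown in the thread.
sample_status() {
    cat <<'EOF'
[GNUPG:] GOODSIG 0E13F75A37AA956A Myrna van Lunteren <m.v.lunteren@gmail.com>
[GNUPG:] VALIDSIG 66C30B69541591E3A777F84D0E13F75A37AA956A 2009-04-14 1239744472 0 4 0 17 2 00 66C30B69541591E3A777F84D0E13F75A37AA956A
[GNUPG:] TRUST_UNDEFINED
EOF
}

# Real use (file names from the thread):
#   gpg --status-fd 1 --verify db-derby-10.5.1.1-src.tar.gz.asc db-derby-10.5.1.1-src.tar.gz 2>/dev/null \
#     | classify_gpg_status "<fingerprint from a trusted source>"
sample_status | classify_gpg_status "66C3 0B69 5415 91E3 A777  F84D 0E13 F75A 37AA 956A"
```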
