Hi,

Confusion part 2:

I untar'ed the tree and found a file called KEYS in the
src directory.  I used this set of keys to do the same
thing as before.  Here's the response:

  [tsakai@vixen Derby]$ gpg --import KEYS
  gpg: key AB1B7EE4: "Daniel John Debrunner <djd@debrunners.com>" not changed
  gpg: key AB821FBC: "Samuel Andrew McIntyre (Apache Derby Project) <fuzzylogic@nonintuitive.com>" not changed
  gpg: key 21EA3ECD: "Mike Matrigali <mikem_app@sbcglobal.net>" not changed
  gpg: key 8E8367B1: "Satheesh Bandaram (Apache Derby Project) <satheesh@Sourcery.Org>" not changed
  gpg: key 99586C26: "Jean T. Anderson <jta@bristowhill.com>" not changed
  gpg: key B1669287: "Kathey Marsden <kmarsden@apache.org>" not changed
  gpg: key 98E21827: "Rick Hillegas <rhillegas@apache.org>" not changed
  gpg: key 0C8EBFBE: "David Van Couvering (My Apache Key) <davidvc@apache.org>" not changed
  gpg: key 990ED4AA: "Knut Anders Hatlen <kahatlen@apache.org>" not changed
  gpg: key 88D83722: "Andreas Korneliussen <andreas.korneliussen@broadpark.no>" not changed
  gpg: key 5355D01C: "Dag H. Wanvik (Derby committer) <dag@apache.org>" not changed
  gpg: key 37AA956A: "Myrna van Lunteren <m.v.lunteren@gmail.com>" not changed
  gpg: key FFCCF7B1: "Dyre Tjeldvoll <dyre@apache.org>" not changed
  gpg: Total number processed: 13
  gpg:              unchanged: 13
  [tsakai@vixen Derby]$
  [tsakai@vixen Derby]$ gpg --verify db-derby-10.5.1.1-src.tar.gz.asc
  gpg: Signature made Tue 14 Apr 2009 02:27:52 PM PDT using DSA key ID 37AA956A
  gpg: BAD signature from "Myrna van Lunteren <m.v.lunteren@gmail.com>"
  [tsakai@vixen Derby]$
  [tsakai@vixen Derby]$ echo $?
  1
  [tsakai@vixen Derby]$

The first command returned exactly the same response as the previous
invocation.  (I diff'ed them.)  But if the "import" didn't change
anything, then why should the 2nd command return something different
from the previous run?  In any event, if someone can help me
understand what I am understanding, I would appreciate it.

Regards,

Tena Sakai
tsakai@gallo.ucsf.edu


-----Original Message-----
From: Tena Sakai [mailto:tsakai@gallo.ucsf.edu]
Sent: Tue 5/19/2009 2:43 PM
To: derby-user@db.apache.org
Subject: newbie confused about "verifying release"

Hi,

I am a newbie and just got started with Derby.  I was doing what this page
  http://db.apache.org/derby/releases/release-10.5.1.1.cgi#Verifying+releases
instructed.

The host is Red Hat Linux.
  uname -vro
returns:
  2.6.9-78.0.1.ELsmp #1 SMP Tue Jul 22 18:01:05 EDT 2008 GNU/Linux

Here are responses from the two commands:
  [tsakai@vixen Derby]$ gpg --import KEYS
  gpg: key AB1B7EE4: "Daniel John Debrunner <djd@debrunners.com>" not changed
  gpg: key AB821FBC: "Samuel Andrew McIntyre (Apache Derby Project) <fuzzylogic@nonintuitive.com>" not changed
  gpg: key 21EA3ECD: "Mike Matrigali <mikem_app@sbcglobal.net>" not changed
  gpg: key 8E8367B1: "Satheesh Bandaram (Apache Derby Project) <satheesh@Sourcery.Org>" not changed
  gpg: key 99586C26: "Jean T. Anderson <jta@bristowhill.com>" not changed
  gpg: key B1669287: "Kathey Marsden <kmarsden@apache.org>" not changed
  gpg: key 98E21827: "Rick Hillegas <rhillegas@apache.org>" not changed
  gpg: key 0C8EBFBE: "David Van Couvering (My Apache Key) <davidvc@apache.org>" not changed
  gpg: key 990ED4AA: "Knut Anders Hatlen <kahatlen@apache.org>" not changed
  gpg: key 88D83722: "Andreas Korneliussen <andreas.korneliussen@broadpark.no>" not changed
  gpg: key 5355D01C: "Dag H. Wanvik (Derby committer) <dag@apache.org>" not changed
  gpg: key 37AA956A: "Myrna van Lunteren <m.v.lunteren@gmail.com>" not changed
  gpg: key FFCCF7B1: "Dyre Tjeldvoll <dyre@apache.org>" not changed
  gpg: Total number processed: 13
  gpg:              unchanged: 13
  [tsakai@vixen Derby]$
  [tsakai@vixen Derby]$ gpg --verify db-derby-10.5.1.1-src.tar.gz.asc
  gpg: Signature made Tue 14 Apr 2009 02:27:52 PM PDT using DSA key ID 37AA956A
  gpg: Good signature from "Myrna van Lunteren <m.v.lunteren@gmail.com>"
  gpg: WARNING: This key is not certified with a trusted signature!
  gpg:          There is no indication that the signature belongs to the owner.
  Primary key fingerprint: 66C3 0B69 5415 91E3 A777  F84D 0E13 F75A 37AA 956A
  [tsakai@vixen Derby]$

What I don't understand is at the bottom:
  gpg: WARNING: This key is not certified with a trusted signature!
  gpg:          There is no indication that the signature belongs to the owner.

Can someone please clue me in?  Is this good, bad, neutral?
Should I do something (and if so, what)?  Should I ignore and move on?

Thank you in advance.

Regards,

Tena Sakai
tsakai@gallo.ucsf.edu
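
The two `gpg --verify` runs quoted in this thread report different things: "BAD signature" means the file on disk does not match the signature, while the "not certified with a trusted signature" warning follows a good signature and concerns only the local trust database. As an added example (not part of the original messages or of the Derby release instructions), the shell function below tells these cases apart from gpg's machine-readable `--status-fd` output and compares the signing key with an expected fingerprint. The function names are hypothetical, the status lines are constructed samples, and the fingerprint is the one printed in the output quoted above.

```shell
#!/bin/sh
# classify_gpg_status EXPECTED_FPR   (hypothetical helper name)
# Reads `gpg --status-fd 1 --verify ...` status lines on stdin and prints:
#   bad-signature                      file does not match the signature
#   no-valid-signature                 no GOODSIG/VALIDSIG pair was seen
#   good-signature-wrong-key           valid, but not made by the expected key
#   good-signature-expected-key trust=<TRUST_* status reported by gpg>
classify_gpg_status() {
    # Normalise the fingerprint: drop spaces, upper-case the hex digits.
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v want="$expected" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG"   { bad = 1 }
        $2 == "GOODSIG"  { good = 1 }
        # Field 12 is the primary key fingerprint when present; field 3 is
        # the fingerprint of the key that made the signature.
        $2 == "VALIDSIG" { fpr = (NF >= 12) ? $12 : $3 }
        $2 ~ /^TRUST_/   { trust = $2 }
        END {
            if (bad)                  { print "bad-signature"; exit }
            if (!good || fpr == "")   { print "no-valid-signature"; exit }
            if (toupper(fpr) != want) { print "good-signature-wrong-key"; exit }
            print "good-signature-expected-key trust=" (trust == "" ? "none-reported" : trust)
        }'
}

# Constructed sample: status lines for the "Good signature" + warning case.
sample_good_status() {
    cat <<'EOF'
[GNUPG:] GOODSIG 0E13F75A37AA956A Myrna van Lunteren <m.v.lunteren@gmail.com>
[GNUPG:] VALIDSIG 66C30B69541591E3A777F84D0E13F75A37AA956A 2009-04-14 1239744472 0 3 0 17 2 00 66C30B69541591E3A777F84D0E13F75A37AA956A
[GNUPG:] TRUST_UNDEFINED
EOF
}

# Constructed sample: status line for the "BAD signature" case.
sample_bad_status() {
    cat <<'EOF'
[GNUPG:] BADSIG 0E13F75A37AA956A Myrna van Lunteren <m.v.lunteren@gmail.com>
EOF
}

# Real use (requires gpg and the downloaded files):
#   gpg --status-fd 1 --verify FILE.asc FILE 2>/dev/null | classify_gpg_status "$FPR"
FPR='66C3 0B69 5415 91E3 A777  F84D 0E13 F75A 37AA 956A'
sample_good_status | classify_gpg_status "$FPR"
sample_bad_status  | classify_gpg_status "$FPR"
```

The expected fingerprint should come from a source other than the download itself; a `KEYS` file shipped inside the same tarball cannot vouch for that tarball.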