Hi Myrna,
Hi kathy,

Thanks for your reply.  I read what you pointed out to me and
I thought I understood what Knut Anders mentioned.  Accordingly
I executed what was suggested, but I am left with the same
message as I posted the second time:

  [tsakai@vixen Derby]$ gpg --refresh-keys
  gpg: refreshing 24 keys from hkp://subkeys.pgp.net
  gpg: key FFCCF7B1: "Dyre Tjeldvoll <dyre@apache.org>" 3 new signatures
  gpg: key 37AA956A: "Myrna van Lunteren <m.v.lunteren@gmail.com>" not changed
  gpg: key 5355D01C: "Dag H. Wanvik (Derby committer) <dag@apache.org>" 13 new signatures
  gpg: key 88D83722: "Andreas Korneliussen <andreask@apache.org>" 1 new user ID
  gpg: key 88D83722: "Andreas Korneliussen <andreask@apache.org>" 12 new signatures
  gpg: can't get key from keyserver: Connection timed out
  gpg: key 0C8EBFBE: "David Van Couvering (My Apache Key) <davidvc@apache.org>" 19 new signatures
  gpg: key 98E21827: "Rick Hillegas <rhillegas@apache.org>" 7 new signatures
  gpg: key B1669287: "Kathey Marsden <kmarsden@apache.org>" not changed
  gpg: key 99586C26: "Jean T. Anderson (IBM) (adding IBM email) <jander@us.ibm.com>" 2 new user IDs
  gpg: key 99586C26: "Jean T. Anderson (IBM) (adding IBM email) <jander@us.ibm.com>" 98 new signatures
  gpg: key 8E8367B1: "Satheesh Bandaram (Apache Derby Project) <satheesh@Sourcery.Org>" not changed
  gpg: can't get key from keyserver: Connection timed out
  gpg: key AB821FBC: "Andrew McIntyre <fuzzylogic@apache.org>" 3 new user IDs
  gpg: key AB821FBC: "Andrew McIntyre <fuzzylogic@apache.org>" 119 new signatures
  gpg: key AB1B7EE4: "Daniel John Debrunner <djd@debrunners.com>" not changed
  gpg: no valid OpenPGP data found.
  gpg: key AA0077B0: "Kev Jackson (apache key) <kevj@apache.org>" not changed
  gpg: key C152431A: "Steve Loughran <stevel@apache.org>" 5 new signatures
  gpg: can't get key from keyserver: Connection timed out
  gpg: key 265B4C63: "Antoine Levy-Lambert (Apache Ant Committer) <antoine@apache.org>" 4 new signatures
  gpg: key EDF62C35: "Magesh Umasankar <umagesh@apache.org>" 1 new signature
  gpg: key 307A10A5: "Henri Gomez <hgomez@users.sourceforge.net>" 7 new signatures
  gpg: key 397DCAD5: "Henri Gomez <hgomez@users.sourceforge.net>" 2 new signatures
  gpg: key 697ECEDD: "Henri Gomez <hgomez@apache.org>" 1 new user ID
  gpg: key 697ECEDD: "Henri Gomez <hgomez@apache.org>" 6 new signatures
  gpg: can't get key from keyserver: Connection timed out
  gpg: key FEECAAED: "Stefan Bodewig <bodewig@apache.org>" 19 new signatures
  gpg: Total number processed: 19
  gpg:              unchanged: 5
  gpg:           new user IDs: 7
  gpg:         new signatures: 315
  [tsakai@vixen Derby]$
  [tsakai@vixen Derby]$ echo $?
  2
  [tsakai@vixen Derby]$
  [tsakai@vixen Derby]$ gpg --update-trustdb
  gpg: checking at depth 0 signed=0 ot(-/q/n/m/f/u)=0/0/0/0/0/1
  [tsakai@vixen Derby]$
  [tsakai@vixen Derby]$ gpg --verify db-derby-10.5.1.1-src.tar.gz.asc
  gpg: Signature made Tue 14 Apr 2009 02:27:52 PM PDT using DSA key ID 37AA956A
  gpg: BAD signature from "Myrna van Lunteren <m.v.lunteren@gmail.com>"
  [tsakai@vixen Derby]$

It appears that --refresh-keys indeed did stuff, although it took
a long time (which is evidenced by "Connection timed out" messages.
That said, it didn't seem to have changed the bottom line.  I don't
like the line:
  BAD signature from "Myrna van Lunteren <m.v.lunteren@gmail.com>"
It sounds a bit ominous and definite.

Perhaps this is not something I should waste more time on?

Regards,

Tena Sakai
tsakai@gallo.ucsf.edu


-----Original Message-----
From: Myrna van Lunteren [mailto:m.v.lunteren@gmail.com]
Sent: Tue 5/19/2009 3:54 PM
To: Derby Discussion
Subject: Re: newbie confused about "verifying release"

On Tue, May 19, 2009 at 2:43 PM, Tena Sakai <tsakai@gallo.ucsf.edu> wrote:
> Hi,
>
> I am a newbie and just got started with derby.  I was doing what this page
>
> http://db.apache.org/derby/releases/release-10.5.1.1.cgi#Verifying+releases
> instructed.
>
[...snip...]
> Here are responses from the two commands:
>   [tsakai@vixen Derby]$ gpg --import KEYS
[...snip...]
>   gpg: key FFCCF7B1: "Dyre Tjeldvoll <dyre@apache.org>" not changed
>   gpg: Total number processed: 13
>   gpg:              unchanged: 13
>   [tsakai@vixen Derby]$
>   [tsakai@vixen Derby]$ gpg --verify db-derby-10.5.1.1-src.tar.gz.asc
>   gpg: Signature made Tue 14 Apr 2009 02:27:52 PM PDT using DSA key ID
> 37AA956A
>   gpg: Good signature from "Myrna van Lunteren <m.v.lunteren@gmail.com>"
>   gpg: WARNING: This key is not certified with a trusted signature!
>   gpg:          There is no indication that the signature belongs to the
> owner.
>   Primary key fingerprint: 66C3 0B69 5415 91E3 A777  F84D 0E13 F75A 37AA
> 956A
>   [tsakai@vixen Derby]$
>
> What I don't understand is at the bottom:
>   gpg: WARNING: This key is not certified with a trusted signature!
>   gpg:          There is no indication that the signature belongs to the
> owner.
>
> Can someone please clue me in?  Is this good, bad, neutral?
> Should I do something (and if so, what)?  Should I ignore and move on?
>
> Thank you in advance.
>
> Regards,
>
> Tena Sakai
> tsakai@gallo.ucsf.edu

You're not the first to ever have been confused by this. There was a
thread on our derby-developers list on this issue a long time ago, re
10.4.2.0, see:
http://www.mail-archive.com/derby-dev@db.apache.org/msg62800.html

Knut Anders' response in the final mail on that thread is helpful;
" Note that gpg told you that the signature was good. What it
warned you about, was that you didn't trust anyone who had signed Rick's
key. You can update your trust db with "gpg --update-trustdb"."

In this case, it appears it is *my* signature that is not known by
'you' or anyone 'you' (your pgp program, that is) know. But as I
understand it, that's still ok.

Myrna