flex-dev mailing list archives

From Justin Mclean <jus...@classsoftware.com>
Subject Re: [DISCUSS] Discuss Release Apache Flex PixelBender Package 1.0
Date Tue, 17 Dec 2013 03:15:40 GMT

Have the releases been signed with a correct key?

Asking as [1] says: "It is recommended that your Apache email address is used as the primary
User-ID for the code signing key". The artefacts are signed by the aharui@adobe.com key F8502A44,
which is obviously not an Apache email address.

If you ignore [1] (it's only recommended), the KEYS file contains the key C9383D43 with a
sub key of F8502A44. Looking up aharui@adobe.com here [2] gives me the id C9383D43, not F8502A44.
So it looks like it's been signed with the sub key and not the public key. My (limited) understanding
was that public keys are used for signing and sub keys for encryption. Does this matter? Not
100% sure, but [3] + [4] seem to imply that there might be an issue here.


1. http://www.apache.org/dev/release-signing.html#user-id
2. http://pgp.mit.edu/pks/lookup?search=aharui%40adobe.com&op=index
3. http://www.apache.org/dev/release-signing.html#subkey
4. http://www.gnupg.org/faq/subkey-cross-certify.html
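The checks the mail walks through by hand (which record the signing key ID belongs to, what capabilities gpg lists for that record, and whether the primary key carries an apache.org User-ID) can be read straight from `gpg --with-colons --list-keys` output. The script below is an added example, not part of the original mail or the Flex project; the key listing it parses is constructed, with only the short IDs C9383D43 / F8502A44 and the aharui@adobe.com address taken from the mail, and the 16-character long IDs, dates and fingerprint are placeholders.

```python
# Added example: relate a release signature's key ID to the KEYS file using
# the machine-readable `gpg --with-colons --list-keys` record format.
# Field 5 is the 16-char key ID, field 10 the User-ID, field 12 the key's
# own capabilities (lowercase: e=encrypt, s=sign, c=certify, a=auth).
# The listing is CONSTRUCTED: long IDs, dates and fingerprint are placeholders.
CONSTRUCTED_LISTING = """\
pub:-:4096:1:00000000C9383D43:1300000000:::-:::scESC:
fpr:::::::::0000000000000000000000000000000000000000:
uid:-::::1300000000::0000::aharui@adobe.com::::::::::0:
sub:-:4096:1:00000000F8502A44:1300000000::::::s:
"""


def parse_keys(listing):
    """Map each long key ID to its record type, capabilities, primary key and UIDs."""
    keys, primary = {}, None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            primary = f[4]
            keys[primary] = {"type": "pub", "caps": f[11], "primary": primary, "uids": []}
        elif f[0] == "uid" and primary:
            keys[primary]["uids"].append(f[9])
        elif f[0] == "sub" and primary:
            # Subkeys are listed under the preceding pub record.
            keys[f[4]] = {"type": "sub", "caps": f[11], "primary": primary, "uids": []}
    return keys


def check_signing_key(listing, short_id):
    """Answer the mail's questions for a signature made with `short_id`."""
    keys = parse_keys(listing)
    matches = [k for k in keys if k.upper().endswith(short_id.upper())]
    if len(matches) != 1:
        # Not in the KEYS file, or an ambiguous short ID: either is a red flag.
        return {"found": False, "matches": len(matches)}
    rec = keys[matches[0]]
    uids = keys[rec["primary"]]["uids"]
    return {
        "found": True,
        "is_subkey": rec["type"] == "sub",
        "primary_short_id": rec["primary"][-8:],
        # Lowercase 's' means gpg lists this particular (sub)key as signing-capable.
        "can_sign": "s" in rec["caps"],
        # Recommendation from release-signing.html#user-id: primary UID at apache.org.
        "apache_uid": any("@apache.org" in u.lower() for u in uids),
    }


if __name__ == "__main__":
    print(check_signing_key(CONSTRUCTED_LISTING, "F8502A44"))
```

To run this against a real release, import the KEYS file with `gpg --import KEYS`, capture `gpg --with-colons --list-keys`, and pass it with the key ID that `gpg --verify` reports for the artefact.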