incubator-odf-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Dennis E. Hamilton" <>
Subject RE: KEYS
Date Mon, 29 Apr 2013 20:11:25 GMT
 1. Unfortunately, the KEYS file is not tied to a web of trust.  Those public keys are indeed
there by themselves.  That is, folks who countersign any of those public keys and synchronize
with a PGP key-service will not have those certifications reflected automatically in KEYS.
 Someone has to know to install the KEYS file and then use their software to load the certifications
that can be found for that public key.  (At the moment, the only certification of the Florian
Hopf (CODE SIGNING KEY) is its self-signed sealing.)

 2. Another way, independent of the web of trust, is by using the public key available for
that release manager at either <> or the group
certificate file at <> once odftoolkit.asc becomes
available there.  These are bound to the credentials of recognized Apache Committers which
is much stronger than certifications of a stranger by other strangers.  In addition, those
files *are* updated from PGP key services, so any web-of-trust certifications (and, presumably,
revocations) will also be reflected in those certificates.

 3. I am curious.  For the current release candidate, I see that each artifact has an associated
.asc, .md5, and .sha.  How does a recipient of the artifact and its corresponding .asc to
know to find the necessary public key for verifying the artifact's external .asc signature?

 - Dennis

 4. PS: I also notice that, even as a committer with access to,
I cannot tell that Florian Hopf of mailinglists@ is fhopf@  I
believe it. I can't verify it. (Florian, please log onto your Apache account and update the
email addresses that you want to be recognized by.) 

-----Original Message-----
From: Rob Weir [] 
Sent: Monday, April 29, 2013 11:41
To:; Dennis Hamilton
Subject: Re: KEYS

On Mon, Apr 29, 2013 at 1:31 PM, Dennis E. Hamilton
<> wrote:
> Off-hand, I can't imagine how your public key is useful to a code-signing plug-in.
> I can confirm that the instructions for import of the KEYS certificates into GPG do work.
> My understanding is that KEYS is useful for someone who wants to verify the signatures
on releases.  In general, it is preferable for the public keys (or at least the fingerprint)
to be obtained from an independent, secure location that is uniquelly associated with the
committer whose PGP public key is sought.

That might be true of the public key was by itself.  In that case you
would only be able to tell that the signature was from someone who
claims to be Florian, but you would not know whether he really was.
But the GPG approach is based on a "web of trust" model.  If I can
confirm that your key is actually from you and you can convince me
that you are who you claim to be, then I can sign your key with my
key.  I post that info to a public keyserver, and someone else can
verify this info. And my key is then signed by someone else, etc.  So
we have a web of people asserting their trust of a given key.  So in
the end it doesn't matter where the key is actually retrieved from.
It could be on my website, in SVN, wherever.  You only trust it if you
have direct knowledge of its validity, or you trust someone who has
this knowledge, directly or via someone they directly trust.


> The files at <> qualify, since the retrieved
public keys are based on a fingerprint that requires access to your Apache Committer account
to establish.  The keys folder is kept secure by ASF Infrastructure.  Synchronization with
public key servers is automated.  Also, there is a file <>
that has all public keys for an individual project (e.g., office.asc for all committers of
Apache OpenOffice that have committer keys).
>  - Dennis
[ ... ]

View raw message