river-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Brouwer <mark.brou...@cheiron.org>
Subject Re: Release Candidates -- Apache River Release v2.1.1
Date Fri, 21 Dec 2007 13:33:49 GMT
Frank Barnaby wrote:

> I assisted Jim H. create a key and then sign my key.  My local testing 
> shows no more warnings, but it would be helpful to have someone else 
> verify.

In good tradition everything security related is hard, no exception this
time :-) I'm trying to verify the distribution and I need to import the
KEYS file. I wonder whether it is checked in at the right place (part of
jtsk and we also have qatest)?

Also I tried to verify the distributions, I imported the KEYS file and 
received the keys of Jim, Frank and Jukka but all I get is this.

gpg --verify apache-river-2.1.1-incubating-bin.zip.asc 
apache-river-2.1.1-incubating-bin.zip
gpg: Signature made 12/19/07 22:24:05 using RSA key ID 86124FBC
gpg: Good signature from "Frank Barnaby <fbarnaby@apache.org>"
gpg:                 aka "Frank Barnaby <Frank.Barnaby@Sun.Com>"
gpg:                 aka "Frank Barnaby (CODE SIGNING KEY) 
<fbarnaby@apache.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the 
owner.
Primary key fingerprint: D074 AD05 445C 34DD 04AE  B682 19A2 FF47 8612 4FBC

So what is going wrong here?
-- 
Mark


Mime
View raw message