river-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Frank Barnaby <Frank.Barn...@Sun.COM>
Subject Re: Release Candidates -- Apache River Release v2.1.1
Date Fri, 21 Dec 2007 16:06:56 GMT

On Dec 21, 2007, at 08:33, Mark Brouwer wrote:

> Frank Barnaby wrote:
>> I assisted Jim H. create a key and then sign my key.  My local  
>> testing shows no more warnings, but it would be helpful to have  
>> someone else verify.
> In good tradition everything security related is hard, no exception  
> this
> time :-) I'm trying to verify the distribution and I need to import  
> the
> KEYS file. I wonder whether it is checked in at the right place  
> (part of
> jtsk and we also have qatest)?

I was wondering the same thing when I created the KEYS file.  I also  
questioned whether qatests will stay in its current location.  I'd be  
happy to move it up to trunk if that's the appropriate location.

> Also I tried to verify the distributions, I imported the KEYS file  
> and received the keys of Jim, Frank and Jukka but all I get is this.
> gpg --verify apache-river-2.1.1-incubating-bin.zip.asc apache- 
> river-2.1.1-incubating-bin.zip
> gpg: Signature made 12/19/07 22:24:05 using RSA key ID 86124FBC
> gpg: Good signature from "Frank Barnaby <fbarnaby@apache.org>"
> gpg:                 aka "Frank Barnaby <Frank.Barnaby@Sun.Com>"
> gpg:                 aka "Frank Barnaby (CODE SIGNING KEY) <fbarnaby@apache.org 
> >"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to  
> the owner.
> Primary key fingerprint: D074 AD05 445C 34DD 04AE  B682 19A2 FF47  
> 8612 4FBC
> So what is going wrong here?

I need to update the KEYS file now that more signatures have been  
added to the mix, but I'm not certain whether that will resolve the  
above problem.


> -- 
> Mark

View raw message