river-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Craig L Russell <Craig.Russ...@Sun.COM>
Subject Re: Apache release signing on Solaris 10
Date Mon, 04 Jan 2010 17:06:46 GMT
Hi Peter,

 From my perspective, you're good to go. The signature you made checks  
out.

You'll need to put your public key into the svn repository associated  
with the river project (if you need details after looking around, let  
me know -- I'm a little hazy on the details).

And I guess you're still awaiting a response whether your key is good  
enough. Robert, any feedback?

clr% gpg --fingerprint 1CC8406F
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   2  signed:  69  trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: depth: 1  valid:  69  signed:  39  trust: 17-, 24q, 0n, 0m, 28f, 0u
gpg: depth: 2  valid:  20  signed:  20  trust: 7-, 11q, 0n, 0m, 2f, 0u
gpg: depth: 3  valid:   1  signed:   0  trust: 1-, 0q, 0n, 0m, 0f, 0u
gpg: next trustdb check due at 2011-06-22
pub   4096R/1CC8406F 2010-01-01 [expires: 2012-01-01]
       Key fingerprint = 316D 7FF5 D89E 3090 64E2  7BAA AE46 E725 1CC8  
406F
uid                  Peter Firmstone (Engineer) <peter.firmstone@zeus.net.au 
 >
sub   4096R/DBF67B3D 2010-01-01 [expires: 2012-01-01]

[CraigRussell:~] clr% gpg --verify LICENSE.asc
gpg: Signature made Sun Jan  3 17:57:16 2010 PST using RSA key ID  
1CC8406F
gpg: Good signature from "Peter Firmstone (Engineer) <peter.firmstone@zeus.net.au 
 >"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the  
owner.
Primary key fingerprint: 316D 7FF5 D89E 3090 64E2  7BAA AE46 E725 1CC8  
406F

Craig

On Jan 3, 2010, at 11:11 PM, Peter Firmstone wrote:

> Oh yes of course, my apologies.
>
> It should be available now on subkeys.pgp.net and keys.gnupg.net
>
> I'll upload it to my home directory on people.apache.org later too.
>
> Cool receiving assistance from someone who has contributed much.
>
> Thanks again,
>
> Peter.
>
>
>
> Craig L Russell wrote:
>> Hi Peter,
>>
>> Have you uploaded your public key?
>>
>> gpg --verify LICENSE.asc
>> gpg: Signature made Sun Jan  3 17:57:16 2010 PST using RSA key ID  
>> 1CC8406F
>> gpg: Can't check signature: public key not found
>> [CraigRussell:~] clr% gpg --recv-keys 1CC8406F
>> gpg: requesting key 1CC8406F from hkp server subkeys.pgp.net
>> gpgkeys: key 1CC8406F not found on keyserver
>> gpg: no valid OpenPGP data found.
>> gpg: Total number processed: 0
>>
>> What we know is that you have a key and it made a signature file.  
>> What we don't know is if the signature matches your key.
>>
>> Craig
>>
>> On Jan 3, 2010, at 6:04 PM, Peter Firmstone wrote:
>>
>>> Thanks Craig,
>>>
>>> LICENSE.asc of LICENSE in trunk of Apache River attached.
>>>
>>> Cheers,
>>>
>>> Peter.
>>>
>>> Craig L Russell wrote:
>>>> Hi Peter,
>>>>
>>>> The only reason *not* to use 1.4.10 IMHO is if the generated  
>>>> artifacts somehow are incompatible with other GPG programs out  
>>>> there.
>>>>
>>>> If you want to create an example .asc from some file that you  
>>>> have in your public directory, I'd be happy to verify that it  
>>>> works.
>>>>
>>>> Craig
>>>
>>
>> Craig L Russell
>> Architect, Sun Java Enterprise System http://db.apache.org/jdo
>> 408 276-5638 mailto:Craig.Russell@sun.com
>> P.S. A good JDO? O, Gasp!
>>
>>
>

Craig L Russell
Architect, Sun Java Enterprise System http://db.apache.org/jdo
408 276-5638 mailto:Craig.Russell@sun.com
P.S. A good JDO? O, Gasp!


Mime
View raw message