Just moved SetUpGpg wiki into coho as well since that's very release process applicable. Problem is just that the github mirrors are not up-to-date yet. You can see all the docs via apache's gitweb:
https://git-wip-us.apache.org/repos/asf?p=cordova-coho.git;a=blob;f=docs/setting-up-gpg.md I've tweeted my gpg fingerprint: https://twitter.com/GrieveAndrew. Just as good as a phone call? If someone figures out how to use gpg --edit-key to fix up this message, would be good to paste the commands into setting-up-gpg.md. On Wed, Mar 5, 2014 at 9:26 PM, Carlos Santana <[email protected]> wrote: > I think I found the information here > https://www.apache.org/info/verification.html > > Based on this *"Some people are satisfied by reading the key signature over > a telephone (voice verification). "* > > Should I give you a call Andrew? :-p > > By they way shouldn't the "KEYS" file be located in the download directory > also? https://dist.apache.org/repos/dist/dev/cordova/iab/ > > > --Carlos > > > > On Wed, Mar 5, 2014 at 9:02 PM, Carlos Santana <[email protected]> > wrote: > > > With the new process in place, where is documentation on how to verify > the > > signing and key stuff > > > > Was not able to find in the repo: > > > > https://github.com/apache/cordova-coho/tree/master/docs > > > > > > > > > > On Wed, Mar 5, 2014 at 5:01 PM, Ian Clelland <[email protected] > >wrote: > > > >> I've seen that before -- it just means that you haven't declared, > >> explicitly or implicitly, that you trust that the signing key is really > >> Andrew's. > >> > >> The important line should be above that, and should say > >> > >> gpg: Good signature from "Andrew Grieve (CODE SIGNING KEY) < > >> [email protected]>" > >> > >> What you can do right now is run "gpg --fingerprint", and then have > Andrew > >> do that same, and verify that they match. Then you can safely ignore the > >> message :) > >> > >> The long term solution is to get Andrew's (and Steven's, and anyone > >> else's) > >> public key signed by some Apache folks. Apparently there's a key signing > >> party at every ApacheCon, so that'll be a good time to do it. > >> > >> > >> -------- > >> Instead of ignoring the message, you can also sign the key with your > own: > >> > >> $ gpg --edit-key [email protected] > >> > sign > >> > save > >> > >> > >> > >> On Wed, Mar 5, 2014 at 3:19 PM, Michal Mocny <[email protected]> > wrote: > >> > >> > +1 > >> > > >> > However, gpg --verify gives me: > >> > > >> > gpg: WARNING: This key is not certified with a trusted signature! > >> > gpg: There is no indication that the signature belongs to the > >> > owner. > >> > > >> > I don't recall seeing this before. I had to add your new key to verify > >> this > >> > time. > >> > > >> > -Michal > >> > > >> > > >> > On Wed, Mar 5, 2014 at 2:45 PM, Andrew Grieve <[email protected]> > >> > wrote: > >> > > >> > > Please review and vote on the release of this inappbrowser release. > >> > > > >> > > The plugin has been publish here: > >> > > https://dist.apache.org/repos/dist/dev/cordova/iab/ > >> > > > >> > > It is the same as the recently published 0.3.2, except with: > >> > > * CB-6172 Fix broken install on case-sensitive file-systems > >> > > > >> > > The packages were published from their corresponding git tags: > >> > > cordova-plugin-inappbrowser: 0.3.3 (a5dedae631) > >> > > > >> > > Upon a successful vote I will upload the archives to dist/, upload > >> them > >> > to > >> > > the Plugins Registry, and post the corresponding blog post. > >> > > > >> > > Voting will go on for a minimum of 20 hours. > >> > > > >> > > I vote +1. > >> > > > >> > > >> > > > > > > > > -- > > Carlos Santana > > <[email protected]> > > > > > > -- > Carlos Santana > <[email protected]> >
