When verifying GPG signatures recently I got this warning:

gpg --verify ./apache-daffodil-3.3.0-1.noarch.rpm.asc ./apache-daffodil-3.3.0-1.noarch.rpm
gpg: Signature made Thu 17 Mar 2022 04:12:45 PM EDT
gpg:                using RSA key 85849EC0374262C7110CA74404A735FC1A36AE84
gpg: Good signature from "John Interrante (Code Signing Key) <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8584 9EC0 3742 62C7 110C  A744 04A7 35FC 1A36 AE84
PASSED GPG Signature Check

Note the WARNING in the above.

When I verify the 3.2.1 source jar (which I signed) I get:

gpg --verify apache-daffodil-3.2.1-src.zip.asc apache-daffodil-3.2.1-src.zip
gpg: Signature made Mon 20 Dec 2021 12:18:16 PM EST
gpg:                using RSA key 4B6A956D3ED3650268802E37274B8F1413A680AF
gpg: Good signature from "Michael J. Beckerle (Code Signing Key) <[email protected]>" [ultimate]

No warning.

So there is something different about the way my code signing key was
established.

Mike Beckerle
Apache Daffodil PMC | daffodil.apache.org
OGF DFDL Workgroup Co-Chair | www.ogf.org/ogf/doku.php/standards/dfdl/dfdl
Owl Cyber Defense | www.owlcyberdefense.com
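Added example, not part of the thread above. The [unknown] / [ultimate] annotations and the "not certified" WARNING come from gpg's owner-trust calculation, which is a property of the verifier's own keyring, not of the signature: a key you generated yourself carries ultimate trust, while a key imported from a project KEYS file stays at "undefined" until you certify it. In machine-readable form gpg reports this as a TRUST_* line on `--status-fd`. The script below parses `gpg --status-fd 1 --verify` output and accepts a release only when the signature is good, the primary key fingerprint matches one pinned from the KEYS file, and the trust level meets a threshold. The two status blobs and the KEYS fingerprint set are constructed for this example (timestamps are made up, e-mail addresses are placeholders); the fingerprints are the ones quoted in the message.

```python
"""Classify `gpg --status-fd 1 --verify <sig> <file>` output for release checks.

Constructed example: the status lines below mimic gpg's machine-readable output
for the two verifications quoted in the message (timestamps and UIDs made up).
"""
from typing import List, Optional, Set

# One TRUST_* line is emitted per verified signature. Ordered lowest to highest;
# TRUST_NEVER is an explicit "do not trust" and sits at the bottom.
TRUST_LEVELS: List[str] = [
    "TRUST_NEVER",
    "TRUST_UNDEFINED",  # shown as [unknown]; triggers the "not certified" WARNING
    "TRUST_MARGINAL",
    "TRUST_FULLY",      # a key you have (locally) signed
    "TRUST_ULTIMATE",   # shown as [ultimate]; your own secret keys
]

# Constructed stand-in for fingerprints copied from the project's KEYS file,
# in the spaced form gpg prints them.
KEYS_FILE_FPRS: Set[str] = {
    "8584 9EC0 3742 62C7 110C  A744 04A7 35FC 1A36 AE84",
    "4B6A 956D 3ED3 6502 6880  2E37 274B 8F14 13A6 80AF",
}

# Constructed status output for the 3.3.0 rpm: good signature, uncertified key.
STATUS_UNKNOWN_KEY = """\
[GNUPG:] NEWSIG
gpg: Signature made Thu 17 Mar 2022 04:12:45 PM EDT
[GNUPG:] GOODSIG 04A735FC1A36AE84 John Interrante (Code Signing Key) <redacted@example.invalid>
[GNUPG:] VALIDSIG 85849EC0374262C7110CA74404A735FC1A36AE84 2022-03-17 1647547965 0 4 0 1 8 00 85849EC0374262C7110CA74404A735FC1A36AE84
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Constructed status output for the 3.2.1 source zip: signed with the verifier's own key.
STATUS_OWN_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 274B8F1413A680AF Michael J. Beckerle (Code Signing Key) <redacted@example.invalid>
[GNUPG:] VALIDSIG 4B6A956D3ED3650268802E37274B8F1413A680AF 2021-12-20 1640020696 0 4 0 1 8 00 4B6A956D3ED3650268802E37274B8F1413A680AF
[GNUPG:] TRUST_ULTIMATE 0 pgp
"""


class VerifyResult:
    def __init__(self) -> None:
        self.good = False                        # GOODSIG seen, no BADSIG/ERRSIG/EXP*/REV*
        self.fingerprint: Optional[str] = None   # primary key fingerprint from VALIDSIG
        self.trust: Optional[str] = None         # TRUST_* keyword
        self.uid: Optional[str] = None


def parse_status(status_text: str) -> VerifyResult:
    """Pull verdict, fingerprint and trust level out of the [GNUPG:] status lines."""
    res = VerifyResult()
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # human-readable chatter; only status lines are stable
        fields = line.split()
        keyword = fields[1]
        if keyword == "GOODSIG":
            res.good = True
            res.uid = " ".join(fields[3:])
        elif keyword in ("BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"):
            res.good = False
        elif keyword == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <exp> <ver> <res> <pk-algo> <hash> <class> [<primary-fpr>]
            res.fingerprint = fields[-1] if len(fields) >= 12 else fields[2]
        elif keyword in TRUST_LEVELS:
            res.trust = keyword
    return res


def normalize_fpr(fpr: str) -> str:
    return fpr.replace(" ", "").upper()


def accept(res: VerifyResult, expected_fprs: Set[str], min_trust: str = "TRUST_FULLY") -> bool:
    """Good signature AND pinned fingerprint AND trust at or above the threshold."""
    if not res.good or res.fingerprint is None or res.trust is None:
        return False
    if normalize_fpr(res.fingerprint) not in {normalize_fpr(f) for f in expected_fprs}:
        return False
    return TRUST_LEVELS.index(res.trust) >= TRUST_LEVELS.index(min_trust)


def explain(res: VerifyResult) -> str:
    """Plain-language reading of the result, matching gpg's own wording."""
    if not res.good:
        return "signature is NOT valid; reject the artifact"
    if res.trust in ("TRUST_FULLY", "TRUST_ULTIMATE"):
        return "valid signature by a key your keyring trusts (%s)" % res.trust
    return ("valid signature, but the key is not certified in your keyring (%s): "
            "compare the fingerprint with the project's KEYS file, then locally "
            "sign the key so gpg reports it as trusted" % res.trust)


if __name__ == "__main__":
    for label, blob in (("3.3.0 rpm", STATUS_UNKNOWN_KEY), ("3.2.1 src", STATUS_OWN_KEY)):
        r = parse_status(blob)
        print(label, "->", explain(r), "| accepted:", accept(r, KEYS_FILE_FPRS))
```

With the default threshold the 3.3.0 check is rejected even though the signature itself is good, which is the automated equivalent of the WARNING. Passing `min_trust="TRUST_UNDEFINED"` accepts it on the strength of the pinned fingerprint alone, which is the right policy when the KEYS file is the trust anchor and the local keyring is disposable (CI runners); the pinning is what carries the security, the trust level only records whether the verifier has certified the key.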
