Resources:
https://infra.apache.org/release-signing.html#valid-untrusted-vs-invalid-trusted
https://infra.apache.org/release-signing.html#web-of-trust

Best,
Dave

> On Mar 18, 2022, at 1:45 PM, Interrante, John A (GE Research, US)
> <[email protected]> wrote:
>
> Yes, it's either that or it's even simpler than that. I see the same warning
> when verifying Mike's signature:
>
> interran@GH3WPL13E:/u/Downloads$ gpg --verify
> apache-daffodil-3.2.1-src.zip.asc apache-daffodil-3.2.1-src.zip
> gpg: Signature made Mon Dec 20 09:18:16 2021 PST
> gpg: using RSA key 4B6A956D3ED3650268802E37274B8F1413A680AF
> gpg: Good signature from "Michael J. Beckerle (Code Signing Key)
> <[email protected]>" [unknown]
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the owner.
> Primary key fingerprint: 4B6A 956D 3ED3 6502 6880 2E37 274B 8F14 13A6 80AF
>
> interran@GH3WPL13E:/u/Downloads$ gpg --verify
> apache-daffodil-3.3.0-src.zip.asc apache-daffodil-3.3.0-src.zip
> gpg: Signature made Thu Mar 17 13:12:45 2022 PDT
> gpg: using RSA key 85849EC0374262C7110CA74404A735FC1A36AE84
> gpg: Good signature from "John Interrante (Code Signing Key)
> <[email protected]>" [ultimate]
>
> I haven't participated in a key signing party and I'm not sure where I would
> get a trust chain to import into my key ring to verify Mike's signature
> belongs to him.
>
> John
>
> -----Original Message-----
> From: Dave Fisher <[email protected]>
> Sent: Friday, March 18, 2022 1:38 PM
> To: [email protected]
> Subject: EXT: Re: GPG signature verification warnings
>
> WARNING: This email originated from outside of GE. Please validate the
> sender's email address before clicking on links or attachments as they may
> not be safe.
>
> Mike, you probably participated in a keysigning party and John has not.
>
> Look up keysigning on www.Apache.org and have a “party” to sign his key. If
> that’s not possible right now, that’s ok.
>
> Sent from my iPhone
>
>> On Mar 18, 2022, at 1:27 PM, Mike Beckerle <[email protected]> wrote:
>>
>> When verifying GPG signatures recently I got this warning:
>>
>> gpg --verify ./apache-daffodil-3.3.0-1.noarch.rpm.asc
>> ./apache-daffodil-3.3.0-1.noarch.rpm
>> gpg: Signature made Thu 17 Mar 2022 04:12:45 PM EDT
>> gpg: using RSA key 85849EC0374262C7110CA74404A735FC1A36AE84
>> gpg: Good signature from "John Interrante (Code Signing Key) <
>> [email protected]>" [unknown]
>> gpg: WARNING: This key is not certified with a trusted signature!
>> gpg: There is no indication that the signature belongs to the
>> owner.
>> Primary key fingerprint: 8584 9EC0 3742 62C7 110C A744 04A7 35FC 1A36
>> AE84 PASSED GPG Signature Check
>>
>> Note the WARNING in the above.
>>
>> When I verify the 3.2.1 source jar (which I signed) I get:
>>
>> gpg --verify apache-daffodil-3.2.1-src.zip.asc
>> apache-daffodil-3.2.1-src.zip
>> gpg: Signature made Mon 20 Dec 2021 12:18:16 PM EST
>> gpg: using RSA key 4B6A956D3ED3650268802E37274B8F1413A680AF
>> gpg: Good signature from "Michael J. Beckerle (Code Signing Key) <
>> [email protected]>" [ultimate]
>>
>> No warning.
>>
>> So there is something different about the way my code signing key was
>> established.
>>
>> Mike Beckerle
>> Apache Daffodil PMC | daffodil.apache.org
>> OGF DFDL Workgroup Co-Chair | www.ogf.org/ogf/doku.php/standards/dfdl/dfdl
>> Owl Cyber Defense | www.owlcyberdefense.com
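As an added example (not code from this thread or from the Daffodil project), the script below applies the distinction the linked Apache page draws: gpg's "not certified with a trusted signature" warning only means the signer's key has no path in the verifier's local web of trust, so a release check should instead require a good signature whose primary key fingerprint appears in the project's published KEYS file. The status lines and the allowlist are constructed from the two fingerprints quoted in the thread; `verify_file` assumes a `gpg` binary on PATH.

```python
import re
import subprocess

# Constructed allowlist standing in for the project's published KEYS file;
# the fingerprints are the two quoted in the thread.
RELEASE_KEYS = {
    "4B6A956D3ED3650268802E37274B8F1413A680AF",  # Michael J. Beckerle
    "85849EC0374262C7110CA74404A735FC1A36AE84",  # John Interrante
}

# Constructed gpg --status-fd output for Mike's case: good signature from a key
# that is present but not certified, so gpg reports TRUST_UNDEFINED.
SAMPLE_STATUS_UNTRUSTED = [
    "[GNUPG:] GOODSIG 04A735FC1A36AE84 John Interrante (Code Signing Key)",
    "[GNUPG:] VALIDSIG 85849EC0374262C7110CA74404A735FC1A36AE84 2022-03-17 "
    "1647547965 0 4 0 1 10 00 85849EC0374262C7110CA74404A735FC1A36AE84",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
REJECT = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def verify_status(status_lines, trusted_fingerprints):
    """Return (accepted, reason). Accept only GOODSIG+VALIDSIG whose primary key
    fingerprint is allowlisted; TRUST_UNDEFINED on its own never rejects."""
    good, primary_fpr = False, None
    for line in status_lines:
        m = re.match(r"\[GNUPG:\] (\S+)(?: (.*))?$", line.strip())
        if not m:
            continue
        keyword, rest = m.group(1), m.group(2) or ""
        if keyword in REJECT:
            return False, keyword
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG":
            fields = rest.split()
            # field 0: signing (sub)key fpr; field 9: primary key fpr, when gpg emits it
            primary_fpr = fields[9] if len(fields) > 9 else fields[0]
    if not good or primary_fpr is None:
        return False, "no valid signature"
    allowed = {f.replace(" ", "").upper() for f in trusted_fingerprints}
    if primary_fpr.upper() not in allowed:
        return False, "signing key %s is not in KEYS" % primary_fpr
    return True, primary_fpr

def verify_file(sig_path, data_path, trusted_fingerprints=RELEASE_KEYS):
    """Run gpg on a real detached signature and apply the same decision."""
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", sig_path, data_path],
                          capture_output=True, text=True)
    return verify_status(proc.stdout.splitlines(), trusted_fingerprints)
```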
