A big +1. Everything went smoothly and successfully. And thumbs up for the documentation on the Isis site!

On Tue, Dec 18, 2012 at 9:29 PM, Dan Haywood <d...@haywood-associates.co.uk> wrote:

> other interesting reading: http://people.apache.org/~henkp/trust/
>
> you might also say that the public key might be trusted because it is
> listed on the committers' index, http://people.apache.org/list_H.html
>
> On 18 December 2012 20:25, Dan Haywood <d...@haywood-associates.co.uk> wrote:
>
> > I guess the trust comes from the fact that the KEYS file - which is
> > downloaded from the Isis repo - contains the public key which does verify
> > against the private key I used to sign the release.
> >
> > The message that it isn't trusted should be interpreted as it doesn't link
> > to a trusted root CA.
> >
> > I wonder if you had countersigned my key whether you would see the message
> > (on the basis that you presumably trust your own self-signed key)?
> >
> > On 18 December 2012 20:20, Jeroen van der Wal <jer...@stromboli.it> wrote:
> >
> >> Ok, following this procedure omits the need to specify a keyserver. Still
> >> untrusted though:
> >>
> >> gpg --import ~/Development/apache-isis/KEYS
> >> gpg: key 2FDB81B1: public key "Mark Struberg (Apache) <strub...@apache.org>" imported
> >> gpg: key 77AD2E23: "Dan Haywood (CODE SIGNING KEY) <danhayw...@apache.org>" not changed
> >> gpg: key 61459F7A: public key "Mohammad Nour (Personal GMail) <nour.moham...@gmail.com>" imported
> >> gpg: key 5124D1AB: "Jeroen Christiaan van der Wal (CODE SIGNING KEY) <jcvander...@apache.org>" not changed
> >> gpg: Total number processed: 4
> >> gpg: imported: 2 (RSA: 2)
> >> gpg: unchanged: 2
> >> gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
> >> gpg: depth: 0 valid: 3 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 3u
> >> gpg: next trustdb check due at 2015-08-18
> >> Katla:isis jvanderwal$ gpg --verify --keyserver pgp.mit.edu isis-1.0.0-source-release.asc isis-1.0.0-source-release.zip
> >> gpg: Signature made Sat 15 Dec 19:50:19 2012 CET using RSA key ID 77AD2E23
> >> gpg: Good signature from "Dan Haywood (CODE SIGNING KEY) <danhayw...@apache.org>"
> >> gpg: WARNING: This key is not certified with a trusted signature!
> >> gpg: There is no indication that the signature belongs to the owner.
> >> Primary key fingerprint: 60A6 847D 011F E674 7D8B E60D 76D7 491A 77AD 2E23
> >>
> >> On Tue, Dec 18, 2012 at 9:09 PM, Dan Haywood <d...@haywood-associates.co.uk> wrote:
> >>
> >> > On 18 December 2012 20:02, Jeroen van der Wal <jer...@stromboli.it> wrote:
> >> >
> >> > > In the output I also noticed that Dan's key is not trusted:
> >> >
> >> > Um, it *is* trusted, in that it is counter-signed by various other members
> >> > in the ASF web of trust:
> >> >
> >> > http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x76D7491A77AD2E23
> >> >
> >> > I dimly recall that there's a way to import these into your own certificate
> >> > store, the procedure might be as per [1]
> >> >
> >> > Dan
> >> >
> >> > [1] http://www.apache.org/dev/release-signing.html#keys-policy
> >> >
> >> > > Will continue with further steps.
> >> > >
> >> > > There was an error in the link to the files, fixed below.
> >> > >
> >> > > -Jeroen
> >> > >
> >> > > core:
> >> > > https://repository.apache.org/content/repositories/orgapacheisis-022/org/apache/isis/core/isis/1.0.0/isis-1.0.0-source-release.zip
> >> > > *
> >> > > https://repository.apache.org/content/repositories/orgapacheisis-022/org/apache/isis/core/isis/1.0.0/isis-1.0.0-source-release.zip.asc
> >> > >
> >> > > jdo objectstore:
> >> > > https://repository.apache.org/content/repositories/orgapacheisis-024/org/apache/isis/objectstore/isis-objectstore-jdo/1.0.0/isis-objectstore-jdo-1.0.0-source-release.zip
> >> > > *
> >> > > https://repository.apache.org/content/repositories/orgapacheisis-024/org/apache/isis/objectstore/isis-objectstore-jdo/1.0.0/isis-objectstore-jdo-1.0.0-source-release.zip.asc
> >> > >
> >> > > file security:
> >> > > https://repository.apache.org/content/repositories/orgapacheisis-025/org/apache/isis/security/isis-security-file/1.0.0/isis-security-file-1.0.0-source-release.zip
> >> > > *
> >> > > https://repository.apache.org/content/repositories/orgapacheisis-025/org/apache/isis/security/isis-security-file/1.0.0/isis-security-file-1.0.0-source-release.zip.asc
> >> > >
> >> > > wicket viewer:
> >> > > https://repository.apache.org/content/repositories/orgapacheisis-026/org/apache/isis/viewer/isis-viewer-wicket/1.0.0/isis-viewer-wicket-1.0.0-source-release.zip
> >> > > *
> >> > > https://repository.apache.org/content/repositories/orgapacheisis-026/org/apache/isis/viewer/isis-viewer-wicket/1.0.0/isis-viewer-wicket-1.0.0-source-release.zip.asc
> >> > >
> >> > > restfulobjects viewer
> >> > > https://repository.apache.org/content/repositories/orgapacheisis-027/org/apache/isis/viewer/isis-viewer-restfulobjects/1.0.0/isis-viewer-restfulobjects-1.0.0-source-release.zip
> >> > > *
> >> > > https://repository.apache.org/content/repositories/orgapacheisis-027/org/apache/isis/viewer/isis-viewer-restfulobjects/1.0.0/isis-viewer-restfulobjects-1.0.0-source-release.zip.asc
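
Added example, not part of the original thread or of the Isis release procedure: the gpg output quoted above shows a good signature made by a key that is not certified in the local trust database. The script below reads gpg's `--status-fd` lines and accepts such a signature only when the primary key fingerprint matches the one printed in the thread; the function names, verdict strings and sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and verdict strings are
# illustrative. Real use:
#   gpg --status-fd 1 --verify isis-1.0.0-source-release.zip.asc \
#       isis-1.0.0-source-release.zip 2>/dev/null | classify_status "$EXPECTED_FPR"

# Fingerprint as printed in the thread, spaces removed; confirm it out of band.
EXPECTED_FPR="60A6847D011FE6747D8BE60D76D7491A77AD2E23"

# Reads gpg status lines on stdin, prints a verdict, returns 0 only on accept.
classify_status() {
    cs_want=$1; cs_good=0; cs_bad=0; cs_fpr=""; cs_trust=UNKNOWN
    while read -r cs_tag cs_kw cs_a1 cs_rest; do
        [ "$cs_tag" = "[GNUPG:]" ] || continue
        case $cs_kw in
            GOODSIG) cs_good=1 ;;
            BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY) cs_bad=1 ;;
            # The last VALIDSIG field is the primary key fingerprint.
            VALIDSIG) cs_fpr=${cs_rest##* }; [ -n "$cs_fpr" ] || cs_fpr=$cs_a1 ;;
            TRUST_*) cs_trust=${cs_kw#TRUST_} ;;
        esac
    done
    if [ "$cs_good" -ne 1 ] || [ "$cs_bad" -ne 0 ]; then
        echo REJECT-NO-GOOD-SIG; return 1
    elif [ "$cs_fpr" != "$cs_want" ]; then
        echo REJECT-WRONG-KEY; return 1
    fi
    case $cs_trust in
        NEVER)          echo REJECT-DISTRUSTED; return 1 ;;
        FULLY|ULTIMATE) echo ACCEPT-CERTIFIED ;;  # gpg prints no warning
        *)              echo ACCEPT-PINNED ;;     # the situation in the thread
    esac
}

# Constructed status lines modelled on the verification quoted above.
sample_status() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 76D7491A77AD2E23 Dan Haywood (CODE SIGNING KEY)
[GNUPG:] VALIDSIG 60A6847D011FE6747D8BE60D76D7491A77AD2E23 2012-12-15 1355597419 0 4 0 1 2 00 60A6847D011FE6747D8BE60D76D7491A77AD2E23
[GNUPG:] TRUST_UNDEFINED
EOF
}

sample_status | classify_status "$EXPECTED_FPR"
```

ACCEPT-PINNED means the signature is cryptographically good and was made by the expected key, while the key itself still lacks a certification path in the local keyring, which is the state the warning in the thread describes.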