thx for this, Jeroen. Per Robert's email earlier in this thread, and also one small thing that Mark Stru noticed (off-list), I'll need to go round the loop again. So put some time aside again later in the week and hopefully next time the release will go thru...
Cheers Dan On 18 December 2012 21:44, Jeroen van der Wal <jer...@stromboli.it> wrote: > A big +1 > > Everything went smooth and successfully. And thumps up for the > documentation on Isis site! > > > On Tue, Dec 18, 2012 at 9:29 PM, Dan Haywood > <d...@haywood-associates.co.uk>wrote: > > > other interesting reading: http://people.apache.org/~henkp/trust/ > > > > you might also say that the public key might be trusted because it is > > listed on the committers' index, http://people.apache.org/list_H.html > > > > > > > > On 18 December 2012 20:25, Dan Haywood <d...@haywood-associates.co.uk> > > wrote: > > > > > I guess the trust comes from the fact that the KEYS file - which is > > > downloaded from the Isis repo - contains the public key which does > verify > > > against the private key I used to sign the release. > > > > > > The message that it isn't trusted should be interpreted as it doesn't > > link > > > to a trusted root CA. > > > > > > I wonder if you had countersigned my key whether you would see the > > message > > > (on the basis that you presumably trust your own self-signed key)? > > > > > > > > > > > > On 18 December 2012 20:20, Jeroen van der Wal <jer...@stromboli.it> > > wrote: > > > > > >> Ok, following this procedure omits the need to specify a keyserver. > > Still > > >> untrusted though: > > >> > > >> gpg --import ~/Development/apache-isis/KEYS > > >> gpg: key 2FDB81B1: public key "Mark Struberg (Apache) < > > >> strub...@apache.org>" > > >> imported > > >> gpg: key 77AD2E23: "Dan Haywood (CODE SIGNING KEY) < > > danhayw...@apache.org > > >> >" > > >> not changed > > >> gpg: key 61459F7A: public key "Mohammad Nour (Personal GMail) < > > >> nour.moham...@gmail.com>" imported > > >> gpg: key 5124D1AB: "Jeroen Christiaan van der Wal (CODE SIGNING KEY) < > > >> jcvander...@apache.org>" not changed > > >> gpg: Total number processed: 4 > > >> gpg: imported: 2 (RSA: 2) > > >> gpg: unchanged: 2 > > >> gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model > > >> gpg: depth: 0 valid: 3 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 3u > > >> gpg: next trustdb check due at 2015-08-18 > > >> Katla:isis jvanderwal$ gpg --verify --keyserver > > >> pgp.mit.eduisis-1.0.0-source-release.asc isis-1.0.0-source-release.zip > > >> gpg: Signature made Sat 15 Dec 19:50:19 2012 CET using RSA key ID > > 77AD2E23 > > >> gpg: Good signature from "Dan Haywood (CODE SIGNING KEY) < > > >> danhayw...@apache.org>" > > >> gpg: WARNING: This key is not certified with a trusted signature! > > >> gpg: There is no indication that the signature belongs to the > > >> owner. > > >> Primary key fingerprint: 60A6 847D 011F E674 7D8B E60D 76D7 491A 77AD > > >> 2E23 > > >> > > >> > > >> > > >> On Tue, Dec 18, 2012 at 9:09 PM, Dan Haywood > > >> <d...@haywood-associates.co.uk>wrote: > > >> > > >> > On 18 December 2012 20:02, Jeroen van der Wal <jer...@stromboli.it> > > >> wrote: > > >> > > > >> > > > > >> > > In the output I also noticed that Dan's key is not trusted: > > >> > > > > >> > > > > >> > Um, it *is* trusted, in that it is counter-signed by various other > > >> members > > >> > in the ASF web of trust: > > >> > > > >> > > > http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x76D7491A77AD2E23 > > >> > > > >> > > > >> > I dimly recall that there's a way to import these into your own > > >> certificate > > >> > store, the procedure might be as per [1] > > >> > > > >> > Dan > > >> > > > >> > [1] http://www.apache.org/dev/release-signing.html#keys-policy > > >> > > > >> > > > >> > > > >> > > > >> > > Will continue with further steps. > > >> > > > > >> > > There was an error in the link to the files, fixed below. > > >> > > > > >> > > -Jeroen > > >> > > > > >> > > core: > > >> > > > > >> > > > > >> > > > >> > > > https://repository.apache.org/content/repositories/orgapacheisis-022/org/apache/isis/core/isis/1.0.0/isis-1.0.0-source-release.zip > > >> > > * > > >> > > > > >> > > > > >> > > > >> > > > https://repository.apache.org/content/repositories/orgapacheisis-022/org/apache/isis/core/isis/1.0.0/isis-1.0.0-source-release.zip.asc > > >> > > jdo objectstore: > > >> > > > > >> > > > > >> > > > >> > > > https://repository.apache.org/content/repositories/orgapacheisis-024/org/apache/isis/objectstore/isis-objectstore-jdo/1.0.0/isis-objectstore-jdo-1.0.0-source-release.zip > > >> > > * > > >> > > > > >> > > > > >> > > > >> > > > https://repository.apache.org/content/repositories/orgapacheisis-024/org/apache/isis/objectstore/isis-objectstore-jdo/1.0.0/isis-objectstore-jdo-1.0.0-source-release.zip.asc > > >> > > file security: > > >> > > > > >> > > > > >> > > > >> > > > https://repository.apache.org/content/repositories/orgapacheisis-025/org/apache/isis/security/isis-security-file/1.0.0/isis-security-file-1.0.0-source-release.zip > > >> > > * > > >> > > > > >> > > > > >> > > > >> > > > https://repository.apache.org/content/repositories/orgapacheisis-025/org/apache/isis/security/isis-security-file/1.0.0/isis-security-file-1.0.0-source-release.zip.asc > > >> > > wicket viewer: > > >> > > > > >> > > > > >> > > > >> > > > https://repository.apache.org/content/repositories/orgapacheisis-026/org/apache/isis/viewer/isis-viewer-wicket/1.0.0/isis-viewer-wicket-1.0.0-source-release.zip > > >> > > * > > >> > > > > >> > > > > >> > > > >> > > > https://repository.apache.org/content/repositories/orgapacheisis-026/org/apache/isis/viewer/isis-viewer-wicket/1.0.0/isis-viewer-wicket-1.0.0-source-release.zip.asc > > >> > > restfulobjects viewer > > >> > > > > >> > > > > >> > > > >> > > > https://repository.apache.org/content/repositories/orgapacheisis-027/org/apache/isis/viewer/isis-viewer-restfulobjects/1.0.0/isis-viewer-restfulobjects-1.0.0-source-release.zip > > >> > > * > > >> > > > > >> > > > > >> > > > >> > > > https://repository.apache.org/content/repositories/orgapacheisis-027/org/apache/isis/viewer/isis-viewer-restfulobjects/1.0.0/isis-viewer-restfulobjects-1.0.0-source-release.zip.asc > > >> > > > > >> > > > > >> > > > > >> > > > >> > > > > > > > > >
