> Should this bother us?

Yes and no. The important message is “Good signature from <expected person>”. To validate my key, compare its fingerprint with this authoritative database: https://people.apache.org/keys/committer/ . Compare the full 40-character key fingerprint, not just the last 8 characters.

WARNING: In the good old days we used an 8-character (4-byte) fingerprint to ID the key, and figured that was sufficient. Well, the MIT Public Key Server (https://pgp.mit.edu/ ) contains evidence that it isn’t. There are fake keys for many Apache people, including myself (!), in there alongside our real ones, with the SAME 8-character fingerprint, signed by fakes of the same people who signed my real one, also with matching 8-char fingerprints. (The fakes were revoked en masse last year when found.) What you have to do is use AT LEAST 16-character and preferably the full 40-character fingerprints, which are exponentially more difficult to fake. The 16-char fingerprint of fake me in the MIT key server (6128A936 ECB31663) is different than my real 16-char fingerprint (4169AA27 ECB31663).

The warning about “This key is not certified with a trusted signature” has to do with the state of your personal “web of trust” on your local server, not the state of my signature key.

A full technical discussion of the problem from Apache is here: https://www.apache.org/dev/release-signing.html (the info, including the definition of “web of trust” and how you get one) and here: https://httpd.apache.org/dev/verification.html (the nasty potential problem with key verification with short fingerprints). The latter doc gives the link to an objective place where you can confirm Apache committer keys: https://people.apache.org/keys/committer/ . Apache INFRA has secured this page as best they can. The best thing is still to establish your own web of trust, which mostly can’t be hacked.

TL;DR, for a shorter explanation try here: https://security.stackexchange.com/questions/147447/gpg-why-is-my-trusted-key-not-certified-with-a-trusted-signature .

Basically, a key is only trusted if your and my webs of trust have a trusted overlap. In particular, my key is signed by Owen O’Malley and Mahadev Konar. Your personal gpg key (you have one, right? :-) would have to have signed / been signed by myself and/or one of Owen or Mahadev, in order for my key to be directly “trusted” on your system. This can be expanded through transitive trust, hence the “web” of trust – but you have to have loaded all the trusted keys in between into your keychain or gpg db on your local server.

There’s also a possible message “gpg: no ultimately trusted keys found”, which is a matter of whether you’ve expressed that level of trust by manually adding it to your gpg db – which there is no requirement for you to do, although some key generators automatically express “ultimate trust” in your own key when you add it to your keyring.

Cheers,
--Matt

On 6/27/17, 3:04 PM, "Otto Fowler" <[email protected]> wrote:

> Matt,
> Should this bother us?
>
> gpg: Signature made Tue Jun 27 13:50:58 2017 EDT using RSA key ID ECB31663
> gpg: Good signature from "Matthew Foley (CODE SIGNING KEY) <[email protected]>" [unknown]
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the owner.
> Primary key fingerprint: 7854 36A7 8258 6B71 829C 67A0 4169 AA27 ECB3 1663
>
> On June 27, 2017 at 14:36:07, Matt Foley ([email protected]) wrote:
>
>> This is a call to vote on releasing this rc4 as “Apache Metron 0.4.0”.
>> (Note: this is rc4 because the release candidate needed to be modified with another commit after the rc3 tag was pushed to public.)
>>
>> Full list of changes in this release:
>> https://dist.apache.org/repos/dist/dev/metron/0.4.0-RC4/RELEASE_NOTES
>>
>> The tag/commit to be voted upon is:
>> d52f574f8294e453ecad3871526858a0c3c2033d (tag apache-metron-0.4.0-rc4)
>>
>> The source archive being voted upon can be found here:
>> https://dist.apache.org/repos/dist/dev/metron/0.4.0-RC4/apache-metron-0.4.0-rc4.tar.gz
>> and in github at:
>> https://github.com/apache/metron/tree/Metron_0.4.0
>>
>> Other release files, signatures and digests can be found here:
>> https://dist.apache.org/repos/dist/dev/metron/0.4.0-RC4/KEYS
>>
>> The release artifacts are signed with the following key:
>> https://dist.apache.org/repos/dist/dev/metron/0.4.0-RC4/KEYS
>>
>> pub   rsa4096/4169AA27ECB31663 2011-07-31 [SCEA]
>>       Key fingerprint = 7854 36A7 8258 6B71 829C 67A0 4169 AA27 ECB3 1663
>> uid = Matthew Foley (CODE SIGNING KEY) <[email protected]>
>>
>> Please vote on releasing this package as Apache Metron 0.4.0. When voting, please list the actions taken to verify the release.
>>
>> Recommended build validation and verification instructions are posted here:
>> https://cwiki.apache.org/confluence/display/METRON/Verifying+Builds
>>
>> This vote will be open for at least 72 hours. Please vote one of the following responses:
>>
>> +1 Release this package as Apache Metron 0.4.0-RC4
>> 0 No opinion
>> -1 Do not release this package because...
>>
>> Thank you,
>> --Matt
>> (your friendly release manager)
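Added example (Python; not code from the mail thread or the Metron project) of the check Matt describes: take the full 40-hex-digit fingerprint that gpg prints and compare it with the published one, and see why a match on the 8-character key ID alone proves nothing. The `gpg --verify` output is the one quoted in the thread. The `gpg --with-colons --fingerprint` key listing is constructed: the first key's records use the fingerprint and 2011-07-31 creation date from the vote mail, while the second, look-alike key takes only its 16-character ID (6128A936ECB31663) from the mail and its leading 24 hex digits are made up. The redacted address is kept as the page shows it.

```python
"""Check a signer's full 160-bit fingerprint, not just the short key ID.

Added example, not from the thread or the project. Parses two things gpg
prints: the human-readable `gpg --verify` output and the machine-readable
`gpg --with-colons --fingerprint --list-keys` listing.
"""
import re
from typing import Dict, List, Optional

# Authoritative fingerprint published in the vote mail / KEYS file.
EXPECTED_FPR = "7854 36A7 8258 6B71 829C 67A0 4169 AA27 ECB3 1663"

# `gpg --verify` output as quoted in the thread (address redacted as on the page).
VERIFY_OUTPUT = """\
gpg: Signature made Tue Jun 27 13:50:58 2017 EDT using RSA key ID ECB31663
gpg: Good signature from "Matthew Foley (CODE SIGNING KEY) <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 7854 36A7 8258 6B71 829C 67A0 4169 AA27 ECB3 1663
"""

# CONSTRUCTED listing. Key 1: fingerprint/date from the vote mail. Key 2: a
# look-alike whose 16-char ID is from the mail; its first 24 hex digits are
# invented. Both end in ECB31663, so the 8-char key ID cannot tell them apart.
KEY_LISTING = """\
pub:u:4096:1:4169AA27ECB31663:1312070400:::u:::scESCA::::::23::0:
fpr:::::::::785436A782586B71829C67A04169AA27ECB31663:
uid:u::::1312070400::HASH::Matthew Foley (CODE SIGNING KEY) <[email protected]>::::::::::0:
pub:-:4096:1:6128A936ECB31663:1400000000:::-:::scESCA::::::23::0:
fpr:::::::::0123456789ABCDEF012345676128A936ECB31663:
uid:-::::1400000000::HASH::Matthew Foley (CODE SIGNING KEY) <[email protected]>::::::::::0:
"""


def normalize(fpr: str) -> str:
    """Drop the 4-digit grouping spaces and upper-case, so both spellings compare equal."""
    return re.sub(r"\s+", "", fpr).upper()


def fingerprint_from_verify(output: str) -> Optional[str]:
    """Extract the 'Primary key fingerprint:' line that gpg --verify prints."""
    m = re.search(r"^Primary key fingerprint:\s*([0-9A-Fa-f ]+)$", output, re.M)
    return normalize(m.group(1)) if m else None


def parse_listing(listing: str) -> List[dict]:
    """Group pub/fpr/uid records of a --with-colons listing into one dict per key.

    Field 5 of a pub record is the 16-hex long key ID; field 10 of an fpr
    record is the full fingerprint; field 10 of a uid record is the user ID.
    """
    keys: List[dict] = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keys.append({"keyid": f[4], "fpr": None, "uids": []})
        elif f[0] == "fpr" and keys:
            keys[-1]["fpr"] = f[9]
        elif f[0] == "uid" and keys:
            keys[-1]["uids"].append(f[9])
    return keys


def matches(fpr: Optional[str], expected: str, nhex: int = 40) -> bool:
    """Compare the trailing nhex hex digits: 8 = short key ID, 16 = long ID, 40 = full."""
    if fpr is None:
        return False
    a, b = normalize(fpr), normalize(expected)
    return len(a) >= nhex and len(b) >= nhex and a[-nhex:] == b[-nhex:]


def candidate_keys(listing: str, expected: str) -> Dict[str, Dict[int, bool]]:
    """For every key in the listing, does it match the expected key at 8, 16 and 40 digits?"""
    return {k["keyid"]: {n: matches(k["fpr"], expected, n) for n in (8, 16, 40)}
            for k in parse_listing(listing)}


def signer_is_expected(verify_output: str, expected: str) -> bool:
    """The check to gate a release on: the full fingerprint gpg reports equals the published one."""
    fpr = fingerprint_from_verify(verify_output)
    return fpr is not None and len(fpr) == 40 and fpr == normalize(expected)


if __name__ == "__main__":
    print("signer ok:", signer_is_expected(VERIFY_OUTPUT, EXPECTED_FPR))
    for keyid, res in candidate_keys(KEY_LISTING, EXPECTED_FPR).items():
        print(keyid, "8:", res[8], "16:", res[16], "40:", res[40])
```

Only the 40-digit comparison in `signer_is_expected` should gate anything; `candidate_keys` is there to make the point of the mail visible: the look-alike key is indistinguishable at 8 characters and only falls away at 16 and 40. In a real verification the `Primary key fingerprint` line comes from `gpg --verify file.asc file`, and the expected value from the project's KEYS file or https://people.apache.org/keys/committer/ , not from the key server that served the key.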
