Re: [VOTE] Release Apache MINA SSHD 2.17.1

Sat, 24 Jan 2026 09:48:47 -0800 



On 23/01/2026 17:51, Thomas Wolf wrote:

On 23.01.26 09:33, Emmanuel Lecharny wrote:

Hi Thomas,


you seem to have cut the release, as it's signed by you. However I 
can't find you key (594ABF33ED102DF53F83CE43CFBB963ECC4F9C3A) on the 
MIT public key server.


Here is the message I receives when checking the key:



$ gpg --verify apache-sshd-2.17.1-src.tar.gz.asc apache-sshd-2.17.1- 
src.tar.gz

gpg: Signature made jeu. 22 janv. 2026 20:50:21 CET

gpg:                using EDDSA key 
594ABF33ED102DF53F83CE43CFBB963ECC4F9C3A

gpg: Good signature from "Thomas Wolf <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!

gpg:          There is no indication that the signature belongs to the 
owner.
Primary key fingerprint: 2D06 E413 26CC 1A82 58B1  937C 081C A8E4 186A 
A7B6
      Subkey fingerprint: 594A BF33 ED10 2DF5 3F83  CE43 CFBB 963E 
CC4F 9C3A



In the mina root the KEYS file contains this:

gpg: key 081CA8E4186AA7B6: "Thomas Wolf <[email protected]>" not changed



I'm wondering if you have recently changed your key and forgot to 
update it in KEYS?


No. Same key as for the past releases.

But the key is self-signed.


I think gpg did find my key all right, but then warns you about it being 
self-signed. It has no third-party signature by any key you trust.


Ok, makes sense.


Once upon a time, The ASF was organizing key signing party, where a few 
tens of Apache people were signing each other's key. I don't know if 
it's still a thing...





For what it's worth, I had published the key on the openpgp and ubuntu 
key servers.



Found it. I was looking for it in the MIT key server (which is notably 
lagging, it makes sense to have chose a better alternative.





If anyone doubts it's my key they can check in the SVN history who added
it to the KEYS file.



No doubt, especially as we can cross-check with the SHA512 signature anyway.

Thanks Thomas!



Cheers,

   Thomas


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]



--
------------------------
Emmanuel Lécharny
[email protected]
[email protected]
------------------------


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]























					Reply via email to