On 12/27/06, Rahul Akolkar <[EMAIL PROTECTED]> wrote:
>
> On 12/27/06, Craig McClanahan <[EMAIL PROTECTED]> wrote:
> <snip/>
> > >
> > > Done, I've added my signature to the master pom v2 in the staging
> > > repo. My key is here [1] amongst other places (I intend to add a
> > > generic UID before 1.0.4).
> > >
> > > Please verify the sig (and m2 sums). TIA.
> >
> >
> > The md5 and sha1 checksums are fine. When I try to verify the signature,
> > though:
> >
> > gpg --verify shale-master-2.pom.asc shale-master-2.pom
> >
> > I get the "Can't check signature: public key not found" error. I see that
> > your key is available (at least) on the MIT keyserver ... what's the magic
> > incantation for using such a key (without adding it to my web of trust yet
> > ... we should probably start doing key exchanges at events like ApacheCons)?
> >
> <snap/>
>
> If you save that public key block that the MIT server spits out as
> KEYS, and then a:
>
> gpg --import KEYS
>
> should do what you want. The key won't be trusted until we sign each
> others (or some mutually trusted key signs both etc.). On the --verify
> bit, you will get "key is not trusted" message after the "Good
> Signature" message.

Yep ... that worked. I got the "good signature" and "untrusted" messages.

I should have mentioned also what Wendy said ... we should follow the best practice of maintaining our KEYS file in SVN ... if I remember right, it's only on the website at the moment.

-Rahul

Craig

> -Rahul
>
> > Craig
>
> > > [1] http://people.apache.org/~rahul/rahul.asc
> > >
> > > -Rahul
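
A script that automates the verification discussed in this thread can read gpg's `--status-fd` lines rather than the human-readable messages, and compare the signing key's fingerprint with one obtained out of band, since a good signature from an untrusted key only shows that some imported key made it. This is an added example, not part of the original thread; the function name, fingerprint, key ID and sample status lines are constructed.

```shell
#!/bin/sh
# Added example: classify the status lines printed by
#   gpg --status-fd 1 --verify shale-master-2.pom.asc shale-master-2.pom
# $1 is the fingerprint expected for the signer, obtained out of band
# (for example from the project's KEYS file). Status lines arrive on stdin.
classify_gpg_status() {
    expected_fpr=$1
    good=0; nokey=0; rejected=0; trusted=0; fpr=
    while read -r tag keyword arg1 rest || [ -n "$tag" ]; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case $keyword in
            GOODSIG)   good=1 ;;
            VALIDSIG)  fpr=$arg1 ;;   # full fingerprint of the signing key
            NO_PUBKEY) nokey=1 ;;     # the "public key not found" case
            BADSIG|EXPSIG|EXPKEYSIG|REVKEYSIG) rejected=1 ;;  # bad, expired or revoked
            TRUST_MARGINAL|TRUST_FULLY|TRUST_ULTIMATE) trusted=1 ;;
        esac
    done
    if [ "$rejected" -eq 1 ]; then echo "rejected-signature"; return 1; fi
    if [ "$nokey" -eq 1 ]; then echo "missing-public-key"; return 2; fi
    if [ "$good" -ne 1 ] || [ -z "$fpr" ]; then echo "no-result"; return 4; fi
    if [ "$fpr" != "$expected_fpr" ]; then
        echo "good-signature-unexpected-key"; return 3
    fi
    if [ "$trusted" -eq 1 ]; then
        echo "good-signature-trusted-key"
    else
        echo "good-signature-untrusted-key"   # the state reached in the thread
    fi
}

# Constructed sample data (not taken from a real key or a real gpg run).
EXPECTED_FPR=0123456789ABCDEF0123456789ABCDEF01234567
# Before "gpg --import KEYS": the signing key is not in the keyring.
SAMPLE_NO_KEY='[GNUPG:] ERRSIG 89ABCDEF01234567 17 2 00 1167200000 9
[GNUPG:] NO_PUBKEY 89ABCDEF01234567'
# After the import: signature verifies, key has no trust path yet.
SAMPLE_IMPORTED="[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG $EXPECTED_FPR 2006-12-27 1167200000 0 3 0 17 2 00 $EXPECTED_FPR
[GNUPG:] TRUST_UNDEFINED"

for sample in "$SAMPLE_NO_KEY" "$SAMPLE_IMPORTED"; do
    printf '%s\n' "$sample" | classify_gpg_status "$EXPECTED_FPR" || :
done
```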