On Tue, Apr 5, 2022 at 7:19 PM Mark Phippard <markp...@gmail.com> wrote:

> On Tue, Apr 5, 2022 at 4:49 PM Johan Corveleyn <jcor...@gmail.com> wrote:
> >
> > Thanks all for sharing your gpg key hurdles. It saved me a lot of time
> > when I ran into the same issues while verifying Mark's signature :-).
> >
> > 1. Signature algorithm not recognized
> > -> updated my gpg to latest version (2.3.4)
>
> When I was faced with that prompt to create the key I was thinking I
> should just choose RSA but so many of the docs say not to use it.
>
> >
> > 2. keyserver problem when running 'gpg --refresh-keys'
> > -> put 'keyserver hkp://keyserver.ubuntu.com' into my
> > %APPDATA%/gnupg/gpg.conf like Julian did
> >
> > 3. Mark's key unknown
> > -> executed 'gpg --recv-key EC25FCC105618D04ADB43429C4416167349A3BCB' to
> > get it
> >
> > 4. Signature verified OK, but Mark's key not trusted, which, as Nathan
> > also said, is normal because it hasn't been cross-signed by anyone
> > in my "web of trust". Okay, it's in the KEYS file (i.e. part of the
> > Apache records for Mark's id). This is as good as we can do, so +1.
>
> I am surprised that you all try to verify to this depth. I always just
> treated the signatures like a slightly better sha1 and did a simple
> gpg --verify to see if the signature was valid? Did you all cross sign
> each other's keys at one of the old developer meetups or something?



gpg --verify checks if the key is in your web of trust automatically and
prints a warning if not, so it wasn't anything special we had to do.

Perhaps other SVN devs cross-signed each other's keys in past hackathons
but mine isn't cross signed yet. In fact I was just contemplating trying to
get to an Apachecon one of these days and going to a keysigning party.
Alternatively there are various local Linux and BSD groups I've been
wanting to check out. That might be a possibility for others who want to
expand their web of trust without having to travel out of town.

Cheers,
Nathan
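
Added example, not part of the thread: the checks in steps 3 and 4 can be scripted by reading gpg's machine-readable status lines (`gpg --status-fd 1 --verify FILE.asc FILE`) and comparing the signer's primary-key fingerprint with one pinned from the KEYS file, which is a separate question from the web-of-trust warning. The function names, the sample status lines and the second fingerprint are constructed for illustration; the pinned fingerprint is the one quoted in step 3.

```python
# Constructed example: classify `gpg --status-fd 1 --verify FILE.asc FILE` output.
PINNED = {"EC25FCC105618D04ADB43429C4416167349A3BCB"}  # fingerprint from step 3
OTHER = "0123456789ABCDEF0123456789ABCDEF01234567"      # constructed, not a real key
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}
TRUST = {"TRUST_UNDEFINED", "TRUST_NEVER", "TRUST_MARGINAL",
         "TRUST_FULLY", "TRUST_ULTIMATE"}

def parse_status(text):
    """Yield (keyword, args) for every '[GNUPG:] ' status line."""
    for line in text.splitlines():
        if line.startswith("[GNUPG:] "):
            parts = line[len("[GNUPG:] "):].split()
            if parts:
                yield parts[0], parts[1:]

def check_signature(status_text, pinned=PINNED):
    """Return (accepted, reason, trust_keyword_or_None)."""
    events = list(parse_status(status_text))
    trust = next((k for k, _ in events if k in TRUST), None)
    for keyword, _ in events:
        # Expired or revoked keys can still produce VALIDSIG, so reject first.
        if keyword in REJECT:
            return False, keyword, trust
    valid = [args for k, args in events if k == "VALIDSIG"]
    if len(valid) != 1:
        return False, "expected one VALIDSIG, got %d" % len(valid), trust
    args = valid[0]
    # Field 10 is the primary-key fingerprint; field 1 may be a signing subkey.
    primary = (args[9] if len(args) > 9 else args[0]).upper()
    if primary not in pinned:
        return False, "signer %s is not pinned" % primary, trust
    return True, "valid signature by pinned key", trust

def sample(fpr, trust):
    """Build constructed status output for a good signature by key `fpr`."""
    return "\n".join([
        "[GNUPG:] NEWSIG",
        "[GNUPG:] GOODSIG %s Constructed Signer <signer@example.invalid>" % fpr[-16:],
        "[GNUPG:] VALIDSIG %s 2022-04-05 1649190000 0 4 0 22 10 00 %s" % (fpr, fpr),
        "[GNUPG:] %s 0 pgp" % trust])

GOOD_UNTRUSTED = sample("EC25FCC105618D04ADB43429C4416167349A3BCB", "TRUST_UNDEFINED")
WRONG_KEY = sample(OTHER, "TRUST_FULLY")  # trusted in the WoT, but not the pinned key
MISSING_KEY = ("[GNUPG:] ERRSIG C4416167349A3BCB 22 10 00 1649190000 9\n"
               "[GNUPG:] NO_PUBKEY C4416167349A3BCB")

if __name__ == "__main__":
    for name in ("GOOD_UNTRUSTED", "WRONG_KEY", "MISSING_KEY"):
        print(name, check_signature(globals()[name]))
```

The first sample is the situation from step 4: accepted because the fingerprint matches, with `TRUST_UNDEFINED` reported alongside. The second is rejected even though gpg reports the key as fully trusted.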
