For tracking the [TESTING] of the 4.1.2-patch1 binary for Windows, I have 
created task Issue 127065,
<https://bz.apache.org/ooo/show_bug.cgi?id=127065>.  Comment 7 there already 
speaks to the untrusted identification situation.

I am adding an abridged version of this message from Carl with the part 
relevant to certificate trust.  Note that most of us who have worked on 
4.1.2-patch1 and provided digital signatures will find that identity will be 
reported as untrusted based on the Web-of-Trust technique PGP software uses.  
We can, of course, verify the fingerprints and Apache account identity and 
certify each other.  That will change the status for those of us in this 
particular circle but not necessarily for anyone who does not already trust the 
identification of enough of us.

I don't think there is any way to get into this in our README files.  However, 
this is useful for any future contributions we might make to the page at 
<http://www.apache.org/dev/release-signing.html> or anything supplemental that 
is oriented to the users of Apache OpenOffice and their particular range of 
skills.

> -----Original Message-----
> From: Carl Marcum [mailto:cmar...@apache.org]
> Sent: Friday, August 5, 2016 03:30
> To: d...@openoffice.apache.org
> Subject: Re: [TESTING] Applying openoffice-4.1.2-patch1 for Windows
> 
> On 08/04/2016 06:52 PM, Marcus wrote:
> > Am 08/05/2016 12:26 AM, schrieb Kay Schenk:
> >> On 08/04/2016 02:21 PM, Marcus wrote:
[ ... ]
> >>>>    * apache-openoffice-4.1.2-patch1-apply-Win_x86.zip.asc
> >>>
> >>> I don't know if this is OK or still bad:
> >>>
> >>> gpg --verify apache-openoffice-4.1.2-patch1-apply-Win_x86.zip.asc apache-openoffice-4.1.2-patch1-apply-Win_x86.zip
> >>> gpg: Signature made Tue 02 Aug 2016 06:24:08 AM CEST using RSA key ID D456628A
> >>> gpg: Good signature from "keybase.io/orcmid (confirmed identifier) <orc...@keybase.io>"
> >>> gpg:                 aka "orcmid (Dennis E. Hamilton)<orc...@msn.com>"
> >>> gpg:                 aka "orcmid Apache (code signing)<orc...@apache.org>"
> >>> gpg:                 aka "Dennis E. Hamilton (orcmid) <dennis.hamil...@acm.org>"
> >>> gpg: WARNING: This key is not certified with a trusted signature!
> >>> gpg:          There is no indication that the signature belongs to the owner.
> >>
> >> I get this on sig checks also. There's probably a step we're missing to
> >> specify "trust" locally.
> >>
> >> See:
> >> http://www.apache.org/dev/release-signing.html
> >
> 
> Signing Dennis' key locally worked for me.
> On Linux I use:
> gpg --default-key 9553BF9A --sign-key D456628A
> 
> If the key you want to sign it with is already the default key you can
> omit the "--default-key 9553BF9A" part.
> Sometimes you may have to prefix the ID's with "0x" to denote hex.
> 
> If you trust this is Dennis' key you can send his key back with your sig
> now attached and it will have more trust.
> gpg --send-key 0xD456628A
> 
> If a few people do it the warning should go away. Web-of-trust  :)
> 
> Carl
[orcmid] 

The warning will go away for us who have created a mutual Web-of-Trust but it 
won't help those who are not in that circle or have not somehow determined to 
trust in it themselves.  This is still useful advice about how to do it.

PS: I don't think the dist-level KEYS file is updated automatically, so the 
release KEYS set needs to be refreshed to work.  (We can check that by waiting 
for a while to see if Carl's trust of Dennis's key shows up.)
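Added example, not part of this thread: a small Python parser for gpg's machine-readable status lines (obtained with `gpg --status-fd 1 --verify file.asc file`) that separates "good signature" from "trusted signer", which is exactly the distinction behind the warning quoted above, and lets a verifier pin fingerprints copied out of the KEYS file instead of depending on the web of trust. The status text and the fingerprint below are constructed placeholders, not the real key's data.

```python
from dataclasses import dataclass

# Constructed gpg --status-fd output for the case quoted in the thread (good signature, key
# not certified). The fingerprint is a placeholder that merely ends in the thread's short
# key ID D456628A; it is not the real key's fingerprint.
FPR_PLACEHOLDER = "0123456789ABCDEF0123456789ABCDEFD456628A"
STATUS_GOOD_UNTRUSTED = (
    "[GNUPG:] NEWSIG\n"
    f"[GNUPG:] GOODSIG {FPR_PLACEHOLDER[-16:]} orcmid Apache (code signing) <orc...@apache.org>\n"
    f"[GNUPG:] VALIDSIG {FPR_PLACEHOLDER} 2016-08-02 1470111848 0 4 0 1 8 00 {FPR_PLACEHOLDER}\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"
)
# The same signature once the verifying user has certified the key (what --sign-key changes).
STATUS_GOOD_TRUSTED = STATUS_GOOD_UNTRUSTED.replace("TRUST_UNDEFINED", "TRUST_FULLY")

@dataclass
class VerifyResult:
    good: bool        # GOODSIG seen and no BADSIG/ERRSIG/EXPKEYSIG/REVKEYSIG
    fingerprint: str  # primary-key fingerprint from VALIDSIG ("" if none)
    trust: str        # gpg's TRUST_* level: UNDEFINED, NEVER, MARGINAL, FULLY, ULTIMATE ("" if none)
    pinned: bool      # fingerprint is one the caller expects, e.g. copied out of KEYS

def parse_status(status_text, expected_fprs=frozenset()):
    good, bad, fpr, trust = False, False, "", ""
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue  # human-readable gpg output, not a status line
        kw = parts[1]
        if kw == "GOODSIG":
            good = True
        elif kw in ("BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"):
            bad = True
        elif kw == "VALIDSIG":  # field 11, when present, is the primary key fingerprint
            fpr = parts[11] if len(parts) > 11 else parts[2]
        elif kw.startswith("TRUST_"):
            trust = kw[len("TRUST_"):]
    wanted = {f.replace(" ", "").upper() for f in expected_fprs}
    return VerifyResult(good and not bad, fpr, trust, fpr.upper() in wanted)

def classify(r):
    if not r.good:
        return "bad"             # reject: wrong, expired or revoked signature
    if r.pinned:
        return "good-pinned"     # matched a fingerprint checked out of band; no web of trust needed
    if r.trust in ("FULLY", "ULTIMATE"):
        return "good-trusted"    # gpg's web of trust vouches for the key
    return "good-untrusted"      # the "WARNING: This key is not certified" case in the thread
```

Only "good-pinned" or "good-trusted" should be treated as a verified release artifact; "good-untrusted" is what every reader outside the signers' circle will see until they check the fingerprint themselves.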

