On Tue, Mar 11, 2014 at 11:32:41AM +0000, Peter Maydell wrote:
> On 11 March 2014 11:22, Michael S. Tsirkin <m...@redhat.com> wrote:
> > BTW I still see these warnings in the logs:
> > # gpg: WARNING: This key is not certified with a trusted signature!
> > # gpg: There is no indication that the signature belongs to
> > # the
> >
> > These seem counter-productive: people get used
> > to ignoring the warnings.
> > A bunch of people verified my key at the latest KVM forum
> > so how about importing keys from contributors
> > and denying pulls where keys don't match?
>
> That won't help with removing the warning. What gpg
> is saying here is "I found this key in the keyring,
> and the signature checks out, but there's no chain
> of trust between the person who applied the pull
> and that key". That is, I haven't signed your key.
Okay ... would you like to sign it?
Didn't you go to the key signing party at the forum?
If yes you have all the data :)

> The other kind of warning is:
> # gpg: Signature made Sat 08 Mar 2014 21:26:01 GMT using RSA key ID 5872D723
> # gpg: Can't check signature: public key not found
>
> which means "I didn't find the gpg key in the keyring".
>
> Genuinely mismatching signatures would be a gpg
> error rather than a mere warning, I think.
>
> Since we're still accepting unsigned pull requests
> I don't think this matters too much. In either case
> if somebody really cares later they can attempt to
> establish a chain of trust between themselves and the
> submitter after the fact, I guess.

But the commit log will include the warning forever I think?

> Personally I think the next step we should take would
> be to get all the people currently submitting unsigned
> pull requests to move over to signing them.
>
> thanks
> -- PMM

I think this was agreed on the forum so you can start enforcing this straight away if you wish :)

-- MST
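One way to make the three outcomes Peter distinguishes (good signature with a trust chain, good signature without one, key not in the keyring) machine-checkable, as an added example that is not part of this thread or of QEMU's tooling: it parses gpg's `--status-fd` output, the same lines git reads when verifying a tag, and applies a pull-request policy. The key id and transcripts are constructed placeholders.

```python
"""Classify a gpg signature check from its --status-fd lines (the lines git reads).
Transcripts and key id below are constructed placeholders for this example."""
import re
from enum import Enum


class Verdict(Enum):
    TRUSTED = "good signature, key is in the verifier's web of trust"
    UNTRUSTED = "good signature, but no chain of trust to the key"
    MISSING_KEY = "cannot check: public key not in keyring"
    BAD = "bad signature, or no signature at all"


STATUS_RE = re.compile(r"^\[GNUPG:\]\s+(\S+)(?:\s+(.*))?$")
# Trust levels gpg reports after a good signature (GnuPG doc/DETAILS).
TRUSTED_LEVELS = {"TRUST_FULLY", "TRUST_ULTIMATE"}


def classify(status_text):
    """Return (Verdict, key id) for one gpg --status-fd transcript."""
    seen, keyid = set(), ""
    for line in status_text.splitlines():
        m = STATUS_RE.match(line.strip())
        if not m:
            continue  # human-readable stderr, not a status line
        keyword, args = m.group(1), (m.group(2) or "").split()
        seen.add(keyword)
        if keyword in ("GOODSIG", "BADSIG", "ERRSIG", "NO_PUBKEY") and args:
            keyid = args[0]
    if "NO_PUBKEY" in seen:  # "Can't check signature: public key not found"
        return Verdict.MISSING_KEY, keyid
    if "BADSIG" in seen or "ERRSIG" in seen or "GOODSIG" not in seen:
        return Verdict.BAD, keyid
    if seen & TRUSTED_LEVELS:  # signature checks out and key is trusted
        return Verdict.TRUSTED, keyid
    return Verdict.UNTRUSTED, keyid  # "This key is not certified ..." warning


def acceptable(verdict, require_trust=False):
    """Pull-request policy: a good signature is required; trust chain optional."""
    return verdict is Verdict.TRUSTED or (
        verdict is Verdict.UNTRUSTED and not require_trust)


# Constructed sample transcripts; 0123456789ABCDEF is a placeholder key id.
UNTRUSTED_GOOD = """[GNUPG:] GOODSIG 0123456789ABCDEF Example Contributor <c@example.org>
[GNUPG:] TRUST_UNDEFINED 0 pgp"""
NO_KEY = "[GNUPG:] ERRSIG 0123456789ABCDEF 1 10 00 1394314400 9\n[GNUPG:] NO_PUBKEY 0123456789ABCDEF"
```

Switching `require_trust` on is the "deny pulls where keys don't match" policy from the thread; leaving it off matches the current practice of accepting a good signature even when the maintainer has not signed the key.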