Re: Problem with verifying signature ?
Thank you.

On Thu, Sep 6, 2012 at 9:51 AM, Chris Hostetter wrote:

> : gpg: Signature made 08/06/12 19:52:21 Pacific Daylight Time using RSA key ID 322D7ECA
> : gpg: Good signature from "Robert Muir (Code Signing Key) <rm...@apache.org>"
> : *gpg: WARNING: This key is not certified with a trusted signature!*
> : gpg: There is no indication that the signature belongs to the owner.
> : Primary key fingerprint: 6661 9BA3 C030 DD55 3625 1303 817A E1DD 322D 7ECA
> :
> : Is this acceptable ?
>
> I guess it depends on what you mean by acceptable?
>
> I'm not an expert on this, but as I understand it...
>
> gpg is telling you that it confirmed the signature matches a known key
> named "Robert Muir (Code Signing Key)" which is in your keyring, but that
> there is no certified level of trust association with that key.
>
> Key Trust is a personal thing, specific to you, your keyring, and how you
> got the keys you put in that ring. If you trust that the KEYS file you
> downloaded from apache.org is legitimate, and that all the keys in it
> should be trusted, you can tell gpg that. (using the "trust"
> interactive command when using --edit-key)
>
> Alternatively, you could tell gpg that you have a high level of trust in
> the key of some other person you have met personally -- ie: if you met Uwe
> at a conference and he physically handed you his key on a USB drive -- and
> then if Uwe has signed Robert's key with his own (I think it has, not sure
> off the top of my head), then gpg would extend an implicit transitive
> trust to Robert's key...
>
> http://www.gnupg.org/gph/en/manual.html#AEN335
>
> -Hoss
Re: Problem with verifying signature ?
: gpg: Signature made 08/06/12 19:52:21 Pacific Daylight Time using RSA key ID 322D7ECA
: gpg: Good signature from "Robert Muir (Code Signing Key) <rm...@apache.org>"
: *gpg: WARNING: This key is not certified with a trusted signature!*
: gpg: There is no indication that the signature belongs to the owner.
: Primary key fingerprint: 6661 9BA3 C030 DD55 3625 1303 817A E1DD 322D 7ECA
:
: Is this acceptable ?

I guess it depends on what you mean by acceptable?

I'm not an expert on this, but as I understand it...

gpg is telling you that it confirmed the signature matches a known key
named "Robert Muir (Code Signing Key)" which is in your keyring, but that
there is no certified level of trust association with that key.

Key Trust is a personal thing, specific to you, your keyring, and how you
got the keys you put in that ring. If you trust that the KEYS file you
downloaded from apache.org is legitimate, and that all the keys in it
should be trusted, you can tell gpg that. (using the "trust"
interactive command when using --edit-key)

Alternatively, you could tell gpg that you have a high level of trust in
the key of some other person you have met personally -- ie: if you met Uwe
at a conference and he physically handed you his key on a USB drive -- and
then if Uwe has signed Robert's key with his own (I think it has, not sure
off the top of my head), then gpg would extend an implicit transitive
trust to Robert's key...

http://www.gnupg.org/gph/en/manual.html#AEN335

-Hoss
Re: Problem with verifying signature ?
Thank you Hoss. I imported the KEYS file using *gpg --import KEYS.txt*. Then I did the *--verify* again. This time I get an output like this:

gpg: Signature made 08/06/12 19:52:21 Pacific Daylight Time using RSA key ID 322D7ECA
gpg: Good signature from "Robert Muir (Code Signing Key) <rm...@apache.org>"
*gpg: WARNING: This key is not certified with a trusted signature!*
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6661 9BA3 C030 DD55 3625 1303 817A E1DD 322D 7ECA

Is this acceptable ?

Thanks

On Wed, Sep 5, 2012 at 5:38 PM, Chris Hostetter wrote:

> : I download solr 4.0 beta and the .asc file. I use gpg4win and type this in
> : the command line:
> :
> : >gpg --verify file.zip file.asc
> :
> : I get a message like this:
> :
> : *gpg: Can't check signature: No public key*
>
> you can verify the asc sig file using the public KEYS file hosted on the
> main apache download site (do not trust asc or KEYS from a download
> mirror, that defeats the point)
>
> https://www.apache.org/dist/lucene/solr/KEYS
>
> -Hoss
Re: Problem with verifying signature ?
: I download solr 4.0 beta and the .asc file. I use gpg4win and type this in
: the command line:
:
: >gpg --verify file.zip file.asc
:
: I get a message like this:
:
: *gpg: Can't check signature: No public key*

you can verify the asc sig file using the public KEYS file hosted on the
main apache download site (do not trust asc or KEYS from a download
mirror, that defeats the point)

https://www.apache.org/dist/lucene/solr/KEYS

-Hoss
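The procedure described across this thread (import the KEYS file fetched from the main apache.org site, run gpg --verify, then decide what the "not certified with a trusted signature" warning means for you) as one script. This is an added example, not code from the thread, from Hoss, or from the Solr project. It assumes gpg is installed, uses placeholder file names (KEYS, file.zip, file.zip.asc), and takes the expected fingerprint from the one quoted in the thread. The status lines it parses (GOODSIG, VALIDSIG, TRUST_*, BADSIG, ERRSIG, NO_PUBKEY) are gpg's own --status-fd output format. Note that gpg --verify takes the detached signature first and the signed file second.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Solr project.
# Verifies a release artifact against a detached .asc signature using a
# throwaway keyring populated only from the KEYS file, then decides on the
# signing key's fingerprint rather than on the "Good signature" line alone.
# Assumed: gpg is installed; the file names below are placeholders.

# Fingerprint of the release signing key, copied from the KEYS file fetched
# from https://www.apache.org/dist/lucene/solr/KEYS (not from a mirror).
# This is the fingerprint quoted in the thread, written without spaces.
EXPECTED_FPR="66619BA3C030DD5536251303817AE1DD322D7ECA"

# check_status: read gpg --status-fd lines on stdin. Succeeds only when a
# VALIDSIG line carries the expected fingerprint; BADSIG, ERRSIG and
# NO_PUBKEY fail immediately. The TRUST_* line (TRUST_UNDEFINED is what
# produces the "not certified" warning) is reported but does not decide the
# outcome: a valid signature from a key whose fingerprint you checked
# against the authentic KEYS file is the property that matters.
check_status() {
    expected="$1"
    valid_fpr=""
    trust="(no TRUST line)"
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)
                rest="${line#"[GNUPG:] VALIDSIG "}"
                valid_fpr="${rest%% *}"     # first field after the tag
                ;;
            "[GNUPG:] TRUST_"*)
                rest="${line#"[GNUPG:] "}"
                trust="${rest%% *}"
                ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NO_PUBKEY "*)
                echo "REJECT: $line" >&2
                return 1
                ;;
        esac
    done
    if [ -z "$valid_fpr" ]; then
        echo "REJECT: no VALIDSIG line in gpg status output" >&2
        return 1
    fi
    if [ "$valid_fpr" != "$expected" ]; then
        echo "REJECT: signed by $valid_fpr, expected $expected" >&2
        return 1
    fi
    echo "OK: valid signature from $valid_fpr (gpg trust level: $trust)"
    return 0
}

# verify_release KEYS artifact signature expected_fingerprint
# Imports KEYS into a fresh --homedir so nothing already in your keyring
# influences the result, then runs gpg --verify with the detached signature
# first and the signed file second (the order gpg expects). gpg's
# human-readable messages still go to stderr; the status lines go to stdout.
verify_release() {
    keys_file="$1"; artifact="$2"; sig="$3"; expected="$4"
    tmp_home=$(mktemp -d) || return 1
    chmod 700 "$tmp_home"
    if ! gpg --homedir "$tmp_home" --batch --quiet --import "$keys_file"; then
        rm -rf "$tmp_home"
        return 1
    fi
    gpg --homedir "$tmp_home" --batch --status-fd 1 --verify "$sig" "$artifact" \
        | check_status "$expected"
    rc=$?
    rm -rf "$tmp_home"
    return "$rc"
}

# Usage with the placeholder names (skipped when the files are not present).
if [ -f KEYS ] && [ -f file.zip ] && [ -f file.zip.asc ]; then
    verify_release KEYS file.zip file.zip.asc "$EXPECTED_FPR" || exit 1
fi
```

With a key that is merely imported, gpg reports TRUST_UNDEFINED, which is exactly the warning seen in the thread; the script accepts the artifact anyway once the fingerprint matches the one you copied from the KEYS file over HTTPS from apache.org, because that comparison is the check the warning is asking you to make. If you want the warning gone from your regular keyring afterwards, either use the "trust" command inside gpg --edit-key as Hoss suggests, or add a local, non-exportable certification with gpg --lsign-key followed by the fingerprint.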