each person decides which keys they trust. when you encounter a signature from a key that isn't within your key of trust, there's a warning. the main purpose is to prevent confusion between a trusted key (that you've already marked thus) and a signature from another untrusted key with the similar details. it is very easy to decide to trust another key. if you do so before you verify the signature, you'll get the ok message instead.

what i do is have a code signing user with a code signing key who does the signing. i make sure that i have very high verification standards (face-to-face) for that key ring (since when the key is uploaded to the ASF server, the trust web goes as well). for verification, i use a user whose key ring has a load of apache code signing keys on (including my own) which i've marked as trusted. so, when i verify the signature, i get a pleasant message.

- robert
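The behaviour robert describes, a valid signature from a key outside your web of trust being reported with a trust warning until you have checked the fingerprint and certified the key, as an added shell example that is not part of the original thread. It assumes GnuPG 2.x is installed and uses throwaway keys, a constructed artifact and temporary keyrings; the key names and paths are made up.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): reproduce gpg's verdict on a valid
# signature from an uncertified key, then certify the key and verify again.
# Assumes GnuPG 2.x; signer and verifier get separate throwaway keyrings.
set -euo pipefail

WORK=$(mktemp -d)
SIGNER="$WORK/signer"       # keyring of the code-signing user (hypothetical)
VERIFIER="$WORK/verifier"   # keyring of the user doing the verification
mkdir -p "$SIGNER" "$VERIFIER"; chmod 700 "$SIGNER" "$VERIFIER"
trap 'gpgconf --homedir "$SIGNER" --kill gpg-agent 2>/dev/null || true;
      gpgconf --homedir "$VERIFIER" --kill gpg-agent 2>/dev/null || true;
      rm -rf "$WORK"' EXIT

# Common options: non-interactive, no pinentry, empty passphrase for the demo keys.
BATCH=(--batch --quiet --no-tty --pinentry-mode loopback --passphrase '')

# Throwaway code-signing key and a constructed "release artifact".
gpg --homedir "$SIGNER" "${BATCH[@]}" \
    --quick-generate-key 'Example Code Signer <signer@example.invalid>' default default never
echo 'constructed release artifact' > "$WORK/release.jar"
gpg --homedir "$SIGNER" "${BATCH[@]}" --detach-sign --armor \
    --output "$WORK/release.jar.asc" "$WORK/release.jar"

# Import only the public key into the verifier's keyring: no trust attached yet.
gpg --homedir "$SIGNER" --batch --quiet --armor --export signer@example.invalid \
  | gpg --homedir "$VERIFIER" --batch --quiet --import

# Report the TRUST_* token gpg emits on its status channel for the signature.
# A valid signature still exits 0; the trust token is what carries the warning.
trust_status() {
  gpg --homedir "$VERIFIER" --batch --no-tty --status-fd 1 \
      --verify "$WORK/release.jar.asc" "$WORK/release.jar" 2>/dev/null \
  | awk '$1 == "[GNUPG:]" && $2 ~ /^TRUST_/ { print $2 }'
}

before=$(trust_status)   # TRUST_UNDEFINED: good signature, key not in the web of trust

# The verifier checks the fingerprint out of band (face to face, as in the thread)
# and then certifies the key locally with their own, ultimately trusted, key.
gpg --homedir "$VERIFIER" "${BATCH[@]}" \
    --quick-generate-key 'Example Verifier <verifier@example.invalid>' default default never
FPR=$(gpg --homedir "$VERIFIER" --batch --with-colons --list-keys signer@example.invalid \
      | awk -F: '$1 == "fpr" && !seen { print $10; seen = 1 }')
gpg --homedir "$VERIFIER" "${BATCH[@]}" --quick-lsign-key "$FPR"
gpg --homedir "$VERIFIER" --batch --quiet --check-trustdb

after=$(trust_status)    # TRUST_FULLY: same signature, key now certified by a trusted key
echo "before certification: $before / after certification: $after"
```

The local signature (`--quick-lsign-key`) is non-exportable, so the certification stays on the verifying user's own keyring and is not published when keys are uploaded.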

On 14 Jul 2004, at 21:31, Stephen Colebourne wrote:

Yes, it's what everyone else is doing ;-)
Stephen

----- Original Message -----
From: "Gary Gregory" <[EMAIL PROTECTED]>
Hm, should I proceed with codec 1.3 "signing" and releasing then?
Signing in quotes since my key is unconfirmed.

Gary

-----Original Message-----
From: robert burrell donkin
[mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 14, 2004 12:12
To: Jakarta Commons Developers List
Subject: Re: [general] signing releases.

On 14 Jul 2004, at 08:53, Stephen Colebourne wrote:

I believe this means that your key is unconfirmed. The system appears to be that you need somebody who knows you and has a confirmed key to be able to confirm your key. ie. it's a 'web of trust', with each confirmed key proven by somebody else. My key isn't confirmed either. Al IIRC.

+1

i've had to answer this one a few times for users who've emailed me directly. we're in the process of reviewing the jakarta download pages and maybe there'd be a good argument for adding some documentation somewhere.

a thought that has crossed my mind is that maybe the commons could lead the way by having a page containing fingerprints for our code signing keys.

- robert


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

