Hi, Confusion part 2:
I untar'ed the tree and found a file called KEYS in the src directory. I used this set of keys to do the same thing as before. Here's the response: [tsa...@vixen Derby]$ gpg --import KEYS gpg: key AB1B7EE4: "Daniel John Debrunner <[email protected]>" not changed gpg: key AB821FBC: "Samuel Andrew McIntyre (Apache Derby Project) <[email protected]>" not changed gpg: key 21EA3ECD: "Mike Matrigali <[email protected]>" not changed gpg: key 8E8367B1: "Satheesh Bandaram (Apache Derby Project) <[email protected]>" not changed gpg: key 99586C26: "Jean T. Anderson <[email protected]>" not changed gpg: key B1669287: "Kathey Marsden <[email protected]>" not changed gpg: key 98E21827: "Rick Hillegas <[email protected]>" not changed gpg: key 0C8EBFBE: "David Van Couvering (My Apache Key) <[email protected]>" not changed gpg: key 990ED4AA: "Knut Anders Hatlen <[email protected]>" not changed gpg: key 88D83722: "Andreas Korneliussen <[email protected]>" not changed gpg: key 5355D01C: "Dag H. Wanvik (Derby committer) <[email protected]>" not changed gpg: key 37AA956A: "Myrna van Lunteren <[email protected]>" not changed gpg: key FFCCF7B1: "Dyre Tjeldvoll <[email protected]>" not changed gpg: Total number processed: 13 gpg: unchanged: 13 [tsa...@vixen Derby]$ [tsa...@vixen Derby]$ gpg --verify db-derby-10.5.1.1-src.tar.gz.asc gpg: Signature made Tue 14 Apr 2009 02:27:52 PM PDT using DSA key ID 37AA956A gpg: BAD signature from "Myrna van Lunteren <[email protected]>" [tsa...@vixen Derby]$ [tsa...@vixen Derby]$ echo $? 1 [tsa...@vixen Derby]$ The first command returned exactly the same response as previous invocation. (I diff'ed them.) But if the "import" didn't change anything, then why should the 2nd command return something different from the previous run? In any event, if someone can help me under- stand what I am understanding, I would appreciate it. Regards, Tena Sakai [email protected] -----Original Message----- From: Tena Sakai [mailto:[email protected]] Sent: Tue 5/19/2009 2:43 PM To: [email protected] Subject: newbie confused about "verifying release" Hi, I am a newbie and just got started with derby. I was doing what this page http://db.apache.org/derby/releases/release-10.5.1.1.cgi#Verifying+releases instructed. The host is a redhat linux. uname -vro returns: 2.6.9-78.0.1.ELsmp #1 SMP Tue Jul 22 18:01:05 EDT 2008 GNU/Linux Here are responses from the two commands: [tsa...@vixen Derby]$ gpg --import KEYS gpg: key AB1B7EE4: "Daniel John Debrunner <[email protected]>" not changed gpg: key AB821FBC: "Samuel Andrew McIntyre (Apache Derby Project) <[email protected]>" not changed gpg: key 21EA3ECD: "Mike Matrigali <[email protected]>" not changed gpg: key 8E8367B1: "Satheesh Bandaram (Apache Derby Project) <[email protected]>" not changed gpg: key 99586C26: "Jean T. Anderson <[email protected]>" not changed gpg: key B1669287: "Kathey Marsden <[email protected]>" not changed gpg: key 98E21827: "Rick Hillegas <[email protected]>" not changed gpg: key 0C8EBFBE: "David Van Couvering (My Apache Key) <[email protected]>" not changed gpg: key 990ED4AA: "Knut Anders Hatlen <[email protected]>" not changed gpg: key 88D83722: "Andreas Korneliussen <[email protected]>" not changed gpg: key 5355D01C: "Dag H. Wanvik (Derby committer) <[email protected]>" not changed gpg: key 37AA956A: "Myrna van Lunteren <[email protected]>" not changed gpg: key FFCCF7B1: "Dyre Tjeldvoll <[email protected]>" not changed gpg: Total number processed: 13 gpg: unchanged: 13 [tsa...@vixen Derby]$ [tsa...@vixen Derby]$ gpg --verify db-derby-10.5.1.1-src.tar.gz.asc gpg: Signature made Tue 14 Apr 2009 02:27:52 PM PDT using DSA key ID 37AA956A gpg: Good signature from "Myrna van Lunteren <[email protected]>" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 66C3 0B69 5415 91E3 A777 F84D 0E13 F75A 37AA 956A [tsa...@vixen Derby]$ What I don't understand is at the bottom: gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Can someone please clue me in? Is this good, bad, neutral? Should I do something (and if so, what)? Should I ignore and move on? Thank you in advance. Regards, Tena Sakai [email protected]
