Hi Myrna, Hi Kathy,

Thanks for your reply. I read what you pointed out to me and I thought I understood what Knut Anders mentioned. Accordingly I executed what was suggested, but I am left with the same message as I posted the second time:

[tsa...@vixen Derby]$ gpg --refresh-keys
gpg: refreshing 24 keys from hkp://subkeys.pgp.net
gpg: key FFCCF7B1: "Dyre Tjeldvoll <[email protected]>" 3 new signatures
gpg: key 37AA956A: "Myrna van Lunteren <[email protected]>" not changed
gpg: key 5355D01C: "Dag H. Wanvik (Derby committer) <[email protected]>" 13 new signatures
gpg: key 88D83722: "Andreas Korneliussen <[email protected]>" 1 new user ID
gpg: key 88D83722: "Andreas Korneliussen <[email protected]>" 12 new signatures
gpg: can't get key from keyserver: Connection timed out
gpg: key 0C8EBFBE: "David Van Couvering (My Apache Key) <[email protected]>" 19 new signatures
gpg: key 98E21827: "Rick Hillegas <[email protected]>" 7 new signatures
gpg: key B1669287: "Kathey Marsden <[email protected]>" not changed
gpg: key 99586C26: "Jean T. Anderson (IBM) (adding IBM email) <[email protected]>" 2 new user IDs
gpg: key 99586C26: "Jean T. Anderson (IBM) (adding IBM email) <[email protected]>" 98 new signatures
gpg: key 8E8367B1: "Satheesh Bandaram (Apache Derby Project) <[email protected]>" not changed
gpg: can't get key from keyserver: Connection timed out
gpg: key AB821FBC: "Andrew McIntyre <[email protected]>" 3 new user IDs
gpg: key AB821FBC: "Andrew McIntyre <[email protected]>" 119 new signatures
gpg: key AB1B7EE4: "Daniel John Debrunner <[email protected]>" not changed
gpg: no valid OpenPGP data found.
gpg: key AA0077B0: "Kev Jackson (apache key) <[email protected]>" not changed
gpg: key C152431A: "Steve Loughran <[email protected]>" 5 new signatures
gpg: can't get key from keyserver: Connection timed out
gpg: key 265B4C63: "Antoine Levy-Lambert (Apache Ant Committer) <[email protected]>" 4 new signatures
gpg: key EDF62C35: "Magesh Umasankar <[email protected]>" 1 new signature
gpg: key 307A10A5: "Henri Gomez <[email protected]>" 7 new signatures
gpg: key 397DCAD5: "Henri Gomez <[email protected]>" 2 new signatures
gpg: key 697ECEDD: "Henri Gomez <[email protected]>" 1 new user ID
gpg: key 697ECEDD: "Henri Gomez <[email protected]>" 6 new signatures
gpg: can't get key from keyserver: Connection timed out
gpg: key FEECAAED: "Stefan Bodewig <[email protected]>" 19 new signatures
gpg: Total number processed: 19
gpg: unchanged: 5
gpg: new user IDs: 7
gpg: new signatures: 315
[tsa...@vixen Derby]$
[tsa...@vixen Derby]$ echo $?
2
[tsa...@vixen Derby]$
[tsa...@vixen Derby]$ gpg --update-trustdb
gpg: checking at depth 0 signed=0 ot(-/q/n/m/f/u)=0/0/0/0/0/1
[tsa...@vixen Derby]$
[tsa...@vixen Derby]$ gpg --verify db-derby-10.5.1.1-src.tar.gz.asc
gpg: Signature made Tue 14 Apr 2009 02:27:52 PM PDT using DSA key ID 37AA956A
gpg: BAD signature from "Myrna van Lunteren <[email protected]>"
[tsa...@vixen Derby]$

It appears that --refresh-keys indeed did stuff, although it took a long time (which is evidenced by "Connection timed out" messages). That said, it didn't seem to have changed the bottom line. I don't like the line:

BAD signature from "Myrna van Lunteren <[email protected]>"

It sounds a bit ominous and definite. Perhaps this is not something I should waste more time on?

Regards,

Tena Sakai
[email protected]

-----Original Message-----
From: Myrna van Lunteren [mailto:[email protected]]
Sent: Tue 5/19/2009 3:54 PM
To: Derby Discussion
Subject: Re: newbie confused about "verifying release"

On Tue, May 19, 2009 at 2:43 PM, Tena Sakai <[email protected]> wrote:
> Hi,
>
> I am a newbie and just got started with derby. I was doing what this page
>
> http://db.apache.org/derby/releases/release-10.5.1.1.cgi#Verifying+releases
> instructed.
> [...snip...]
> Here are responses from the two commands:
> [tsa...@vixen Derby]$ gpg --import KEYS
[...snip...]
> gpg: key FFCCF7B1: "Dyre Tjeldvoll <[email protected]>" not changed
> gpg: Total number processed: 13
> gpg: unchanged: 13
> [tsa...@vixen Derby]$
> [tsa...@vixen Derby]$ gpg --verify db-derby-10.5.1.1-src.tar.gz.asc
> gpg: Signature made Tue 14 Apr 2009 02:27:52 PM PDT using DSA key ID
> 37AA956A
> gpg: Good signature from "Myrna van Lunteren <[email protected]>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the
> owner.
> Primary key fingerprint: 66C3 0B69 5415 91E3 A777 F84D 0E13 F75A 37AA
> 956A
> [tsa...@vixen Derby]$
>
> What I don't understand is at the bottom:
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the
> owner.
>
> Can someone please clue me in? Is this good, bad, neutral?
> Should I do something (and if so, what)? Should I ignore and move on?
>
> Thank you in advance.
>
> Regards,
>
> Tena Sakai
> [email protected]

You're not the first to ever have been confused by this.
There was a thread on our derby-developers list on this issue a long time ago, re 10.4.2.0, see:
http://www.mail-archive.com/[email protected]/msg62800.html

Knut Anders' response in the final mail on that thread is helpful;
"Note that gpg told you that the signature was good. What it warned you about, was that you didn't trust anyone who had signed Rick's key. You can update your trust db with "gpg --update-trustdb"."

In this case, it appears it is *my* signature that is not known by 'you' or anyone 'you' (your pgp program, that is) know. But as I understand it, that's still ok.

Myrna
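
The two outcomes seen in this thread differ in kind: "Good signature" with the "not certified with a trusted signature" warning means the file matches the signature but gpg has no trust path to the key, while "BAD signature" means the file contents do not match the signature at all. The sketch below is an added example, not part of the original messages and not the Derby project's own tooling; it tells the cases apart from gpg's machine-readable --status-fd lines and compares the signing key against a fingerprint the verifier already holds. The function name classify_gpg_status and the sample status lines are constructed for illustration; the fingerprint is the one shown in the quoted gpg output above.

```shell
#!/bin/sh
# Added example. Classifies the machine-readable status lines printed by
#   gpg --status-fd 1 --verify FILE.asc FILE 2>/dev/null
# Usage: ... | classify_gpg_status "EXPECTED FINGERPRINT"
# Exit status: 0 expected key, 1 unexpected key, 2 bad or missing signature.
classify_gpg_status() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$expected" ] || { echo "UNVERIFIED: no expected fingerprint given"; return 2; }
    good=0; bad=0; fpr=""; primary=""; trust="not reported"
    while read -r tag keyword arg1 rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case "$keyword" in
            GOODSIG)  good=1 ;;
            BADSIG)   bad=1 ;;
            # First field: fingerprint of the signing key; last field: primary key.
            VALIDSIG) fpr=$arg1; primary=${rest##* } ;;
            # TRUST_UNDEFINED accompanies the "not certified" warning.
            TRUST_*)  trust=${keyword#TRUST_} ;;
        esac
    done
    if [ "$bad" -eq 1 ]; then
        echo "BAD: signature does not match the file contents"; return 2
    fi
    if [ "$good" -ne 1 ] || [ -z "$fpr" ]; then
        echo "UNVERIFIED: no good signature reported"; return 2
    fi
    if [ "$fpr" != "$expected" ] && [ "$primary" != "$expected" ]; then
        echo "MISMATCH: good signature from unexpected key $fpr"; return 1
    fi
    echo "OK: good signature from expected key (trust: $trust)"
}

# Constructed status output for the two outcomes seen in this thread.
SAMPLE_GOOD='[GNUPG:] GOODSIG 0E13F75A37AA956A Myrna van Lunteren <constructed@example.invalid>
[GNUPG:] VALIDSIG 66C30B69541591E3A777F84D0E13F75A37AA956A 2009-04-14 1239744472 0 3 0 17 2 00 66C30B69541591E3A777F84D0E13F75A37AA956A
[GNUPG:] TRUST_UNDEFINED'
SAMPLE_BAD='[GNUPG:] BADSIG 0E13F75A37AA956A Myrna van Lunteren <constructed@example.invalid>'

# Fingerprint as shown in the quoted "Primary key fingerprint" line.
FPR="66C3 0B69 5415 91E3 A777 F84D 0E13 F75A 37AA 956A"
printf '%s\n' "$SAMPLE_GOOD" | classify_gpg_status "$FPR"
printf '%s\n' "$SAMPLE_BAD"  | classify_gpg_status "$FPR" || true
```

The fingerprint comparison is only meaningful when the expected value comes from a source independent of the download being checked.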
