Tena, I guess your download is broken. If I do the same, I get a GOOD signature:
k...@pckurt:~/Install/Java$ LANG=en gpg --verify db-derby-10.5.1.1- src.tar.gz.asc gpg: Signature made Tue Apr 14 23:27:52 2009 CEST using DSA key ID 37AA956A gpg: Good signature from "Myrna van Lunteren <[email protected]>" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 66C3 0B69 5415 91E3 A777 F84D 0E13 F75A 37AA 956A You should verify the download with MD5: k...@pckurt:~/Install/Java$ md5sum db-derby-10.5.1.1-src.tar.gz f5c2d8c6546757243e2c8cf79fd944fe db-derby-10.5.1.1-src.tar.gz k...@pckurt:~/Install/Java$ cat db-derby-10.5.1.1-src.tar.gz.md5 F5C2D8C6546757243E2C8CF79FD944FE Regarding the warning: as the others pointed out, you do not know if you have downloaded the original key of Myrna or a faked copy. Everybody can create a key that reads "Myrna van Lunteren <[email protected]>". Therefore there is something called the "web of trust" where people verify the correctness of a key and do a digital signature on it. For example if you'd trust my GPG key and I'd sign Myrna's key, then you could verify that you downloaded the correct key by verifying my signature on the key you downloaded, because this is something that noone can fake. http://en.wikipedia.org/wiki/Web_of_Trust On Wednesday 20 May 2009 04:22:40 Tena Sakai wrote: > Hi Myrna, > Hi kathy, > > Thanks for your reply. I read what you pointed out to me and > I thought I understood what Knut Anders mentioned. Accordingly > I executed what was suggested, but I am left with the same > message as I posted the second time: > > [tsa...@vixen Derby]$ gpg --refresh-keys > gpg: refreshing 24 keys from hkp://subkeys.pgp.net > gpg: key FFCCF7B1: "Dyre Tjeldvoll <[email protected]>" 3 new signatures > gpg: key 37AA956A: "Myrna van Lunteren <[email protected]>" not > changed gpg: key 5355D01C: "Dag H. Wanvik (Derby committer) > <[email protected]>" 13 new signatures gpg: key 88D83722: "Andreas > Korneliussen <[email protected]>" 1 new user ID gpg: key 88D83722: > "Andreas Korneliussen <[email protected]>" 12 new signatures gpg: can't > get key from keyserver: Connection timed out > gpg: key 0C8EBFBE: "David Van Couvering (My Apache Key) > <[email protected]>" 19 new signatures gpg: key 98E21827: "Rick Hillegas > <[email protected]>" 7 new signatures gpg: key B1669287: "Kathey Marsden > <[email protected]>" not changed gpg: key 99586C26: "Jean T. Anderson > (IBM) (adding IBM email) <[email protected]>" 2 new user IDs gpg: key > 99586C26: "Jean T. Anderson (IBM) (adding IBM email) <[email protected]>" > 98 new signatures gpg: key 8E8367B1: "Satheesh Bandaram (Apache Derby > Project) <[email protected]>" not changed gpg: can't get key from > keyserver: Connection timed out > gpg: key AB821FBC: "Andrew McIntyre <[email protected]>" 3 new user > IDs gpg: key AB821FBC: "Andrew McIntyre <[email protected]>" 119 new > signatures gpg: key AB1B7EE4: "Daniel John Debrunner <[email protected]>" > not changed gpg: no valid OpenPGP data found. > gpg: key AA0077B0: "Kev Jackson (apache key) <[email protected]>" not > changed gpg: key C152431A: "Steve Loughran <[email protected]>" 5 new > signatures gpg: can't get key from keyserver: Connection timed out > gpg: key 265B4C63: "Antoine Levy-Lambert (Apache Ant Committer) > <[email protected]>" 4 new signatures gpg: key EDF62C35: "Magesh Umasankar > <[email protected]>" 1 new signature gpg: key 307A10A5: "Henri Gomez > <[email protected]>" 7 new signatures gpg: key 397DCAD5: "Henri > Gomez <[email protected]>" 2 new signatures gpg: key 697ECEDD: > "Henri Gomez <[email protected]>" 1 new user ID gpg: key 697ECEDD: "Henri > Gomez <[email protected]>" 6 new signatures gpg: can't get key from > keyserver: Connection timed out > gpg: key FEECAAED: "Stefan Bodewig <[email protected]>" 19 new > signatures gpg: Total number processed: 19 > gpg: unchanged: 5 > gpg: new user IDs: 7 > gpg: new signatures: 315 > [tsa...@vixen Derby]$ > [tsa...@vixen Derby]$ echo $? > 2 > [tsa...@vixen Derby]$ > [tsa...@vixen Derby]$ gpg --update-trustdb > gpg: checking at depth 0 signed=0 ot(-/q/n/m/f/u)=0/0/0/0/0/1 > [tsa...@vixen Derby]$ > [tsa...@vixen Derby]$ gpg --verify db-derby-10.5.1.1-src.tar.gz.asc > gpg: Signature made Tue 14 Apr 2009 02:27:52 PM PDT using DSA key ID > 37AA956A gpg: BAD signature from "Myrna van Lunteren > <[email protected]>" [tsa...@vixen Derby]$ > > It appears that --refresh-keys indeed did stuff, although it took > a long time (which is evidenced by "Connection timed out" messages. > That said, it didn't seem to have changed the bottom line. I don't > like the line: > BAD signature from "Myrna van Lunteren <[email protected]>" > It sounds a bit ominous and definite. > > Perhaps this is not something I should waste more time on? > > Regards, > > Tena Sakai > [email protected] > > > -----Original Message----- > From: Myrna van Lunteren [mailto:[email protected]] > Sent: Tue 5/19/2009 3:54 PM > To: Derby Discussion > Subject: Re: newbie confused about "verifying release" > > On Tue, May 19, 2009 at 2:43 PM, Tena Sakai <[email protected]> wrote: > > Hi, > > > > I am a newbie and just got started with derby. I was doing what this > > page > > > > http://db.apache.org/derby/releases/release-10.5.1.1.cgi#Verifying+releas > >es instructed. > > [...snip...] > > > Here are responses from the two commands: > > [tsa...@vixen Derby]$ gpg --import KEYS > > [...snip...] > > > gpg: key FFCCF7B1: "Dyre Tjeldvoll <[email protected]>" not changed > > gpg: Total number processed: 13 > > gpg: unchanged: 13 > > [tsa...@vixen Derby]$ > > [tsa...@vixen Derby]$ gpg --verify db-derby-10.5.1.1-src.tar.gz.asc > > gpg: Signature made Tue 14 Apr 2009 02:27:52 PM PDT using DSA key ID > > 37AA956A > > gpg: Good signature from "Myrna van Lunteren <[email protected]>" > > gpg: WARNING: This key is not certified with a trusted signature! > > gpg: There is no indication that the signature belongs to the > > owner. > > Primary key fingerprint: 66C3 0B69 5415 91E3 A777 F84D 0E13 F75A 37AA > > 956A > > [tsa...@vixen Derby]$ > > > > What I don't understand is at the bottom: > > gpg: WARNING: This key is not certified with a trusted signature! > > gpg: There is no indication that the signature belongs to the > > owner. > > > > Can someone please clue me in? Is this good, bad, neutral? > > Should I do something (and if so, what)? Should I ignore and move on? > > > > Thank you in advance. > > > > Regards, > > > > Tena Sakai > > [email protected] > > You're not the first to ever have been confused by this. There was a > thread on our derby-developers list on this issue a long time ago, re > 10.4.2.0, see: > http://www.mail-archive.com/[email protected]/msg62800.html > > Knut Anders' response in the final mail on that thread is helpful; > " Note that gpg told you that the signature was good. What it > warned you about, was that you didn't trust anyone who had signed Rick's > key. You can update your trust db with "gpg --update-trustdb"." > > In this case, it appears it is *my* signature that is not known by > 'you' or anyone 'you' (your pgp program, that is) know. But as I > understand it, that's still ok. > > Myrna -- Mit freundlichen Grüßen Kurt Huwig (Vorstand) Telefon 0681 / 3 72 00 36 - 50 http://www.iku-ag.de/ Telefax 0681 / 3 72 00 36 - 59 iKu Systemhaus AG, Altenkesseler Straße 17/Gebäude C1, 66115 Saarbrücken Amtsgericht: Saarbrücken, HRB 13240 Vorstand: Kurt Huwig Aufsichtsratsvorsitzender: Jan Bankstahl GnuPG 1024D/99DD9468 64B1 0C5B 82BC E16E 8940 EB6D 4C32 F908 99DD 9468
signature.asc
Description: This is a digitally signed message part.
