On 12/27/06, Craig McClanahan <[EMAIL PROTECTED]> wrote: <snip/>
> > Done, I've added my signature to the master pom v2 in the staging > repo. My key is here [1] amongst other places (I intend to add a > generic UID before 1.0.4). > > Please verify the sig (and m2 sums). TIA.The md5 and sha1 checksums are fine. When I try to verify the signature, though: gpg --verify shale-master-2.pom.asc shale-master-2.pom I get the "Can't check signature: public key not found" error. I see that your key is available (at least) on the MIT keyserver ... what's the magic incantation for using such a key (without adding it to my web of trust yet ... we should probably start doing key exchanges at events like ApacheCons)?
<snap/> If you save that public key block that the MIT server spits out as KEYS, and then a: gpg --import KEYS should do what you want. The key won't be trusted until we sign each others (or some mutually trusted key signs both etc.). On the --verify bit, you will get "key is not trusted" message after the "Good Signature" message. -Rahul
-Rahul Craig [1] http://people.apache.org/~rahul/rahul.asc > > > > -Rahul > > > > >
