Anyway, +1 binding I checked: - Download links are valid - Checksums is valid - Signature is valid - LICENSE and NOTICE files - make setup successfully
Zexuan Luo <spacewan...@apache.org> 于2021年8月27日周五 下午3:28写道: > > I got: > gpg --verify apisix-python-plugin-runner-0.1.0-src.tgz.asc > gpg: assuming signed data in 'apisix-python-plugin-runner-0.1.0-src.tgz' > gpg: Signature made 2021年08月26日 星期四 20时00分35秒 CST > gpg: using RSA key 147CD2ABFA330EC56E4BABF927263EFDC64AACA1 > gpg: Good signature from "JinChao Shuai <shuaijinc...@apache.org>" [unknown] > gpg: WARNING: This key is not certified with a trusted signature! > gpg: There is no indication that the signature belongs to the owner. > Primary key fingerprint: 147C D2AB FA33 0EC5 6E4B ABF9 2726 3EFD C64A ACA1 > > Look like we need to trust the new key: https://serverfault.com/a/569923 > > JinChao Shuai <shuaijinc...@apache.org> 于2021年8月27日周五 下午1:17写道: > > > > 2. Checksums and signatures steps > > The KEYS file download address is from > > wget https://dist.apache.org/repos/dist/release/apisix/KEYS > > Change to > > wget https://dist.apache.org/repos/dist/dev/apisix/KEYS > > Reload the public key via `gpg --import KEYS`, and then verify it. > > > > JinChao Shuai <shuaijinc...@apache.org> 于2021年8月27日周五 下午12:04写道: > > > > > KEYS has been updated, please download the KEYS file again, and import and > > > verify it through `gpg --import KEYS`. > > > > > > Zhiyuan Ju <juzhiy...@apache.org> 于2021年8月27日周五 上午11:17写道: > > > > > >> Hi, > > >> > > >> When I try to import KEYS and trust it, GPG tells me `No public key`, do > > >> I > > >> miss something? > > >> > > >> Best Regards! > > >> @ Zhiyuan Ju <https://github.com/juzhiyuan> > > >> > > >> > > >> Zexuan Luo <spacewan...@apache.org> 于2021年8月27日周五 上午11:13写道: > > >> > > >> > BTW, I have run "gpg --import KEYS" and confirmed that the key from > > >> > Jinchao Shuai doesn't change. > > >> > > > >> > Zexuan Luo <spacewan...@apache.org> 于2021年8月27日周五 上午11:02写道: > > >> > > > > >> > > I checked: > > >> > > - Download links are valid > > >> > > - Checksums is valid > > >> > > - LICENSE and NOTICE files > > >> > > - make setup successfully > > >> > > > > >> > > When I run "gpg --verify > > >> apisix-python-plugin-runner-0.1.0-src.tgz.asc", > > >> > I got: > > >> > > gpg: assuming signed data in > > >> 'apisix-python-plugin-runner-0.1.0-src.tgz' > > >> > > gpg: Signature made 2021年08月26日 星期四 20时00分35秒 CST > > >> > > gpg: using RSA key > > >> > 147CD2ABFA330EC56E4BABF927263EFDC64AACA1 > > >> > > gpg: Can't check signature: No public key > > >> > > > > >> > > Maybe I miss something? > > >> > > > >> > > > > > > > > > -- > > > Thanks, > > > Janko > > > > > > > > > -- > > Thanks, > > Janko
