I'm sorry that my question was unclear. It was not that I didn't know how to find Jan's public key. My question is how any third party could determine who the release manager is and how to find an authentic version of that committer's public key for verifying the signature on an alleged release (candidate).
I know how to find that public key, although apparently it does not correspond to the private key that was used [;<). - Dennis -----Original Message----- From: Peter Kelly [mailto:pmke...@apache.org] Sent: Friday, August 14, 2015 10:22 To: dev@corinthia.incubator.apache.org Subject: Re: [DISCUSS][PRE-VOTE] Release candidate 0.1 > On 14 Aug 2015, at 11:23 pm, Dennis E. Hamilton <dennis.hamil...@acm.org> > wrote: > > Please provide an authoritative ASF location of the public key to use for > checking the signature. It would be something like a continuously verified > key on this list: <https://people.apache.org/keys/committer/>. https://people.apache.org/keys/committer/jani.asc — Dr Peter M. Kelly pmke...@apache.org PGP key: http://www.kellypmk.net/pgp-key <http://www.kellypmk.net/pgp-key> (fingerprint 5435 6718 59F0 DD1F BFA0 5E46 2523 BAA1 44AE 2966)
