On 14 August 2015 at 20:11, Dennis E. Hamilton <dennis.hamil...@acm.org> wrote:
> I'm sorry that my question was unclear. It was not that I didn't know how
> to find Jan's public key. My question is how any third party could
> determine who the release manager is and how to find an authentic version
> of that committer's public key for verifying the signature on an alleged
> release (candidate).
>

Well it is easy, try to verify the zip file, then it will tell you my name.

Some projects also add a KEYS file on dist together with the release, it is
something we can consider.

>
> I know how to find that public key, although apparently it does not
> correspond to the private key that was used [;<).
>

It does now, follow the guide I wrote to you. It also did before, if you
downloaded from the keys server. (seems you have an old asc file).

rgds
jan i.

>
> - Dennis
>
> -----Original Message-----
> From: Peter Kelly [mailto:pmke...@apache.org]
> Sent: Friday, August 14, 2015 10:22
> To: dev@corinthia.incubator.apache.org
> Subject: Re: [DISCUSS][PRE-VOTE] Release candidate 0.1
>
> > On 14 Aug 2015, at 11:23 pm, Dennis E. Hamilton <dennis.hamil...@acm.org> wrote:
> >
> > Please provide an authoritative ASF location of the public key to use
> > for checking the signature. It would be something like a continuously
> > verified key on this list: <https://people.apache.org/keys/committer/>.
>
> https://people.apache.org/keys/committer/jani.asc
>
> —
> Dr Peter M. Kelly
> pmke...@apache.org
>
> PGP key: http://www.kellypmk.net/pgp-key
> (fingerprint 5435 6718 59F0 DD1F BFA0 5E46 2523 BAA1 44AE 2966)