Mike, you probably participated in a keysigning party and John has not. Look up keysigning on www.Apache.org and have a “party” to sign his key. If that’s not possible right now, that’s ok.
Sent from my iPhone

> On Mar 18, 2022, at 1:27 PM, Mike Beckerle <[email protected]> wrote:
>
> When verifying GPG signatures recently I got this warning:
>
> gpg --verify ./apache-daffodil-3.3.0-1.noarch.rpm.asc ./apache-daffodil-3.3.0-1.noarch.rpm
> gpg: Signature made Thu 17 Mar 2022 04:12:45 PM EDT
> gpg: using RSA key 85849EC0374262C7110CA74404A735FC1A36AE84
> gpg: Good signature from "John Interrante (Code Signing Key) <[email protected]>" [unknown]
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the owner.
> Primary key fingerprint: 8584 9EC0 3742 62C7 110C A744 04A7 35FC 1A36 AE84
> PASSED GPG Signature Check
>
> Note the WARNING in the above.
>
> When I verify the 3.2.1 source jar (which I signed) I get:
>
> gpg --verify apache-daffodil-3.2.1-src.zip.asc apache-daffodil-3.2.1-src.zip
> gpg: Signature made Mon 20 Dec 2021 12:18:16 PM EST
> gpg: using RSA key 4B6A956D3ED3650268802E37274B8F1413A680AF
> gpg: Good signature from "Michael J. Beckerle (Code Signing Key) <[email protected]>" [ultimate]
>
> No warning.
>
> So there is something different about the way my code signing key was
> established.
>
> Mike Beckerle
> Apache Daffodil PMC | daffodil.apache.org
> OGF DFDL Workgroup Co-Chair | www.ogf.org/ogf/doku.php/standards/dfdl/dfdl
> Owl Cyber Defense | www.owlcyberdefense.com
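
The warning quoted above is about whether the key is certified in the verifier's keyring, not about whether the signature is valid. As an added example (not part of the original thread), this Python code reads GnuPG's machine-readable status lines and answers the two questions separately, comparing the signer to a fingerprint obtained out of band; the status text is constructed, and `classify`, `normalize`, `PINNED` and `SAMPLE_STATUS` are hypothetical names.

```python
# Constructed sample of `gpg --status-fd 1 --verify` output for the 3.3.0 RPM
# check quoted above (user ID shortened; numeric fields are illustrative).
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 04A735FC1A36AE84 John Interrante (Code Signing Key)
[GNUPG:] VALIDSIG 85849EC0374262C7110CA74404A735FC1A36AE84 2022-03-17 1647547965 0 4 0 1 10 00 85849EC0374262C7110CA74404A735FC1A36AE84
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
# Fingerprint as printed in the thread; in practice take it from a source you
# trust independently of the download (assumption: you have such a source).
PINNED = "8584 9EC0 3742 62C7 110C A744 04A7 35FC 1A36 AE84"
# Status keywords that mean the signature itself must not be relied on.
FAILURES = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def normalize(fpr):
    """Strip the grouping spaces gpg prints and upper-case the hex."""
    return fpr.replace(" ", "").upper()

def classify(status_text, pinned_fpr):
    """Return (verdict, detail) for a single signature's status lines."""
    good, primary, trust = False, None, None
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        keyword = parts[1]
        if keyword in FAILURES:
            return ("reject", keyword)
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG" and len(parts) >= 3:
            # Field 10 is the primary key fingerprint; field 1 may be a subkey.
            primary = parts[11] if len(parts) >= 12 else parts[2]
        elif keyword.startswith("TRUST_"):
            trust = keyword[len("TRUST_"):]
    if not good or primary is None:
        return ("reject", "no valid signature")
    if normalize(primary) != normalize(pinned_fpr):
        return ("reject", "unexpected signing key " + primary)
    if trust == "NEVER":
        return ("reject", "key explicitly distrusted")
    if trust in ("FULLY", "ULTIMATE"):
        return ("accept", "key certified locally: " + trust)
    # The [unknown] case from the thread: good signature, uncertified key.
    return ("accept-pinned", "fingerprint matches pin, local validity: %s" % trust)

if __name__ == "__main__":
    print(classify(SAMPLE_STATUS, PINNED))
```
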
