Yes, it's either that or it's even simpler than that. I see the same warning when verifying Mike's signature:
interran@GH3WPL13E:/u/Downloads$ gpg --verify apache-daffodil-3.2.1-src.zip.asc apache-daffodil-3.2.1-src.zip gpg: Signature made Mon Dec 20 09:18:16 2021 PST gpg: using RSA key 4B6A956D3ED3650268802E37274B8F1413A680AF gpg: Good signature from "Michael J. Beckerle (Code Signing Key) <[email protected]>" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 4B6A 956D 3ED3 6502 6880 2E37 274B 8F14 13A6 80AF interran@GH3WPL13E:/u/Downloads$ gpg --verify apache-daffodil-3.3.0-src.zip.asc apache-daffodil-3.3.0-src.zip gpg: Signature made Thu Mar 17 13:12:45 2022 PDT gpg: using RSA key 85849EC0374262C7110CA74404A735FC1A36AE84 gpg: Good signature from "John Interrante (Code Signing Key) <[email protected]>" [ultimate] I haven't participated in a key signing party and I'm not sure where I would get a trust chain to import into my key ring to verify Mike's signature belongs to him. John -----Original Message----- From: Dave Fisher <[email protected]> Sent: Friday, March 18, 2022 1:38 PM To: [email protected] Subject: EXT: Re: GPG signature verification warnings WARNING: This email originated from outside of GE. Please validate the sender's email address before clicking on links or attachments as they may not be safe. Mike you probably participated in a Keysigning party and John has not. Look up keysigning on www.Apache.org and have a “party” to sign his key. If that’s not possible right now that’s ok. Sent from my iPhone > On Mar 18, 2022, at 1:27 PM, Mike Beckerle <[email protected]> wrote: > > When verifying GPG signatures recently I got this warning: > > gpg --verify ./apache-daffodil-3.3.0-1.noarch.rpm.asc > ./apache-daffodil-3.3.0-1.noarch.rpm > gpg: Signature made Thu 17 Mar 2022 04:12:45 PM EDT > gpg: using RSA key 85849EC0374262C7110CA74404A735FC1A36AE84 > gpg: Good signature from "John Interrante (Code Signing Key) < > [email protected]>" [unknown] > gpg: WARNING: This key is not certified with a trusted signature! > gpg: There is no indication that the signature belongs to the > owner. > Primary key fingerprint: 8584 9EC0 3742 62C7 110C A744 04A7 35FC 1A36 > AE84 PASSED GPG Signature Check > > Note the WARNING in the above. > > When I verify the 3.2.1 source jar (which I signed) I get: > > gpg --verify apache-daffodil-3.2.1-src.zip.asc > apache-daffodil-3.2.1-src.zip > gpg: Signature made Mon 20 Dec 2021 12:18:16 PM EST > gpg: using RSA key 4B6A956D3ED3650268802E37274B8F1413A680AF > gpg: Good signature from "Michael J. Beckerle (Code Signing Key) < > [email protected]>" [ultimate] > > No warning. > > So there is something different about the way my code signing key was > established. > > Mike Beckerle > Apache Daffodil PMC | daffodil.apache.org OGF DFDL Workgroup Co-Chair > | www.ogf.org/ogf/doku.php/standards/dfdl/dfdl > Owl Cyber Defense | www.owlcyberdefense.com
