I can see that stack's signature is signed by a few signatures in the link, so I believe it is good. I wonder what it takes to satisfy the 'gpg --verify' tool.
Stack's has some signatures http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0xDF0F5BBC30CD0996 Ram's has none. http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0xA1ABD56E867B57B8 We should have a little key signing party at HBaseCon. Jon. On Wed, Mar 14, 2012 at 9:31 PM, Todd Lipcon <[email protected]> wrote: > You probably want to do: > gpg --keyserver pgp.mit.edu --recv-keys 30CD0996 > > That wlil update Stack's keys and its signatures from the central > repo. Though you still won't have a "web of trust" unless you have > also signed a bunch of keys, I don't think. But I've signed Owen's key > 3D0C92B9, and Owen has signed Stack's key 30CD0996, so I can verify > that signature. > > -Todd > > On Wed, Mar 14, 2012 at 10:49 AM, Jonathan Hsieh <[email protected]> wrote: > > Sorry about my ignorance about this -- I'm new to the gpg tools. I missed > > stack's key when I checked in the asc file. I just ran thought the > steps I > > could gather and here's what I get. I'm not completely sure but I > believe > > there is still something not quite right with this (same WARNING on > stack's > > and ram's signature). > > > > Am I doing something wrong? (or just worrying too much..) > > > > ---- > > [jon@c0309 dist]$ curl > > http://svn.apache.org/viewvc/hbase/dist/KEYS?view=co> KEYS > > [jon@c0309 dist]$ gpg --import KEYS > > gpg: key 30CD0996: public key "Michael Stack <[email protected]>" > imported > > gpg: key 945D66AF: public key "Jean-Daniel Cryans (ASF key) < > > [email protected]>" imported > > gpg: key D34B98D6: public key "Michael Stack <[email protected]>" > imported > > gpg: key AEC77EAF: public key "Todd Lipcon <[email protected]>" > imported > > gpg: Total number processed: 4 > > gpg: imported: 4 (RSA: 2) > > [jon@c0309 dist]$ gpg --verify hbase-0.90.6.tar.gz.asc.1 > > hbase-0.90.6-rc5.tar.gz > > gpg: Signature made Fri 02 Mar 2012 10:40:13 AM PST using RSA key ID > > 30CD0996 > > gpg: Good signature from "Michael Stack <[email protected]>" > > gpg: WARNING: This key is not certified with a trusted signature! > > gpg: There is no indication that the signature belongs to the > > owner. > > Primary key fingerprint: 686E 5EDF 04A4 8305 5416 0910 DF0F 5BBC 30CD > 0996 > > gpg: Signature made Fri 02 Mar 2012 09:40:28 AM PST using RSA key ID > > 867B57B8 > > gpg: Good signature from "Ramkrishna S Vasudevan (for code checkin) < > > [email protected]>" > > gpg: WARNING: This key is not certified with a trusted signature! > > gpg: There is no indication that the signature belongs to the > > owner. > > Primary key fingerprint: 7405 BB74 016B E7D0 7B25 15E3 A1AB D56E 867B > 57B8 > > [jon@c0309 dist]$ > > [jon@c0309 dist]$ # this is stack's > > [jon@c0309 dist]$ gpg --fingerprint 30cd0996 > > pub 2048R/30CD0996 2010-05-03 > > Key fingerprint = 686E 5EDF 04A4 8305 5416 0910 DF0F 5BBC 30CD 0996 > > uid Michael Stack <[email protected]> > > sub 2048R/00A5F21E 2010-05-03 > > --- > > > > Jon. > > > > > > On Wed, Mar 14, 2012 at 10:06 AM, Stack <[email protected]> wrote: > > > >> On Wed, Mar 14, 2012 at 9:21 AM, Jonathan Hsieh <[email protected]> > wrote: > >> > We need get the gpg signature fixed since you aren't in the web of > trust > >> > yet. We need to add stack's and I'd like to add mine once my keys get > >> > added to the web of trust (folks are a little more accessible here). > >> > > >> > >> I thought I signed it. > >> > >> if not, can check the bits and sign before release. > >> > >> Thanks for taking her for a spin Jon. > >> St.Ack > >> > > > > > > > > -- > > // Jonathan Hsieh (shay) > > // Software Engineer, Cloudera > > // [email protected] > > > > -- > Todd Lipcon > Software Engineer, Cloudera > -- // Jonathan Hsieh (shay) // Software Engineer, Cloudera // [email protected]
