On Fri, Jun 25, 2010 at 5:29 AM, Thomas Koch <[email protected]> wrote:

> But checking the signatures of apache software obviously is meaningless,
> since apache developers appear to not have their keys in the web-of-trust.
> From three signature files I had lying around on my hard disc, all three
> keys had zero signatures on the MIT keyserver:

are you sure you know how to verify keys? please read the manual before cross-posting to this many mailing lists.

for example, Grant's key is definitely signed. i know because i signed it myself:

    pub 4096R/FE045966 2009-10-13
    uid Grant Ingersoll (CODE SIGNING KEY) <[email protected]>
    sig sig3 FE045966 2009-10-13 __________ __________ [selfsig]
    sig sig  A867E8B1 2009-10-13 __________ __________ Grant Ingersoll (CODE SIGNING KEY) <[email protected]>
    sig sig  3396054D 2009-11-05 __________ __________ Robert Muir (Code Signing Key) <[email protected]>
    sig sig  ECA39416 2009-11-05 __________ __________ Simon Willnauer (Code Signing Key) <[email protected]>
    sig sig  C09FB546 2009-11-05 __________ __________ Isabel Drost (Apache release signing key) <[email protected]>
    sig sig  0C0885B4 2009-11-05 __________ __________ Isabel Drost < [email protected]>
    sig sig  E1EE085F 2009-11-05 __________ __________ Uwe Schindler (CODE SIGNING KEY) <[email protected]>

--
Robert Muir
[email protected]
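
Added example, not part of the original message: a small parser for a keyserver listing in the layout quoted above, separating the self-signature, signatures from a key carrying the same user ID, and signatures from other people. The sample listing, its key IDs and names are constructed, and `classify_signatures` is a hypothetical helper name.

```python
import re

# Constructed sample in the keyserver listing layout quoted in the message
# (key IDs and names are made up; e-mail addresses are omitted).
SAMPLE = """\
pub 4096R/AAAA1111 2009-10-13
uid Alice Example (CODE SIGNING KEY)
sig sig3 AAAA1111 2009-10-13 __________ __________ [selfsig]
sig sig BBBB2222 2009-10-13 __________ __________ Alice Example (CODE SIGNING KEY)
sig sig CCCC3333 2009-11-05 __________ __________ Bob Example (Code Signing Key)
sig sig DDDD4444 2009-11-05 __________ __________ Carol Example
"""

PUB = re.compile(r"^pub\s+\S+/([0-9A-F]{8})\s")
UID = re.compile(r"^uid\s+(.*\S)\s*$")
# sig <class> <signer key id> <date> <expiry> <expiry> <signer uid or [selfsig]>
SIG = re.compile(
    r"^sig\s+\S+\s+([0-9A-F]{8})\s+(\d{4}-\d{2}-\d{2})\s+\S+\s+\S+\s+(.*\S)\s*$"
)


def classify_signatures(listing):
    """Split the signatures listed on a key into self, same-name and third-party."""
    key_id, uid = None, None
    result = {"self": [], "same_name": [], "third_party": []}
    for line in listing.splitlines():
        line = line.strip()
        if m := PUB.match(line):
            key_id = m.group(1)
        elif m := UID.match(line):
            uid = m.group(1)
        elif m := SIG.match(line):
            signer_id, _date, signer = m.groups()
            if signer_id == key_id or signer == "[selfsig]":
                result["self"].append(signer_id)
            elif signer == uid:
                # Another key with the owner's own user ID: not independent.
                result["same_name"].append(signer_id)
            else:
                result["third_party"].append(signer_id)
    return result


if __name__ == "__main__":
    for kind, ids in classify_signatures(SAMPLE).items():
        print(f"{kind}: {len(ids)} {ids}")
```

A listing like this only shows which signature packets the keyserver holds; the signatures themselves are checked locally, for example with `gpg --check-sigs` after importing the signers' keys.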
