Hi Andrew,

A couple things:

* You accidentally replied to the release helper guide; I think you meant to vote on the [VOTE] thread
* The warning message you received during GPG verification simply means that you had not previously marked Jeremy’s key as “trusted” via your GPG application. The intended process is:
  * Jeremy posts his public key on a key server
  * You verify Jeremy’s key via a different channel (chat/in-person/voice verification) — this is where the key fingerprint is useful; he can read it over the phone and you, knowing his voice, can verify that he is using the key ostensibly published by him
  * If you do not know Jeremy or cannot contact him, you can delegate that trust verification to someone else. For example, I have verified the key fingerprint with Jeremy offline, so I trust that this key is his. I have signed that public key using my private key (key ID 0x2F7DEF69) and I can publish that signature to public key servers. Now, if you trust my key, you can accept that transitive trust as well. (The servers are under stress right now but this link should show that when the server is up: https://pgp.mit.edu/pks/lookup?search=0x6B295AD5&op=index)
  * Once you have verified or trust that the key represents Jeremy, you can assign it a level of “owner trust” in your GPG application, ranging from Never -> Marginal -> Full, representing how seriously you believe this is Jeremy’s key.
  * After a trust level has been assigned, you will not get the message you did. You will get a message like the one below:

hw12203:/Users/alopresto/Workspace/scratch/release_verification/minifi-java-0.5.0 (master) alopresto 🔓 0s @ 11:09:55
$ gpg --verify -v minifi-0.5.0-source-release.zip.asc
gpg: assuming signed data in 'minifi-0.5.0-source-release.zip'
gpg: Signature made Thu Jun 28 09:31:10 2018 PDT
gpg:                using RSA key 50AA60AD5D58311187B0BEB5C6E550DA6B295AD5
gpg:                issuer "[email protected]"
gpg: using pgp trust model
gpg: Good signature from "Jeremy Dyer (CODE SIGNING KEY) <[email protected]>" [full]
gpg: binary signature, digest algorithm SHA512, key algorithm rsa4096

Andy LoPresto
[email protected]
[email protected]
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69

> On Jul 1, 2018, at 8:35 PM, Andrew Psaltis <[email protected]> wrote:
>
> +1 (non-binding)
>
> - verified keys
> - verified signatures
> - verified README's, NOTICE and LICENSE
> - tested c2 NiFiRestConfigurationProvider with NiFi 1.6.0 and minifi from this build, various changes to template -- bumping versions, etc.
>
> One thing I noticed when verifying the keys, which I am not sure is an issue, is the WARNING that the key is not certified with a trusted signature. The following is the output from the command:
>
> gpg: assuming signed data in 'minifi-0.5.0-source-release.zip'
> gpg: Signature made Fri Jun 29 00:31:10 2018 +08
> gpg:                using RSA key 50AA60AD5D58311187B0BEB5C6E550DA6B295AD5
> gpg:                issuer "[email protected]"
> gpg: Good signature from "Jeremy Dyer (CODE SIGNING KEY) <[email protected]>" [unknown]
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the owner.
> Primary key fingerprint: 50AA 60AD 5D58 3111 87B0 BEB5 C6E5 50DA 6B29 5AD5
>
>
> On Fri, Jun 29, 2018 at 1:39 AM Jeremy Dyer <[email protected]> wrote:
>
>> Hello Apache NiFi community,
>>
>> Please find the associated guidance to help those interested in validating/verifying the release so they can vote.
>>
>> # Download latest KEYS file:
>> https://dist.apache.org/repos/dist/dev/nifi/KEYS
>>
>> # Import keys file:
>> gpg --import KEYS
>>
>> # [optional] Clear out local maven artifact repository
>>
>> # Pull down minifi-0.5.0 source release artifacts for review:
>>
>> wget https://dist.apache.org/repos/dist/dev/nifi/nifi-minifi/0.5.0/minifi-0.5.0-source-release.zip
>> wget https://dist.apache.org/repos/dist/dev/nifi/nifi-minifi/0.5.0/minifi-0.5.0-source-release.zip.asc
>> wget https://dist.apache.org/repos/dist/dev/nifi/nifi-minifi/0.5.0/minifi-0.5.0-source-release.zip.sha1
>> wget https://dist.apache.org/repos/dist/dev/nifi/nifi-minifi/0.5.0/minifi-0.5.0-source-release.zip.sha256
>>
>> # Verify the signature
>> gpg --verify minifi-0.5.0-source-release.zip.asc
>>
>> # Verify the hashes (sha1 and sha256) match the source and what was provided in the vote email thread
>> sha1sum minifi-0.5.0-source-release.zip
>> sha256sum minifi-0.5.0-source-release.zip
>>
>> # Unzip minifi-0.5.0-source-release.zip
>>
>> # Verify the build works including release audit tool (RAT) checks
>> cd minifi-0.5.0
>> mvn clean install -Pcontrib-check
>>
>> # Verify the contents contain a good README, NOTICE, and LICENSE.
>>
>> # Verify the git commit ID is correct
>>
>> # Verify the RC was branched off the correct git commit ID
>>
>>
>> There are three convenience binaries generated as part of this process. The MiNiFi assembly, a MiNiFi Toolkit assembly, and a MiNiFi C2 Assembly.
>>
>> For the MiNiFi assembly:
>>
>> # Look at the resulting convenience binary as found in minifi-assembly/target
>>
>> # Make sure the README, NOTICE, and LICENSE are present and correct
>>
>> # Run the resulting convenience binary and make sure it works as expected
>>
>>
>> For the MiNiFi Toolkit assembly:
>>
>> # Look at the resulting convenience binary as found in minifi-toolkit/minifi-toolkit-assembly/target
>>
>> # Make sure the README, NOTICE, and LICENSE are present and correct
>>
>> # Run the resulting convenience binary and make sure it works as expected
>>
>>
>> For the MiNiFi C2 assembly:
>>
>> # Look at the resulting convenience binary as found in minifi-c2/minifi-c2-assembly/target
>>
>> # Make sure the README, NOTICE, and LICENSE are present and correct
>>
>> # Run the resulting convenience binary and make sure it works as expected
>>
>>
>>
>> # Send a response to the vote thread indicating a +1, 0, -1 based on your findings.
>>
>>
>> Thank you for your time and effort to validate the release!
>>
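The "verify the signature" and "verify the hashes" steps of the guide, and the trust distinction Andy explains, automated as a shell script. This is an added example, not code from the thread or from the Apache NiFi project. It exists because `gpg --verify` exits 0 for a good signature from a key with no owner trust (the `[unknown]` output Andrew pasted), so a script that only checks the exit code would miss exactly that warning; the machine-readable `--status-fd` lines are parsed instead. Assumed: `gpg` and `sha256sum` (or `shasum`) are installed, the `.sha256` file carries the hex digest as its first token, and the fingerprint constant is the release signing key fingerprint quoted in the thread.

```shell
#!/bin/sh
# Added example (not part of the original thread): fail hard unless the
# release signature is valid, made by the expected key, that key has owner
# trust assigned, and the SHA-256 matches the published digest.
# Assumptions: gpg + sha256sum/shasum installed; the .sha256 file holds the
# hex digest as its first token; EXPECTED_FPR is the fingerprint quoted in
# the vote thread for the release signing key.

EXPECTED_FPR="50AA60AD5D58311187B0BEB5C6E550DA6B295AD5"

# Print the hex SHA-256 of a file with whichever tool is available.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Parse "gpg --status-fd" output saved in file $1. Succeeds only when gpg
# emitted a VALIDSIG whose primary-key fingerprint (the last field) equals $2
# AND a TRUST_FULLY or TRUST_ULTIMATE line, i.e. the key has been given owner
# trust as described in the thread. A good signature from an untrusted key
# shows up as TRUST_UNDEFINED and is rejected here.
# Return codes: 1 no valid signature, 2 unexpected key, 3 key not trusted.
check_gpg_status() {
    got_fpr=$(awk '$2 == "VALIDSIG" {print $NF; exit}' "$1")
    if [ -z "$got_fpr" ]; then
        echo "no valid signature found" >&2
        return 1
    fi
    if [ "$got_fpr" != "$2" ]; then
        echo "signature made by unexpected key $got_fpr" >&2
        return 2
    fi
    if grep -q -E '^\[GNUPG:\] TRUST_(FULLY|ULTIMATE)' "$1"; then
        return 0
    fi
    echo "good signature, but key $got_fpr has no owner trust; verify the fingerprint out of band, then assign trust" >&2
    return 3
}

# Compare artifact $1 against the digest file $2 published beside it.
# Only the first token is used, case-insensitively.
check_sha256() {
    want=$(awk 'NR == 1 {print tolower($1)}' "$2")
    got=$(sha256_of "$1")
    [ -n "$want" ] && [ "$want" = "$got" ]
}

# Full check for one release artifact: signature, owner trust and checksum.
verify_release() {
    status_file=$(mktemp)
    # --status-fd 1 sends the machine-readable lines to stdout; the human
    # readable output on stderr is discarded. The exit code is deliberately
    # ignored because it does not reflect trust.
    gpg --batch --status-fd 1 --verify "$1.asc" "$1" >"$status_file" 2>/dev/null || true
    if check_gpg_status "$status_file" "$2" && check_sha256 "$1" "$1.sha256"; then
        rc=0
    else
        rc=1
    fi
    rm -f "$status_file"
    return $rc
}

# Run the full check only when an artifact path is given, e.g.
#   sh verify_release.sh minifi-0.5.0-source-release.zip
# so the functions can also be sourced from another script.
if [ $# -ge 1 ]; then
    verify_release "$1" "$EXPECTED_FPR" && echo "OK: $1"
fi
```

Run it from the directory holding the `.zip`, `.zip.asc` and `.zip.sha256` downloaded per the guide. Exit status 0 means all three checks passed; any other status prints which one failed on stderr, and the "no owner trust" case is the one to resolve by verifying the fingerprint through a second channel before re-running.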
