Good catch Sean:

bugg@tom-laptop2:~$ gpg --verify apache-oodt-1.1-src.zip.asc
gpg: assuming signed data in `apache-oodt-1.1-src.zip'
gpg: Signature made Wed 19 Jul 2017 19:57:50 BST using RSA key ID 0C1E654B
gpg: Good signature from "Chris Mattmann (CODE SIGNING KEY - Apr 2016) <mattm...@apache.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: F434 C970 B95A 6FCA 6FB9 0C45 4EAA F8B6 0C1E 654B
bugg@tom-laptop2:~$

The key works, but I think the KEYS file needs to be updated in the SVN repo per:
https://www.apache.org/dev/release-signing.html#keys-policy

For now I'm gonna say -1 unless updating KEYS isn't required.

Tom

On Mon, Jul 24, 2017 at 5:22 AM, Chris Mattmann <mattm...@apache.org> wrote:

> I updated it in id.apache.org, which autogenerates [1], which should be the
> canonical source for our KEYS file. Give it a check in ~1 hour or so should be
> all good.
>
> Cheers,
> Chris
>
> [1] https://people.apache.org/keys/group/oodt.asc
>
> On 7/23/17, 5:33 PM, "Sean Kelly" <ke...@apache.org> wrote:
>
> That did the trick.
>
> I'll be +1 if you also update the KEYS file.
>
> Transcript:
>
> fatalii 298 % date -u
> Mon Jul 24 00:32:49 UTC 2017
> fatalii 299 % gpg --verify apache-oodt-1.1-src.zip.asc
> gpg: Signature made Wed Jul 19 13:57:50 2017 CDT using RSA key ID 0C1E654B
> gpg: Good signature from "Chris Mattmann (CODE SIGNING KEY - Apr 2016) <mattm...@apache.org>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the owner.
> Primary key fingerprint: F434 C970 B95A 6FCA 6FB9 0C45 4EAA F8B6 0C1E 654B
>
> --k
>
> Chris Mattmann wrote:
> > Hey Sean I think I have a new key on my Mac – can you check? I just submitted the new
> > key to MIT keyserver, can you re-verify and see if that fixes it?
> >
> > Cheers,
> > Chris
> >
> > On 7/23/17, 5:06 PM, "Sean Kelly"<ke...@apache.org> wrote:
> >
> > Hi folks:
> >
> > I realize it's already 72 hours and we have the requisite 3 +1 votes,
> > but I'm definitely in the -1 camp if this release was signed with the
> > wrong key.
> >
> > I hope it's just user error on my end.
> >
> > Take care
> > --k
> >
> > > *From:* Sean Kelly<ke...@apache.org>
> > > *Date:* 2017-07-22 at 12.54 p
> > > *To:* dev@oodt.apache.org
> > > *Subject:* [VOTE] Apache OODT 1.1 Release Candidate #2
> > > Did anyone check the signature?
> > >
> > > I'm getting an unknown RSA key 0C1E654B:
> > >
> > > fatalii 278 % date -u
> > > Sat Jul 22 17:53:42 UTC 2017
> > > fatalii 279 % gpg --verify apache-oodt-1.1-src.zip.asc
> > > gpg: Signature made Wed Jul 19 13:57:50 2017 CDT using RSA key ID 0C1E654B
> > > gpg: Can't check signature: No public key
> > >
> > > --k
> > >
> > > *From:* Chris Mattmann<mattm...@apache.org>
> > > *Date:* 2017-07-19 at 2.01 p
> > > *To:* dev@oodt.apache.org
> > > *Subject:* [VOTE] Apache OODT 1.1 Release Candidate #2
> > > Hi Folks,
> > >
> > > I have posted a 2nd release candidate for the Apache OODT 1.1 release. The
> > > source code is at:
> > >
> > > https://dist.apache.org/repos/dist/dev/oodt/
> > >
> > > For more detailed information, see the included CHANGES.txt file for details on
> > > release contents and latest changes. The release was made using the OODT
> > > release process, documented on the Wiki here:
> > >
> > > https://cwiki.apache.org/confluence/display/OODT/Release+Process
> > >
> > > The release was made from the OODT 1.1 tag at:
> > >
> > > https://github.com/apache/oodt/tree/1.1/
> > >
> > > A staged Maven repository is available at:
> > >
> > > https://repository.apache.org/content/repositories/orgapacheoodt-1013/
> > >
> > > Please vote on releasing these packages as Apache OODT 1.1. The vote is
> > > open for at least the next 72 hours.
> > >
> > > Only votes from OODT PMC are binding, but folks are welcome to check the
> > > release candidate and voice their approval or disapproval. The vote passes
> > > if at least three binding +1 votes are cast.
> > >
> > > [ ] +1 Release the packages as Apache OODT 1.1
> > >
> > > [ ] -1 Do not release the packages because...
> > >
> > > Thanks!
> > >
> > > Chris Mattmann
> > >
> > > P.S. Here is my +1.
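
The check the thread converges on, as an added example that is not from the thread or from the OODT project: verify the detached signature against only the keys in a KEYS file, using a throwaway keyring, and compare the signer's primary-key fingerprint with the one gpg printed above. The function names and the sample status lines are assumptions made for illustration; the parsing relies on the VALIDSIG line that gpg writes with --status-fd.

```shell
#!/bin/sh
# Added example (not from the thread). Fingerprint as printed by gpg in the
# thread, with the spaces removed.
EXPECTED_FPR="F434C970B95A6FCA6FB90C454EAAF8B60C1E654B"

# Constructed sample of `gpg --status-fd 1 --verify` output for a signature
# whose key is in the keyring (timestamp and algorithm fields are made up).
SAMPLE_GOOD='[GNUPG:] GOODSIG 4EAAF8B60C1E654B Chris Mattmann (CODE SIGNING KEY - Apr 2016)
[GNUPG:] VALIDSIG F434C970B95A6FCA6FB90C454EAAF8B60C1E654B 2017-07-19 1500490670 0 4 0 1 8 00 F434C970B95A6FCA6FB90C454EAAF8B60C1E654B'

# Constructed sample for the "No public key" case: no VALIDSIG line is emitted.
SAMPLE_NOKEY='[GNUPG:] ERRSIG 4EAAF8B60C1E654B 1 8 00 1500490670 9
[GNUPG:] NO_PUBKEY 4EAAF8B60C1E654B'

# Read gpg status lines on stdin; print the primary-key fingerprint of the
# first cryptographically valid signature, or nothing if there is none.
signer_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print (NF >= 12 ? $12 : $3); exit }'
}

# verify_release KEYS SIG FILE FPR (hypothetical helper)
# Succeeds only if SIG is a valid signature over FILE made by a key that is
# present in KEYS and whose primary fingerprint equals FPR.
verify_release() {
    home=$(mktemp -d) || return 2
    chmod 700 "$home"
    # Empty throwaway keyring: a key fetched earlier from a keyserver cannot
    # make the check pass while KEYS is stale.
    gpg --homedir "$home" --batch --quiet --import "$1" 2>/dev/null
    status=$(gpg --homedir "$home" --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null)
    rm -rf "$home"
    got=$(printf '%s\n' "$status" | signer_fpr)
    [ -n "$got" ] && [ "$got" = "$4" ]
}

# Usage: sh verify.sh KEYS apache-oodt-1.1-src.zip.asc apache-oodt-1.1-src.zip
if [ "$#" -eq 3 ]; then
    if verify_release "$1" "$2" "$3" "$EXPECTED_FPR"; then
        echo "OK: signed by a key in KEYS with the expected fingerprint"
    else
        echo "FAIL: signer not in KEYS or fingerprint mismatch" >&2
        exit 1
    fi
fi
```

Run against a KEYS file that lacks the signing key, this fails in the same way as the first transcript in the thread, whatever keys the verifier's personal keyring already holds.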