On 08/05/2016 12:28 PM, Dennis E. Hamilton wrote:
For tracking the [TESTING] of the 4.1.2-patch1 binary for Windows, I have 
created task Issue 127065,
<https://bz.apache.org/ooo/show_bug.cgi?id=127065>.  Comment 7 there already 
speaks to the untrusted identification situation.

I am adding an abridged version of this message from Carl with the part 
relevant to certificate trust.  Note that most of us who have worked on 
4.1.2-patch1 and provided digital signatures will find that identity will be 
reported as untrusted based on the Web-of-Trust technique PGP software uses.  
We can, of course, verify the fingerprints and Apache account identity and 
certify each other.  That will change the status for those of us in this 
particular circle but not necessarily for anyone who does not already trust the 
identification of enough of us.

I don't think there is any way to get into this in our README files.  However, this 
is useful for any future contributions we might make to the page at 
<http://www.apache.org/dev/release-signing.html> or anything supplemental that 
is oriented to the users of Apache OpenOffice and their particular range of skills.

-----Original Message-----
From: Carl Marcum [mailto:cmar...@apache.org]
Sent: Friday, August 5, 2016 03:30
To: dev@openoffice.apache.org
Subject: Re: [TESTING] Applying openoffice-4.1.2-patch1 for Windows

On 08/04/2016 06:52 PM, Marcus wrote:
On 08/05/2016 12:26 AM, Kay Schenk wrote:
On 08/04/2016 02:21 PM, Marcus wrote:
[ ... ]
    * apache-openoffice-4.1.2-patch1-apply-Win_x86.zip.asc
I don't know if this is OK or still bad:

gpg --verify apache-openoffice-4.1.2-patch1-apply-Win_x86.zip.asc apache-openoffice-4.1.2-patch1-apply-Win_x86.zip
gpg: Signature made Tue 02 Aug 2016 06:24:08 AM CEST using RSA key ID D456628A
gpg: Good signature from "keybase.io/orcmid (confirmed identifier) <orc...@keybase.io>"
gpg:                 aka "orcmid (Dennis E. Hamilton) <orc...@msn.com>"
gpg:                 aka "orcmid Apache (code signing) <orc...@apache.org>"
gpg:                 aka "Dennis E. Hamilton (orcmid) <dennis.hamil...@acm.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
I get this on sig checks also. There's probably a step we're missing to
specify "trust" locally.

See:
http://www.apache.org/dev/release-signing.html
Signing Dennis' key locally worked for me.
On Linux I use:
gpg --default-key 9553BF9A --sign-key D456628A

If the key you want to sign it with is already the default key, you can
omit the "--default-key 9553BF9A" part.
Sometimes you may have to prefix the IDs with "0x" to denote hex.

If you trust this is Dennis' key, you can send his key back with your sig
now attached and it will have more trust.
gpg --send-key 0xD456628A

If a few people do it, the warning should go away. Web-of-trust :)

Carl
[orcmid]

The warning will go away for us who have created a mutual Web-of-Trust but it 
won't help those who are not in that circle or have not somehow determined to 
trust in it themselves.  This is still useful advice about how to do it.

PS: I don't think the dist-level KEYS file is updated automatically, so the 
release KEYS set needs to be refreshed to work.  (We can check that by waiting 
for a while to see if Carl's trust of Dennis's key shows up.)

Dennis,

Yes, I think I oversimplified that.

Thanks for clarifying.

Best regards,
Carl


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org
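The gpg output quoted above is easy to misread: "Good signature" answers one question (does the file match the .asc?) and the WARNING answers a different one (is the signing key tied to a person you trust?). The following parser is an added example, not code from the thread or from the Apache OpenOffice project. It parses the human-readable gpg --verify output (the sample below is a constructed copy of the output in the thread, plus a constructed "BAD signature" variant), extracts which key made the signature and whether gpg flagged it as untrusted, and compares the printed key ID against an expected release key ID, which here is assumed to come from the project's KEYS file. The third verdict corresponds to the situation Carl describes: integrity checks out, identity is not yet established, so the next step is to check the fingerprint against KEYS and sign the key locally. Note that short 8-hex-digit key IDs are only 32 bits and can collide, so for anything that matters compare the full fingerprint from KEYS rather than the short ID.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample input: the gpg --verify output quoted in the thread, with
# the mail client's line wrapping undone. Addresses stay obfuscated as shown.
SAMPLE_OUTPUT = """\
gpg: Signature made Tue 02 Aug 2016 06:24:08 AM CEST using RSA key ID D456628A
gpg: Good signature from "keybase.io/orcmid (confirmed identifier) <orc...@keybase.io>"
gpg:                 aka "orcmid (Dennis E. Hamilton) <orc...@msn.com>"
gpg:                 aka "orcmid Apache (code signing) <orc...@apache.org>"
gpg:                 aka "Dennis E. Hamilton (orcmid) <dennis.hamil...@acm.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
"""

# Constructed sample: what gpg prints when the file does not match its .asc.
SAMPLE_BAD_OUTPUT = """\
gpg: Signature made Tue 02 Aug 2016 06:24:08 AM CEST using RSA key ID D456628A
gpg: BAD signature from "orcmid Apache (code signing) <orc...@apache.org>"
"""


@dataclass
class VerifyResult:
    good_signature: bool = False
    bad_signature: bool = False
    key_id: str | None = None            # key ID as printed, upper-cased, no 0x
    uids: list[str] = field(default_factory=list)
    key_trusted: bool = True             # cleared when gpg prints the WARNING


KEY_RE = re.compile(r"using \w+ key(?: ID)? (?:0x)?([0-9A-Fa-f]+)")
GOOD_RE = re.compile(r'^Good signature from "(.*)"')
BAD_RE = re.compile(r'^BAD signature from "(.*)"')
AKA_RE = re.compile(r'^aka "(.*)"')


def parse_verify_output(text: str) -> VerifyResult:
    """Pull the three facts that matter out of gpg --verify's human-readable
    output: did the signature verify, which key made it, and does gpg regard
    that key as trusted (i.e. certified by a key in your web of trust)."""
    r = VerifyResult()
    for line in text.splitlines():
        if not line.startswith("gpg:"):
            continue
        body = line[len("gpg:"):].strip()
        if m := KEY_RE.search(body):
            r.key_id = m.group(1).upper()
        elif m := GOOD_RE.match(body):
            r.good_signature = True
            r.uids.append(m.group(1))
        elif m := BAD_RE.match(body):
            r.bad_signature = True
        elif m := AKA_RE.match(body):
            r.uids.append(m.group(1))
        elif body.startswith("WARNING: This key is not certified"):
            r.key_trusted = False
    return r


def same_key(printed: str | None, expected: str) -> bool:
    """gpg may print a short (8 hex) or long (16 hex) key ID, or a full
    fingerprint; the shorter forms are the low-order end of the longer ones,
    so compare by suffix after normalising case and stripping any 0x."""
    if printed is None:
        return False
    a, b = printed.upper(), expected.upper()
    a = a[2:] if a.startswith("0X") else a
    b = b[2:] if b.startswith("0X") else b
    return a.endswith(b) or b.endswith(a)


def classify(result: VerifyResult, expected_key_id: str) -> tuple[str, str]:
    """Map the parsed output onto the decision a release tester has to make.
    expected_key_id is assumed to have been taken from the project's KEYS file."""
    if result.bad_signature or not result.good_signature:
        return ("reject", "signature does not verify: the file or its .asc is corrupt or altered")
    if not same_key(result.key_id, expected_key_id):
        return ("reject", f"signed by key {result.key_id}, not the expected release key {expected_key_id}")
    if not result.key_trusted:
        return ("accept-unverified-identity",
                "integrity is fine, but the signer is not in your web of trust: "
                "compare the fingerprint with KEYS, then sign the key locally to clear the warning")
    return ("accept", "good signature from a key your keyring trusts")


if __name__ == "__main__":
    for sample in (SAMPLE_OUTPUT, SAMPLE_BAD_OUTPUT):
        verdict, why = classify(parse_verify_output(sample), "0xD456628A")
        print(f"{verdict}: {why}")
```

Run it as-is to see both verdicts; to apply it to a real check, feed it the combined stderr/stdout of gpg --verify and the key ID (better, the fingerprint) of the release key from KEYS. The point of the three-way split is that "accept-unverified-identity" is not a failure of the download but a statement about your own keyring, which is exactly why the warning disappears for people who have cross-signed and stays for everyone else.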
