Hi Devs,

Now we are almost ready for the release. As part of the release process, we need to sign files [1].

I created a key following a few guides [1][2]. My key ID is 2D09CC5E [3]. My key was signed and trusted by a few other users.

When verifying [4] the release [5] from another user, we noticed the following warning.

gpg: Signature made Fri 18 Apr 2014 06:35:19 PM IST using RSA key ID 2D09CC5E
gpg: Good signature from "M. Isuru Tharanga Chrishantha Perera (CODE SIGNING KEY) <[email protected]>"
*gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.*
Primary key fingerprint: 9C4E CBA6 920C 175D C498 15AC 0508 949F 2D09 CC5E

The main concern is how to avoid the above warning. This concern was raised when releasing the previous version as well. See "PPMC diligence is needed in Voting" on dev@ [6].

I really appreciate your ideas, especially from the mentors.

Please note that the dist location at [5] does not contain the final source release.

Thanks!

Best Regards,

[1] http://www.apache.org/dev/release-signing.html
[2] http://www.apache.org/dev/openpgp.html
[3] http://pgp.mit.edu/pks/lookup?op=vindex&search=0x0508949F2D09CC5E
[4] https://cwiki.apache.org/confluence/display/STRATOS/4.0.0+Testing+Procedure
[5] https://dist.apache.org/repos/dist/dev/incubator/stratos/releases/4.0.0-incubating-rc1/
[6] http://mail-archives.apache.org/mod_mbox/stratos-dev/201310.mbox/%[email protected]%3E

--
Isuru Perera
Senior Software Engineer | WSO2, Inc. | http://wso2.com/
Lean . Enterprise . Middleware
about.me/chrishantha
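Added example, not part of the original message and not the project's own tooling: the warning quoted above reports that the verifier's keyring has no trust path to the key, while "Good signature" reports that the signature itself checked out. The sketch below separates those two results by reading gpg's machine-readable status lines and comparing the signing key with a pinned fingerprint. The status lines are constructed, and the names classify, normalize_fpr, SAMPLE_STATUS and PINNED_FPR are hypothetical.

```python
import re

# Constructed sample: what `gpg --status-fd 1 --verify <file>.asc <file>` could
# emit for the case in the message (user ID shortened, numeric fields illustrative).
SAMPLE_STATUS = """\
[GNUPG:] GOODSIG 0508949F2D09CC5E Release Signer (CODE SIGNING KEY)
[GNUPG:] VALIDSIG 9C4ECBA6920C175DC49815AC0508949F2D09CC5E 2014-04-18 1397826319 0 4 0 1 2 00 9C4ECBA6920C175DC49815AC0508949F2D09CC5E
[GNUPG:] TRUST_UNDEFINED
"""
# Fingerprint as printed in the message; in practice, pin it from a channel
# the verifier already trusts (assumption of this example).
PINNED_FPR = "9C4E CBA6 920C 175D C498 15AC 0508 949F 2D09 CC5E"
TRUST_KEYWORDS = {"TRUST_UNDEFINED", "TRUST_NEVER", "TRUST_MARGINAL",
                  "TRUST_FULLY", "TRUST_ULTIMATE"}

def normalize_fpr(fpr):
    """Remove the spacing gpg prints in fingerprints and upper-case the hex."""
    return re.sub(r"\s+", "", fpr).upper()

def classify(status_text, expected_fpr):
    """Return (verdict, detail) for the status output of one signature check."""
    good = bad = False
    primary_fpr = trust = None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()[1:]
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword == "GOODSIG":
            good = True
        elif keyword in ("BADSIG", "ERRSIG"):
            bad = True
        elif keyword == "VALIDSIG" and args:
            # The 10th argument is the primary key fingerprint when present;
            # otherwise fall back to the signing key fingerprint.
            primary_fpr = (args[9] if len(args) >= 10 else args[0]).upper()
        elif keyword in TRUST_KEYWORDS:
            trust = keyword
    if bad or not good or primary_fpr is None:
        return ("reject", "signature did not verify")
    if primary_fpr != normalize_fpr(expected_fpr):
        return ("reject", "signed by unexpected key " + primary_fpr)
    if trust == "TRUST_NEVER":
        return ("reject", "key is marked as never trusted locally")
    if trust in ("TRUST_FULLY", "TRUST_ULTIMATE"):
        return ("ok", "good signature; key validated by the local trust database")
    return ("ok-pinned", "good signature from the pinned fingerprint; "
                         "no local trust path (%s)" % trust)
```

For the constructed sample, classify(SAMPLE_STATUS, PINNED_FPR) returns the "ok-pinned" verdict, which corresponds to the situation in the message: a good signature from the expected key, with gpg unable to vouch for who owns that key.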
