Hi,

The signature was verified successfully, which means it was really
signed with my private key. The key claims it belongs to "Richard
Zowalla".

Yet your GnuPG setup does not trust this key. Anybody could create a
key for "Richard Zowalla"; all you know is that somebody who created a
key with user ID "Richard Zowalla" signed the artifact.

To be sure whether the signer of the artifact is really who he claims
to be (Richard Zowalla), you should obtain my key ID (better: the
complete fingerprint) in another, trustworthy way (it does not
necessarily have to be secure, as only public information, namely the
public key ID, is transferred) - which you have done by downloading the
KEYS file from the official ASF location.

After that, you would need to sign the key (depending on the level of
trust for your use case this might involve additional verification
steps). All keys you signed (and thus their signatures) will be
'verified' in future.

The process is also described in [1].

Hope it helps.

Regards
Richard

[1] https://www.apache.org/info/verification.html#Validating

On Wednesday, 10.05.2023 at 10:46 +0200, Alex The Rocker wrote:
> Hello,
> 
> I have a doubt with this signature test:
> 
> wget https://dist.apache.org/repos/dist/dev/tomee/staging-1214/tomee-8.0.15/apache-tomee-8.0.15-plus.tar.gz
> cat > apache-tomee-8.0.15-plus.tar.gz.asc
> (here I copy-paste the contents of
> https://dist.apache.org/repos/dist/dev/tomee/staging-1214/tomee-8.0.15/apache-tomee-8.0.15-plus.tar.gz.asc,
> then I type Control-D)
> $ gpg --verify apache-tomee-8.0.15-plus.tar.gz.asc apache-tomee-8.0.15-plus.tar.gz
> gpg: Signature made Mon 08 May 2023 02:36:20 PM CEST using RSA key ID E5B8A431
> gpg: Good signature from "Richard Zowalla (Code Signing Key) <[email protected]>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the owner.
> Primary key fingerprint: B83D 15E7 2253 ED11 04EB  4FBB DAB4 72F0 E5B8 A431
> 
> Isn't the warning a bit scary?
> 
> Note: I previously imported TomEE's keys from
> https://downloads.apache.org/tomee/KEYS which I save into a file
> /tmp/KEYS.tst, then used:
> gpg --import /tmp/KEYS.txt
> 
> Isn't there a way to make sure gpg won't complain about the
> trustworthiness of the signature?
> 
> Thanks,
> Alex
> 
> On Mon, 8 May 2023 at 14:50, Richard Zowalla <[email protected]> wrote:
> > 
> > Hi all,
> > 
> > this is a vote for a release of Apache TomEE 8.0.15.
> > 
> > It is a maintenance release with some bug fixes and dependency
> > upgrades (addressing some CVEs).
> > 
> > ###############
> > 
> > Maven Repo:
> > https://repository.apache.org/content/repositories/orgapachetomee-1214/
> > 
> > <repositories>
> > <repository>
> > <id>tomee-8.0.15-rc1</id>
> > <name>Testing TomEE 8.0.15 RC1</name>
> > <url>
> > https://repository.apache.org/content/repositories/orgapachetomee-1214/
> > </url>
> > </repository>
> > </repositories>
> > 
> > ###############
> > 
> > Binaries & Source:
> > 
> > https://dist.apache.org/repos/dist/dev/tomee/staging-1214/tomee-8.0.15/
> > 
> > ###############
> > 
> > Tag:
> > 
> > https://github.com/apache/tomee/releases/tag/tomee-project-8.0.15
> > 
> > 
> > ###############
> > 
> > Release notes:
> > 
> > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312320&version=12352766
> > 
> > ###############
> > 
> > Here is an adoc generated version of the changelog as well:
> > 
> > == Dependency upgrade
> > 
> > [.compact]
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4188[TOMEE-4188] ActiveMQ 5.16.6
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4180[TOMEE-4180] CXF 3.5.5
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4187[TOMEE-4187] Commons FileUpload 1.5
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4210[TOMEE-4210] EclipseLink 2.7.12
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4211[TOMEE-4211] Hibernate Integration 5.6.15.Final
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4206[TOMEE-4206] Jackson 2.15.0
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4207[TOMEE-4207] Johnzon 1.2.20
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4205[TOMEE-4205] Jose4j 0.9.3
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4209[TOMEE-4209] Mojarra 2.3.19
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4195[TOMEE-4195] Tomcat 9.0.72 (CVE-2023-28708)
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4191[TOMEE-4191] Tomcat 9.0.73
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4201[TOMEE-4201] Tomcat 9.0.74
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4194[TOMEE-4194] snakeyaml version 2.0 mitigate CVE-2022-1471
> > 
> > == Bug
> > 
> > [.compact]
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4192[TOMEE-4192] ApplicationComposers do not clear GC references on release
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4181[TOMEE-4181] BCProv jar loses its signature during the patch process
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4122[TOMEE-4122] Performance Regression in bean resolution in EAR files
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4189[TOMEE-4189] java.lang.ClassNotFoundException: org.apache.openejb.loader.SystemInstance
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4179[TOMEE-4179] Fix creeping in API JARs which should be in javaee-api
> > 
> > == Wish
> > 
> > [.compact]
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4190[TOMEE-4190] RunWithApplicationComposer should support inheritance
> > 
> > == Fixed Common Vulnerabilities and Exposures (CVEs)
> > 
> > [.compact]
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4194[TOMEE-4194] Update snakeyaml version to 2.0 to mitigate CVE-2022-1471
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4195[TOMEE-4195] Upgrade to Apache Tomcat 9.0.72 (CVE-2023-28708)
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4187[TOMEE-4187] Commons FileUpload 1.5
> > 
> > 
> > ###############
> > 
> > Here is the dependency diff from 8.0.14 to 8.0.15 created with our
> > release tools:
> > 
> >           artifactId              from          to
> > ------------------------------- -------- -----------------
> >  jackson-annotations             2.14.1   2.15.0
> >  jackson-core                    2.14.1   2.15.0
> >  jackson-databind                2.14.1   2.15.0
> >  jackson-dataformat-yaml         2.14.1   2.15.0
> >  saaj-impl                        1.5.1   1.5.3
> >  activemq-broker                 5.16.5   5.16.6
> >  activemq-client                 5.16.5   5.16.6
> >  activemq-jdbc-store             5.16.5   5.16.6
> >  activemq-kahadb-store           5.16.5   5.16.6
> >  activemq-openwire-legacy        5.16.5   5.16.6
> >  activemq-ra                     5.16.5   5.16.6
> >  cxf-rt-rs-mp-client             3.4.10   3.5.5
> >  johnzon-core                    1.2.19   1.2.20
> >  johnzon-jaxrs                   1.2.19   1.2.20
> >  johnzon-jsonb                   1.2.19   1.2.20
> >  johnzon-jsonp-strict            1.2.19   1.2.20
> >  johnzon-mapper                  1.2.19   1.2.20
> >  xmlsec                           2.2.3   2.3.2
> >  wss4j-bindings                   2.3.3   2.4.1
> >  wss4j-policy                     2.3.3   2.4.1
> >  wss4j-ws-security-common         2.3.3   2.4.1
> >  wss4j-ws-security-dom            2.3.3   2.4.1
> >  wss4j-ws-security-policy-stax    2.3.3   2.4.1
> >  wss4j-ws-security-stax           2.3.3   2.4.1
> >  jose4j                           0.6.0   0.9.3
> >  eclipselink                     2.7.11   2.7.12
> >  jakarta.faces                   2.3.18   2.3.19
> >  stax-ex                          1.8.1   1.8.3
> >  snakeyaml                         1.33   2.0
> > 
> > ###############
> > 
> > Please VOTE
> > 
> > [+1] go ship it
> > [+0] meh, don't care
> > [-1] stop, there is a ${showstopper}
> > 
> > The VOTE is open for 72h or as long as needed.
> > 
> > Regards
> > Richard
> > 

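The check Richard describes, as an added example that is not part of this thread: a Python helper that verifies a detached signature through gpg's machine-readable `--status-fd` output and accepts it only when the fingerprint on the VALIDSIG line matches one obtained out of band (here the fingerprint quoted above, assumed to be the one from the KEYS file; the sample status stream and the e-mail placeholder are constructed).

```python
import re
import subprocess
from typing import Optional

# Fingerprint as quoted in the thread. In practice take it from the KEYS file
# fetched from the official ASF location, never from the gpg output itself.
EXPECTED_FPR = "B83D 15E7 2253 ED11 04EB 4FBB DAB4 72F0 E5B8 A431"

# Constructed --status-fd stream modelled on the gpg output quoted above
# (e-mail address replaced by a placeholder).
SAMPLE_STATUS = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG DAB472F0E5B8A431 Richard Zowalla (Code Signing Key) <signer@example.invalid>
[GNUPG:] VALIDSIG B83D15E72253ED1104EB4FBBDAB472F0E5B8A431 2023-05-08 1683549380 0 4 0 1 10 00 B83D15E72253ED1104EB4FBBDAB472F0E5B8A431
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""


def normalize_fpr(fpr: str) -> str:
    """Drop whitespace and upper-case so differently spaced fingerprints compare."""
    return re.sub(r"\s+", "", fpr).upper()


def parse_validsig(status_output: str) -> Optional[str]:
    """Return the primary-key fingerprint from a VALIDSIG status line, or None.

    Layout: [GNUPG:] VALIDSIG <sig-key-fpr> <date> <ts> <exp> <ver> <rsv>
            <pk-algo> <hash-algo> <sig-class> [<primary-key-fpr>]
    gpg emits VALIDSIG only when the signature verified cryptographically
    (BADSIG and ERRSIG, e.g. a missing key, yield None); key trust plays no
    part in it, which is exactly why the fingerprint pin below is needed.
    """
    for line in status_output.splitlines():
        fields = line.split()
        if fields[:2] == ["[GNUPG:]", "VALIDSIG"] and len(fields) >= 3:
            # Older gpg omits the trailing primary-key fingerprint; fall back
            # to the signing-key fingerprint in that case.
            return fields[11] if len(fields) > 11 else fields[2]
    return None


def signature_matches(status_output: str, expected_fpr: str) -> bool:
    """True only if the signature is valid AND was made by the pinned key."""
    fpr = parse_validsig(status_output)
    return fpr is not None and normalize_fpr(fpr) == normalize_fpr(expected_fpr)


def verify_artifact(artifact: str, sig: str, expected_fpr: str = EXPECTED_FPR) -> bool:
    """Run gpg on a detached signature and pin the fingerprint (needs gpg installed)."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig, artifact],
        capture_output=True, text=True, check=False)
    return signature_matches(proc.stdout, expected_fpr)
```

Once the fingerprint has been checked this way, `gpg --lsign-key <fingerprint>` records a local, non-exportable certification so later verifications no longer print the trust warning.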