Hi Alex,

importing the KEYS file does not mean that you "trust" the imported keys.
After importing the KEYS file, you can verify that the signature is good,
i.e. that the file has not been tampered with.

However, due to the nature of public key cryptography, you need to
additionally verify that the key was created by the "real" Richard :-)

That means you need to tell your PGP setup that you "trust" the key
from me which you previously imported in step 1; see details in [1].

Determining what the "level of trust" needs to be is up to you. Some
people validate a key by face-to-face communication, voice
verification over the phone, or just trust the file provided in [2] by
default. For example, you could also validate my key in [3] against the
one provided in [2] to be sure that nobody has been tampering with the
KEYS file ;)

Hope it helps
Richard


[1] https://www.apache.org/info/verification.html#Validating
[2] https://downloads.apache.org/tomee/KEYS
[3] https://people.apache.org/keys/committer/rzo1


On Wednesday, 10.05.2023 at 11:43 +0200, Alex The Rocker wrote:
> Hello Richard,
> 
> Thanks for your answer, but I'm still confused: I previously imported
> TomEE's keys from https://downloads.apache.org/tomee/KEYS, so the "you
> should get knowledge of my key id (better: the complete fingerprint) in
> another, trustworthy way" step is done, and yet gpg prints the warning.
> 
> Am I missing something?
> 
> Alex
> 
> On Wed, 10 May 2023 at 11:38, Richard Zowalla <[email protected]> wrote:
> > 
> > Hi,
> > 
> > the signature could be successfully verified, that means it was
> > really signed with my private key. The key claims it belongs to
> > "Richard Zowalla".
> > 
> > Yet, your GnuPG setup does not trust this key. Everybody could create
> > a key for "Richard Zowalla"; all you know is that somebody who created
> > a key with user ID "Richard Zowalla" signed the artifact.
> > 
> > To be sure about whether the signer of the artifact is really who he
> > claims to be (Richard Zowalla), you should get knowledge of my key id
> > (better: the complete fingerprint) in another, trustworthy way (it need
> > not necessarily be secure, as only public information, namely the
> > public key id, is transferred) - which you have done by downloading the
> > KEYS file from the official ASF location.
> > 
> > After that, you would need to sign the key (depending on the level of
> > trust for your use-case this might involve additional verification
> > steps). All keys you signed (and thus their signatures) will be
> > 'verified' in future.
> > 
> > The process is also described in [1]
> > 
> > Hope it helps.
> > 
> > Regards
> > Richard
> > 
> > [1] https://www.apache.org/info/verification.html#Validating
> > 
> > > On Wednesday, 10.05.2023 at 10:46 +0200, Alex The Rocker wrote:
> > > Hello,
> > > 
> > > I have a doubt with this signature test:
> > > 
> > > wget https://dist.apache.org/repos/dist/dev/tomee/staging-1214/tomee-8.0.15/apache-tomee-8.0.15-plus.tar.gz
> > > cat > apache-tomee-8.0.15-plus.tar.gz.asc
> > > (here I copy-paste the contents of
> > > https://dist.apache.org/repos/dist/dev/tomee/staging-1214/tomee-8.0.15/apache-tomee-8.0.15-plus.tar.gz.asc,
> > > then I type Control-D)
> > > $ gpg --verify apache-tomee-8.0.15-plus.tar.gz.asc apache-tomee-8.0.15-plus.tar.gz
> > > gpg: Signature made Mon 08 May 2023 02:36:20 PM CEST using RSA key ID E5B8A431
> > > gpg: Good signature from "Richard Zowalla (Code Signing Key) <[email protected]>"
> > > gpg: WARNING: This key is not certified with a trusted signature!
> > > gpg:          There is no indication that the signature belongs to the owner.
> > > Primary key fingerprint: B83D 15E7 2253 ED11 04EB  4FBB DAB4 72F0 E5B8 A431
> > > 
> > > Isn't the warning a bit scary ?
> > > 
> > > Note: I previously imported TomEE's keys from
> > > https://downloads.apache.org/tomee/KEYS, which I saved into a file
> > > /tmp/KEYS.txt, then used:
> > > gpg --import /tmp/KEYS.txt
> > > 
> > > Isn't there a way to make sure gpg won't complain about the
> > > trustworthiness of the signature?
> > > 
> > > Thanks,
> > > Alex
> > > 
> > > On Mon, 8 May 2023 at 14:50, Richard Zowalla <[email protected]> wrote:
> > > > 
> > > > Hi all,
> > > > 
> > > > this is a vote for a release of Apache TomEE 8.0.15.
> > > > 
> > > > It is a maintenance release with some bug fixes and dependency
> > > > upgrades (addressing some CVEs).
> > > > 
> > > > ###############
> > > > 
> > > > Maven Repo:
> > > > https://repository.apache.org/content/repositories/orgapachetomee-1214/
> > > > 
> > > > <repositories>
> > > > <repository>
> > > > <id>tomee-8.0.15-rc1</id>
> > > > <name>Testing TomEE 8.0.15 RC1</name>
> > > > <url>
> > > > https://repository.apache.org/content/repositories/orgapachetomee-1214/
> > > > </url>
> > > > </repository>
> > > > </repositories>
> > > > 
> > > > ###############
> > > > 
> > > > Binaries & Source:
> > > > 
> > > > https://dist.apache.org/repos/dist/dev/tomee/staging-1214/tomee-8.0.15/
> > > > 
> > > > ###############
> > > > 
> > > > Tag:
> > > > 
> > > > https://github.com/apache/tomee/releases/tag/tomee-project-8.0.15
> > > > 
> > > > 
> > > > ###############
> > > > 
> > > > Release notes:
> > > > 
> > > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312320&version=12352766
> > > > 
> > > > ###############
> > > > 
> > > > Here is an adoc generated version of the changelog as well:
> > > > 
> > > > == Dependency upgrade
> > > > 
> > > > [.compact]
> > > >  - link:https://issues.apache.org/jira/browse/TOMEE-4188[TOMEE-4188] ActiveMQ 5.16.6
> > > >  - link:https://issues.apache.org/jira/browse/TOMEE-4180[TOMEE-4180] CXF 3.5.5
> > > >  - link:https://issues.apache.org/jira/browse/TOMEE-4187[TOMEE-4187] Commons FileUpload 1.5
> > > >  - link:https://issues.apache.org/jira/browse/TOMEE-4210[TOMEE-4210] EclipseLink 2.7.12
> > > >  - link:https://issues.apache.org/jira/browse/TOMEE-4211[TOMEE-4211] Hibernate Integration 5.6.15.Final
> > > >  - link:https://issues.apache.org/jira/browse/TOMEE-4206[TOMEE-4206] Jackson 2.15.0
> > > >  - link:https://issues.apache.org/jira/browse/TOMEE-4207[TOMEE-4207] Johnzon 1.2.20
> > > >  - link:https://issues.apache.org/jira/browse/TOMEE-4205[TOMEE-4205] Jose4j 0.9.3
> > > >  - link:https://issues.apache.org/jira/browse/TOMEE-4209[TOMEE-4209] Mojarra 2.3.19
> > > >  - link:https://issues.apache.org/jira/browse/TOMEE-4195[TOMEE-4195] Tomcat 9.0.72 (CVE-2023-28708)
> > > >  - link:https://issues.apache.org/jira/browse/TOMEE-4191[TOMEE-4191] Tomcat 9.0.73
> > > >  - link:https://issues.apache.org/jira/browse/TOMEE-4201[TOMEE-4201] Tomcat 9.0.74
> > > >  - link:https://issues.apache.org/jira/browse/TOMEE-4194[TOMEE-4194] snakeyaml version 2.0 mitigate CVE-2022-1471
> > > > 
> > > > == Bug
> > > > 
> > > > [.compact]
> > > >  - link:https://issues.apache.org/jira/browse/TOMEE-4192[TOMEE-4192] ApplicationComposers do not clear GC references on release
> > > >  - link:https://issues.apache.org/jira/browse/TOMEE-4181[TOMEE-4181] BCProv jar loses its signature during the patch process
> > > >  - link:https://issues.apache.org/jira/browse/TOMEE-4122[TOMEE-4122] Performance Regression in bean resolution in EAR files
> > > >  - link:https://issues.apache.org/jira/browse/TOMEE-4189[TOMEE-4189] java.lang.ClassNotFoundException: org.apache.openejb.loader.SystemInstance
> > > >  - link:https://issues.apache.org/jira/browse/TOMEE-4179[TOMEE-4179] Fix creeping in API JARs which should be in javaee-api
> > > > 
> > > > == Wish
> > > > 
> > > > [.compact]
> > > >  - link:https://issues.apache.org/jira/browse/TOMEE-4190[TOMEE-4190] RunWithApplicationComposer should support inheritance
> > > > 
> > > > == Fixed Common Vulnerabilities and Exposures (CVEs)
> > > > 
> > > > [.compact]
> > > >  - link:https://issues.apache.org/jira/browse/TOMEE-4194[TOMEE-4194] Update snakeyaml version to 2.0 to mitigate CVE-2022-1471
> > > >  - link:https://issues.apache.org/jira/browse/TOMEE-4195[TOMEE-4195] Upgrade to Apache Tomcat 9.0.72 (CVE-2023-28708)
> > > >  - link:https://issues.apache.org/jira/browse/TOMEE-4187[TOMEE-4187] Commons FileUpload 1.5
> > > > 
> > > > 
> > > > ###############
> > > > 
> > > > Here is the dependency diff from 8.0.14 to 8.0.15 created with
> > > > our
> > > > release tools:
> > > > 
> > > >           artifactId              from          to
> > > > ------------------------------- -------- -----------------
> > > >  jackson-annotations             2.14.1   2.15.0
> > > >  jackson-core                    2.14.1   2.15.0
> > > >  jackson-databind                2.14.1   2.15.0
> > > >  jackson-dataformat-yaml         2.14.1   2.15.0
> > > >  saaj-impl                        1.5.1   1.5.3
> > > >  activemq-broker                 5.16.5   5.16.6
> > > >  activemq-client                 5.16.5   5.16.6
> > > >  activemq-jdbc-store             5.16.5   5.16.6
> > > >  activemq-kahadb-store           5.16.5   5.16.6
> > > >  activemq-openwire-legacy        5.16.5   5.16.6
> > > >  activemq-ra                     5.16.5   5.16.6
> > > >  cxf-rt-rs-mp-client             3.4.10   3.5.5
> > > >  johnzon-core                    1.2.19   1.2.20
> > > >  johnzon-jaxrs                   1.2.19   1.2.20
> > > >  johnzon-jsonb                   1.2.19   1.2.20
> > > >  johnzon-jsonp-strict            1.2.19   1.2.20
> > > >  johnzon-mapper                  1.2.19   1.2.20
> > > >  xmlsec                           2.2.3   2.3.2
> > > >  wss4j-bindings                   2.3.3   2.4.1
> > > >  wss4j-policy                     2.3.3   2.4.1
> > > >  wss4j-ws-security-common         2.3.3   2.4.1
> > > >  wss4j-ws-security-dom            2.3.3   2.4.1
> > > >  wss4j-ws-security-policy-stax    2.3.3   2.4.1
> > > >  wss4j-ws-security-stax           2.3.3   2.4.1
> > > >  jose4j                           0.6.0   0.9.3
> > > >  eclipselink                     2.7.11   2.7.12
> > > >  jakarta.faces                   2.3.18   2.3.19
> > > >  stax-ex                          1.8.1   1.8.3
> > > >  snakeyaml                         1.33   2.0
> > > > 
> > > > ###############
> > > > 
> > > > Please VOTE
> > > > 
> > > > [+1] go ship it
> > > > [+0] meh, don't care
> > > > [-1] stop, there is a ${showstopper}
> > > > 
> > > > The VOTE is open for 72h or as long as needed.
> > > > 
> > > > Regards
> > > > Richard
> > > > 
> > 

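The procedure Richard describes in his replies (step 1: import the KEYS file, step 2: verify the signature, step 3: check the signer's fingerprint against one obtained in a trustworthy way and only then certify the key), as an added Python example that is not part of this thread or of the TomEE project. It drives gpg through --status-fd so that the decision rests on the VALIDSIG fingerprint and the TRUST_ line rather than on grepping "Good signature", which an impostor key carrying the same user ID would also produce. The helper names (import_keys, verify_artifact, accept, lsign_key), the pinned fingerprint (the one gpg printed in Alex's run, which in practice you copy from the KEYS file and cross-check against a second source such as [3]) and the sample status lines are this example's own constructions; --quick-lsign-key needs GnuPG 2.1 or later and a secret key of your own in the keyring.

```python
"""Verify a gpg release signature and decide whether to accept it (added example,
not TomEE project code; gpg 2.x on PATH is assumed only by the subprocess helpers)."""
import re
import subprocess
from dataclasses import dataclass, field
from typing import List, Tuple

# Expected signing key. Assumption for this example: the fingerprint gpg printed in
# the thread. Copy it from the KEYS file and cross-check a second source first.
PINNED_FINGERPRINTS = {"B83D15E72253ED1104EB4FBBDAB472F0E5B8A431"}
# Trust levels for which gpg warns "This key is not certified with a trusted signature".
UNCERTIFIED_TRUST = {"TRUST_UNDEFINED", "TRUST_NEVER", "TRUST_MARGINAL"}


@dataclass
class VerifyResult:
    good: bool = False             # a GOODSIG line was seen
    signer: str = ""               # user ID from the GOODSIG line
    fingerprint: str = ""          # key that made the signature (VALIDSIG)
    primary_fingerprint: str = ""  # its primary key (last VALIDSIG field)
    trust: str = ""                # TRUST_* keyword, if any
    problems: List[str] = field(default_factory=list)


def normalise_fingerprint(text: str) -> str:
    """'B83D 15E7 ... A431' as gpg prints it -> bare upper-case hex."""
    return re.sub(r"\s+", "", text).upper()


def parse_status(status_output: str) -> VerifyResult:
    """Parse gpg --status-fd lines; anything else on the stream is ignored."""
    result = VerifyResult()
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        parts = line.split(" ", 2)  # "[GNUPG:]", KEYWORD, rest
        keyword, rest = parts[1], (parts[2] if len(parts) > 2 else "")
        if keyword == "GOODSIG":
            result.good = True
            result.signer = rest.split(" ", 1)[1] if " " in rest else ""
        elif keyword in ("BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"):
            result.good = False
            result.problems.append(keyword)
        elif keyword == "VALIDSIG":
            fields = rest.split()
            result.fingerprint, result.primary_fingerprint = fields[0], fields[-1]
        elif keyword.startswith("TRUST_"):
            result.trust = keyword
    return result


def accept(result: VerifyResult, pinned=PINNED_FINGERPRINTS,
           require_certified: bool = False) -> Tuple[bool, str]:
    """"Good signature" alone is not enough: the key must be one you pinned."""
    pinned = {normalise_fingerprint(p) for p in pinned}
    if not result.good:
        return False, "no good signature: " + ",".join(result.problems or ["no GOODSIG"])
    if not result.fingerprint:
        return False, "no VALIDSIG line, signing key unknown"
    if result.primary_fingerprint not in pinned and result.fingerprint not in pinned:
        return False, f"signed by unpinned key {result.primary_fingerprint}"
    if require_certified and result.trust in UNCERTIFIED_TRUST:
        return False, f"key not certified ({result.trust}); lsign it after checking the fingerprint"
    return True, f"signed by pinned key {result.primary_fingerprint} ({result.signer})"


def _gpg(*args: str) -> subprocess.CompletedProcess:
    # --status-fd 1 puts the machine-readable lines on stdout, human text on stderr
    return subprocess.run(["gpg", "--batch", "--status-fd", "1", *args],
                          capture_output=True, text=True, check=False)


def import_keys(keys_file: str) -> str:
    """Step 1: gpg --import KEYS. Importing assigns no trust to the keys."""
    return _gpg("--import", keys_file).stdout


def verify_artifact(sig_file: str, data_file: str) -> VerifyResult:
    """Step 2: gpg --verify file.asc file, parsed rather than grepped."""
    return parse_status(_gpg("--verify", sig_file, data_file).stdout)


def lsign_key(fingerprint: str) -> bool:
    """Step 3: locally certify the key after checking its fingerprint out of band.
    Needs a secret key of your own in the keyring (assumption); the warning then stops."""
    return _gpg("--yes", "--quick-lsign-key", normalise_fingerprint(fingerprint)).returncode == 0


# Constructed --status-fd output mirroring Alex's run (not captured from gpg;
# 1683549380 is 2023-05-08 12:36:20 UTC, the 02:36:20 PM CEST in the thread).
SAMPLE_GOOD_UNCERTIFIED = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG DAB472F0E5B8A431 Richard Zowalla (Code Signing Key)
[GNUPG:] VALIDSIG B83D15E72253ED1104EB4FBBDAB472F0E5B8A431 2023-05-08 1683549380 0 4 0 1 8 00 B83D15E72253ED1104EB4FBBDAB472F0E5B8A431
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
# Same artifact signed by another key that also calls itself "Richard Zowalla":
# gpg still prints "Good signature"; only the fingerprint gives it away.
SAMPLE_GOOD_IMPOSTOR = SAMPLE_GOOD_UNCERTIFIED.replace(
    "B83D15E72253ED1104EB4FBBDAB472F0E5B8A431", "0" * 40).replace("DAB472F0E5B8A431", "0" * 16)
SAMPLE_TAMPERED = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG DAB472F0E5B8A431 Richard Zowalla (Code Signing Key)\n"

if __name__ == "__main__":  # offline demo on the constructed samples
    for sample in (SAMPLE_GOOD_UNCERTIFIED, SAMPLE_GOOD_IMPOSTOR, SAMPLE_TAMPERED):
        print(accept(parse_status(sample)))
```

Running the file prints the decision for the three constructed cases; with real files, accept(verify_artifact("apache-tomee-8.0.15-plus.tar.gz.asc", "apache-tomee-8.0.15-plus.tar.gz")) does the same after import_keys("KEYS"). By default accept() passes the case from the thread because the fingerprint matches the pinned value, even though gpg still prints its warning; pass require_certified=True if the local certification from step 3 should be mandatory as well.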