I have verified the signatures.
One small nit is that the file names are slightly odd:
ted:Downloads$ ls apache*src*
apache-drill-1.0.0-m1-src.tar.gz apache-drill-1.0.0-m1.src.tar.gz.asc
Note how the signature has m1.src instead of m1-src
For reference, here is a transcript of how I verified the signatures:
# install gpg
ted:Downloads$ sudo port install gnupg
Password: ***
Warning: port definitions are more than two weeks old, consider using selfupdate
---> Fetching archive for ncurses
... *much noise deleted* ...
---> Attempting to fetch gnupg-1.4.13_1.darwin_11.x86_64.tbz2 from http://mse.uk.packages.macports.org/sites/packages.macports.org/gnupg
---> Attempting to fetch gnupg-1.4.13_1.darwin_11.x86_64.tbz2 from http://lil.fr.packages.macports.org/gnupg
... *even more noise deleted* ...
---> Activating gnupg @1.4.13_1
---> Cleaning gnupg
---> Updating database of binaries: 100.0%
---> Scanning binaries for linking errors: 100.0%
---> No broken files found.
# import the committer KEYS
ted:Downloads$ gpg --import ~/tmp/drill/KEYS
gpg: key AB10D143: public key "Jacques Nadeau <[email protected]>" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2016-05-03
# verify the signature on the binary distro
ted:Downloads$ gpg --verify apache-drill-1.0.0-m1-bin.tar.gz.asc apache-drill-1.0.0-m1-bin.tar.gz
gpg: Signature made Wed Sep 4 04:23:37 2013 PDT using RSA key ID 6B5FA695
gpg: Good signature from "Jacques Nadeau <[email protected]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: BA97 595F EA79 095C AC43 C07E DF2B E030 AB10 D143
Subkey fingerprint: 2A4A FF9C 7531 2FB4 0116 62A4 C2C6 022A 6B5F A695
# test our procedure by corrupting the file and verifying gpg warns us
ted:Downloads$ echo -n foo >> apache-drill-1.0.0-m1-bin.tar.gz
ted:Downloads$ gpg --verify apache-drill-1.0.0-m1-bin.tar.gz.asc apache-drill-1.0.0-m1-bin.tar.gz
gpg: Signature made Wed Sep 4 04:23:37 2013 PDT using RSA key ID 6B5FA695
gpg: BAD signature from "Jacques Nadeau <[email protected]>"
# verify source release
ted:Downloads$ gpg --verify apache-drill-1.0.0-m1.src.tar.gz.asc apache-drill-1.0.0-m1-src.tar.gz
gpg: Signature made Wed Sep 4 04:19:36 2013 PDT using RSA key ID 6B5FA695
gpg: Good signature from "Jacques Nadeau <[email protected]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: BA97 595F EA79 095C AC43 C07E DF2B E030 AB10 D143
Subkey fingerprint: 2A4A FF9C 7531 2FB4 0116 62A4 C2C6 022A 6B5F A695
ted:Downloads$
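
Added example (not part of the original message): the "not certified with a trusted signature" warning in the transcript means gpg checked the math but not who owns the key, so a scripted check should pin the primary key fingerprint obtained from a trusted channel and read gpg's --status-fd lines rather than the "Good signature" text. The function names and the sample status lines are constructed for illustration; the fingerprints and key ID are the ones shown in the transcript.

```shell
#!/bin/sh
# Added example: pass/fail from gpg's machine-readable status lines.

# Primary key fingerprint as printed in the transcript above.
PIN="BA97 595F EA79 095C AC43 C07E DF2B E030 AB10 D143"

# check_status EXPECTED_PRIMARY_FPR   (gpg --status-fd output on stdin)
# Succeeds only if a VALIDSIG line ends with the pinned primary key
# fingerprint and no bad/expired/revoked status line is present.
check_status() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v want="$expected" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPSIG" { bad = 1 }
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        # VALIDSIG: field 3 is the signing (sub)key fingerprint,
        # the last field is the primary key fingerprint.
        $2 == "VALIDSIG" && $NF == want { ok = 1 }
        END { exit (ok && !bad) ? 0 : 1 }
    '
}

# verify_release SIG_FILE DATA_FILE EXPECTED_PRIMARY_FPR
# Both names are passed explicitly, so a signature named m1.src is still
# checked against the m1-src artifact it belongs to.
verify_release() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status "$3"
}

# Constructed status output: good signature made by the pinned key's subkey.
sample_good() {
    printf '%s\n' \
      '[GNUPG:] GOODSIG C2C6022A6B5FA695 Jacques Nadeau' \
      '[GNUPG:] VALIDSIG 2A4AFF9C75312FB4011662A4C2C6022A6B5FA695 2013-09-04 1378293817 0 4 0 1 2 00 BA97595FEA79095CAC43C07EDF2BE030AB10D143'
}

# Constructed status output: the corrupted-file case from the transcript.
sample_bad() {
    printf '%s\n' '[GNUPG:] BADSIG C2C6022A6B5FA695 Jacques Nadeau'
}

# Constructed status output: valid signature, but from an unpinned key.
sample_other_key() {
    printf '%s\n' \
      '[GNUPG:] GOODSIG 89ABCDEF01234567 Someone Else' \
      '[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2013-09-04 1378293817 0 4 0 1 2 00 0123456789ABCDEF0123456789ABCDEF01234567'
}
```

Usage: verify_release apache-drill-1.0.0-m1.src.tar.gz.asc apache-drill-1.0.0-m1-src.tar.gz "$PIN" returns 0 only when the signature is valid and was made under the pinned primary key.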