That's what I get for manually renaming the artifacts to post them.
On Wed, Sep 4, 2013 at 12:49 PM, Ted Dunning <[email protected]> wrote:

> I have verified the signatures.
>
> One small nit is that the file names are slightly odd:
>
> ted:Downloads$ ls apache*src*
> apache-drill-1.0.0-m1-src.tar.gz apache-drill-1.0.0-m1.src.tar.gz.asc
>
> Note how the signature has m1.src instead of m1-src
>
> For reference, here is a transcript of how I verified the signatures:
>
> # install gpg
> ted:Downloads$ sudo port install gnupg
> Password: ***
> Warning: port definitions are more than two weeks old, consider using selfupdate
> ---> Fetching archive for ncurses
>
> ... *much noise deleted* ...
>
> ---> Attempting to fetch gnupg-1.4.13_1.darwin_11.x86_64.tbz2 from http://mse.uk.packages.macports.org/sites/packages.macports.org/gnupg
> ---> Attempting to fetch gnupg-1.4.13_1.darwin_11.x86_64.tbz2 from http://lil.fr.packages.macports.org/gnupg
>
> ... *even more noise deleted* ...
>
> ---> Activating gnupg @1.4.13_1
> ---> Cleaning gnupg
> ---> Updating database of binaries: 100.0%
> ---> Scanning binaries for linking errors: 100.0%
> ---> No broken files found.
>
> # import the committer KEYS
> ted:Downloads$ gpg --import ~/tmp/drill/KEYS
> gpg: key AB10D143: public key "Jacques Nadeau <[email protected]>" imported
> gpg: Total number processed: 1
> gpg: imported: 1 (RSA: 1)
> gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
> gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
> gpg: next trustdb check due at 2016-05-03
>
> # verify the signature on the binary distro
> ted:Downloads$ gpg --verify apache-drill-1.0.0-m1-bin.tar.gz.asc apache-drill-1.0.0-m1-bin.tar.gz
> gpg: Signature made Wed Sep 4 04:23:37 2013 PDT using RSA key ID 6B5FA695
> gpg: Good signature from "Jacques Nadeau <[email protected]>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the owner.
> Primary key fingerprint: BA97 595F EA79 095C AC43 C07E DF2B E030 AB10 D143
> Subkey fingerprint: 2A4A FF9C 7531 2FB4 0116 62A4 C2C6 022A 6B5F A695
>
> # test our procedure by corrupting the file and verifying gpg warns us
> ted:Downloads$ echo -n foo >> apache-drill-1.0.0-m1-bin.tar.gz
> ted:Downloads$ gpg --verify apache-drill-1.0.0-m1-bin.tar.gz.asc apache-drill-1.0.0-m1-bin.tar.gz
> gpg: Signature made Wed Sep 4 04:23:37 2013 PDT using RSA key ID 6B5FA695
> gpg: BAD signature from "Jacques Nadeau <[email protected]>"
>
> # verify source release
> ted:Downloads$ gpg --verify apache-drill-1.0.0-m1.src.tar.gz.asc apache-drill-1.0.0-m1-src.tar.gz
> gpg: Signature made Wed Sep 4 04:19:36 2013 PDT using RSA key ID 6B5FA695
> gpg: Good signature from "Jacques Nadeau <[email protected]>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the owner.
> Primary key fingerprint: BA97 595F EA79 095C AC43 C07E DF2B E030 AB10 D143
> Subkey fingerprint: 2A4A FF9C 7531 2FB4 0116 62A4 C2C6 022A 6B5F A695
> ted:Downloads$
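
The two checks from the quoted transcript as a script, added here as an example and not part of the original thread or of the Drill project's tooling: it flags artifact/signature name mismatches such as m1.src versus m1-src, and it accepts a signature only when gpg's machine-readable VALIDSIG status line names a pinned primary fingerprint. The function names are hypothetical, and the script assumes gpg is on the PATH and the signer's key has already been imported.

```shell
# Added example (not from the thread). Function names are hypothetical.

# List every .asc in DIR that has no matching artifact and every .tar.gz
# that has no matching .asc; return 1 if anything is unpaired.
unpaired_files() {
    rc=0
    for f in "$1"/*.asc; do
        [ -e "$f" ] || continue          # glob matched nothing
        if [ ! -e "${f%.asc}" ]; then
            echo "orphan signature: ${f##*/}"
            rc=1
        fi
    done
    for f in "$1"/*.tar.gz; do
        [ -e "$f" ] || continue
        if [ ! -e "$f.asc" ]; then
            echo "unsigned artifact: ${f##*/}"
            rc=1
        fi
    done
    return "$rc"
}

# Read `gpg --status-fd 1` output on stdin and print the primary key
# fingerprint, the last field of the VALIDSIG line. gpg emits VALIDSIG
# only when the signature checks out cryptographically, so a BAD
# signature yields no output. Key expiry and revocation are reported on
# separate status lines and are not checked here.
validsig_primary() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }'
}

# verify_pinned SIG FILE FPR: succeed only if SIG verifies over FILE and
# was made under the key whose primary fingerprint is FPR (spaces allowed).
# FPR must come from a channel you trust, not from the download itself.
verify_pinned() {
    want=$(printf '%s' "$3" | tr -d ' ')
    got=$(gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | validsig_primary)
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# Usage, with the fingerprint printed in the transcript above:
#   unpaired_files . &&
#   verify_pinned apache-drill-1.0.0-m1-bin.tar.gz.asc \
#       apache-drill-1.0.0-m1-bin.tar.gz \
#       "BA97 595F EA79 095C AC43 C07E DF2B E030 AB10 D143"
```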
