Hi,

If I download the main Jetty tar.gz
(http://download.eclipse.org/jetty/stable-9/dist/), and then the signature
file, and then run `gpg --verify` ... it says it's a good signature, but
how do I know it wasn't just tampered with and resigned by some random
person? How do I know that this is the right key?

gpg: Signature made Fri 05 Sep 2014 03:02:06 PM UTC using DSA key ID D7C58886
gpg: Good signature from "Jesse McConnell (signing key) <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 5DE5 33CB 43DA F8BC 3E37  2283 E7AE 839C D7C5 8886

Rob
_______________________________________________
jetty-users mailing list
[email protected]
To change your delivery options, retrieve your password, or unsubscribe from 
this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users
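
The situation in the question, as an added example that is not part of the original post or Jetty's own tooling: "Good signature" only says that some key signed the file, so a script has to compare the primary key fingerprint in gpg's `--status-fd` output against a fingerprint obtained from a channel independent of the download server. The status lines and the second key's fingerprint are constructed, and the pinned value is just the fingerprint printed in the post, used as a stand-in.

```python
import re

# Assumption: stand-in for a fingerprint obtained out-of-band. Here it is the
# value printed in the post; in practice take it from an independent channel.
PINNED = "5DE5 33CB 43DA F8BC 3E37  2283 E7AE 839C D7C5 8886"

def normalize(fpr):
    """Drop spaces/colons and upper-case so formatting differences don't matter."""
    return re.sub(r"[^0-9A-Fa-f]", "", fpr).upper()

def check_status(status_text, pinned_fpr):
    """Judge `gpg --status-fd 1 --verify SIG FILE` output against a pinned key.

    Returns (ok, reason); ok is True only for a valid signature whose
    primary key fingerprint equals the pinned fingerprint.
    """
    pinned = normalize(pinned_fpr)
    if len(pinned) != 40:  # short key IDs such as D7C58886 are not enough
        return False, "pinned value is not a full 40-hex-digit fingerprint"
    valid = []
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] in ("BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG"):
            return False, "gpg reported " + parts[1]
        if parts[1] == "VALIDSIG":
            # Last field is the primary key fingerprint when gpg supplies it;
            # otherwise fall back to the signing key fingerprint (first field).
            valid.append((parts[-1] if len(parts) >= 12 else parts[2]).upper())
    if not valid:
        return False, "no VALIDSIG line: signature not verified"
    if any(fpr != pinned for fpr in valid):
        return False, "good signature, but from a key other than the pinned one"
    return True, "good signature from the pinned key"

def sample_status(fpr):
    """Constructed status output for a signature made by the key `fpr`."""
    return ("[GNUPG:] NEWSIG\n"
            "[GNUPG:] GOODSIG " + fpr[-16:] + " Some Name <signer@example.invalid>\n"
            "[GNUPG:] VALIDSIG " + fpr + " 2014-09-05 1409929326 0 4 0 17 2 00 " + fpr + "\n"
            "[GNUPG:] TRUST_UNDEFINED 0 pgp\n")

OTHER_KEY = "0123456789ABCDEF0123456789ABCDEF01234567"  # constructed fingerprint

if __name__ == "__main__":
    print(check_status(sample_status(normalize(PINNED)), PINNED))
    print(check_status(sample_status(OTHER_KEY), PINNED))
```
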
