FWIW, that is me :)

Key fingerprint = 5DE5 33CB 43DA F8BC 3E37 2283 E7AE 839C D7C5 8886
uid Jesse McConnell (signing key) <[email protected]>

I have advocated a key signing setup at the Eclipse Foundation before but there was no interest in extending the circle of trust behind the foundation key which is a palaver to use and not suitable for a normal maven release process like ours. I will float the idea of the rest of the jetty developers doing a signing party though, probably long overdue.

cheers,
jesse

--
jesse mcconnell
[email protected]

On Fri, Oct 3, 2014 at 3:25 PM, Rob Nikander <[email protected]> wrote:
> Hi,
>
> If I download the main Jetty tar.gz
> (http://download.eclipse.org/jetty/stable-9/dist/), and then the signature
> file, and then run `gpg --verify` ... it says it's a good signature, but how
> do I know it wasn't just tampered with and resigned by some random person?
> How do I know that this is the right key?
>
> gpg: Signature made Fri 05 Sep 2014 03:02:06 PM UTC using DSA key ID
> D7C58886
> gpg: Good signature from "Jesse McConnell (signing key)
> <[email protected]>" [unknown]
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the
> owner.
> Primary key fingerprint: 5DE5 33CB 43DA F8BC 3E37 2283 E7AE 839C D7C5 8886
>
> Rob
>
> _______________________________________________
> jetty-users mailing list
> [email protected]
> To change your delivery options, retrieve your password, or unsubscribe from
> this list, visit
> https://dev.eclipse.org/mailman/listinfo/jetty-users
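
Added example, not part of the original thread or of the Jetty project: one way to turn the fingerprint confirmed above into an automated check is to pin the full 40-digit fingerprint and compare it with the `VALIDSIG` line that `gpg --status-fd` emits, so a file re-signed by a different key under the same name fails. The function names are hypothetical, the status lines are constructed rather than captured, and the pin is only as good as the channel the fingerprint was confirmed over.

```python
import subprocess

# Full fingerprint the key owner confirmed in this thread.
PINNED_FPR = "5DE5 33CB 43DA F8BC 3E37 2283 E7AE 839C D7C5 8886"
FAIL = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def normalize(fpr):
    """Drop spaces and upper-case so fingerprints compare exactly."""
    return "".join(fpr.split()).upper()

def signer_matches(status_text, pinned_fpr=PINNED_FPR):
    """True only if every VALIDSIG in gpg's --status-fd output was made
    under the pinned primary key and no failure status is present."""
    pinned = normalize(pinned_fpr)
    if len(pinned) != 40:  # an 8-digit key ID such as D7C58886 is not a pin
        raise ValueError("pin the full 40-hex-digit fingerprint")
    matched = False
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] in FAIL:
            return False
        if parts[1] == "VALIDSIG":
            # parts[2] is the signing key; the 10th argument, when present,
            # is the primary key fingerprint.
            primary = parts[11] if len(parts) >= 12 else parts[2]
            if normalize(primary) != pinned:
                return False
            matched = True
    return matched

def verify_file(sig_path, data_path, pinned_fpr=PINNED_FPR):
    """Run gpg on a detached signature, then apply the fingerprint pin."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True)
    return proc.returncode == 0 and signer_matches(proc.stdout, pinned_fpr)

# Constructed status lines (not captured from a real run).
_TAIL = " 2014-09-05 1409929326 0 4 0 17 2 00 "
def sample_status(fpr):
    """Build a GOODSIG/VALIDSIG pair for a key with the given fingerprint."""
    return ("[GNUPG:] GOODSIG " + fpr[-16:] + " Jesse McConnell (signing key)\n"
            "[GNUPG:] VALIDSIG " + fpr + _TAIL + fpr + "\n")

if __name__ == "__main__":
    print(signer_matches(sample_status(normalize(PINNED_FPR))))
    print(signer_matches(sample_status("A" * 40)))
```

The second sample carries the same user ID string but a different key, which is the case a plain "Good signature" line does not distinguish.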
