1. Unfortunately, the KEYS file is not tied to a web of trust. Those public keys are indeed there by themselves. That is, folks who countersign any of those public keys and synchronize with a PGP key-service will not have those certifications reflected automatically in KEYS. Someone has to know to install the KEYS file and then use their software to load the certifications that can be found for that public key. (At the moment, the only certification of the Florian Hopf (CODE SIGNING KEY) is its self-signed sealing.)
2. Another way, independent of the web of trust, is by using the public key available for that release manager at either <https://people.apache.org/keys/committer/> or the group certificate file at <https://people.apache.org/keys/group> once odftoolkit.asc becomes available there. These are bound to the credentials of recognized Apache Committers which is much stronger than certifications of a stranger by other strangers. In addition, those files *are* updated from PGP key services, so any web-of-trust certifications (and, presumably, revocations) will also be reflected in those certificates. 3. I am curious. For the current release candidate, I see that each artifact has an associated .asc, .md5, and .sha. How does a recipient of the artifact and its corresponding .asc to know to find the necessary public key for verifying the artifact's external .asc signature? - Dennis 4. PS: I also notice that, even as a committer with access to https://id.apache.org/info/MailAlias.txt, I cannot tell that Florian Hopf of mailinglists@ florian-hopf.de is fhopf@ apache.org. I believe it. I can't verify it. (Florian, please log onto your Apache account and update the email addresses that you want to be recognized by.) -----Original Message----- From: Rob Weir [mailto:[email protected]] Sent: Monday, April 29, 2013 11:41 To: [email protected]; Dennis Hamilton Subject: Re: KEYS On Mon, Apr 29, 2013 at 1:31 PM, Dennis E. Hamilton <[email protected]> wrote: > Off-hand, I can't imagine how your public key is useful to a code-signing > plug-in. > > I can confirm that the instructions for import of the KEYS certificates into > GPG do work. > > My understanding is that KEYS is useful for someone who wants to verify the > signatures on releases. In general, it is preferable for the public keys (or > at least the fingerprint) to be obtained from an independent, secure location > that is uniquelly associated with the committer whose PGP public key is > sought. > That might be true of the public key was by itself. In that case you would only be able to tell that the signature was from someone who claims to be Florian, but you would not know whether he really was. But the GPG approach is based on a "web of trust" model. If I can confirm that your key is actually from you and you can convince me that you are who you claim to be, then I can sign your key with my key. I post that info to a public keyserver, and someone else can verify this info. And my key is then signed by someone else, etc. So we have a web of people asserting their trust of a given key. So in the end it doesn't matter where the key is actually retrieved from. It could be on my website, in SVN, wherever. You only trust it if you have direct knowledge of its validity, or you trust someone who has this knowledge, directly or via someone they directly trust. -Rob > The files at <https://people.apache.org/keys/committer/> qualify, since the > retrieved public keys are based on a fingerprint that requires access to your > Apache Committer account to establish. The keys folder is kept secure by ASF > Infrastructure. Synchronization with public key servers is automated. Also, > there is a file <https://people.apache.org/keys/group/> that has all public > keys for an individual project (e.g., office.asc for all committers of Apache > OpenOffice that have committer keys). > > > - Dennis [ ... ]
