On Dec 21, 2007, at 08:33, Mark Brouwer wrote:

Frank Barnaby wrote:

I assisted Jim H. create a key and then sign my key. My local testing shows no more warnings, but it would be helpful to have someone else verify.

In good tradition everything security related is hard, no exception this time :-) I'm trying to verify the distribution and I need to import the KEYS file. I wonder whether it is checked in at the right place (part of jtsk and we also have qatest)?



I was wondering the same thing when I created the KEYS file. I also questioned whether qatests will stay in its current location. I'd be happy to move it up to trunk if that's the appropriate location.


Also I tried to verify the distributions, I imported the KEYS file and received the keys of Jim, Frank and Jukka but all I get is this.

gpg --verify apache-river-2.1.1-incubating-bin.zip.asc apache-river-2.1.1-incubating-bin.zip
gpg: Signature made 12/19/07 22:24:05 using RSA key ID 86124FBC
gpg: Good signature from "Frank Barnaby <[EMAIL PROTECTED]>"
gpg:                 aka "Frank Barnaby <[EMAIL PROTECTED]>"
gpg:                 aka "Frank Barnaby (CODE SIGNING KEY) <[EMAIL PROTECTED]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: D074 AD05 445C 34DD 04AE B682 19A2 FF47 8612 4FBC

So what is going wrong here?


I need to update the KEYS file now that more signatures have been added to the mix, but I'm not certain whether that will resolve the above problem.


Frank


--
Mark
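
Added example, not part of the original thread: in the gpg output quoted above, "Good signature" reports that the signature verifies against the imported key, while the WARNING reports separately that the local keyring holds no trusted certification binding that key to its owner. The sketch below reads the machine-readable form of the same result (`gpg --status-fd 1 --verify`) and pins the primary key fingerprint; the sample status lines and the e-mail address are constructed, and the function names are hypothetical.

```python
# Added example: interpret the machine-readable output of
#   gpg --status-fd 1 --verify <file>.asc <file>
# SAMPLE_STATUS is constructed for illustration, not captured from a real run.

TRUSTED = {"TRUST_FULLY", "TRUST_ULTIMATE"}
TRUST_KEYWORDS = TRUSTED | {"TRUST_UNDEFINED", "TRUST_NEVER", "TRUST_MARGINAL"}

# Primary key fingerprint as printed in the gpg output quoted in the thread.
EXPECTED_FPR = "D074 AD05 445C 34DD 04AE B682 19A2 FF47 8612 4FBC"

SAMPLE_STATUS = """\
[GNUPG:] GOODSIG 19A2FF4786124FBC Frank Barnaby <user@example.invalid>
[GNUPG:] VALIDSIG D074AD05445C34DD04AEB68219A2FF4786124FBC 2007-12-19 1198103045 0 3 0 1 2 00 D074AD05445C34DD04AEB68219A2FF4786124FBC
[GNUPG:] TRUST_UNDEFINED
"""


def parse_status(text):
    """Collect signature validity, primary key fingerprint and trust level."""
    result = {"good_sig": False, "bad_sig": False, "primary_fpr": None, "trust": None}
    for line in text.splitlines():
        fields = line.split()[1:] if line.startswith("[GNUPG:] ") else []
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword == "GOODSIG":
            result["good_sig"] = True
        elif keyword in ("BADSIG", "ERRSIG"):
            result["bad_sig"] = True
        elif keyword == "VALIDSIG" and args:
            # The 10th argument is the primary key fingerprint when gpg emits it.
            result["primary_fpr"] = args[9] if len(args) >= 10 else args[0]
        elif keyword in TRUST_KEYWORDS:
            result["trust"] = keyword
    return result


def assess(text, expected_fpr):
    """Keep signature validity, key identity and key trust as separate checks."""
    r = parse_status(text)
    if r["bad_sig"] or not r["good_sig"] or r["primary_fpr"] is None:
        return "REJECT: signature did not verify"
    if r["primary_fpr"].upper() != expected_fpr.replace(" ", "").upper():
        return "REJECT: signed by an unexpected key"
    if r["trust"] in TRUSTED:
        return "OK: good signature, key certified in the local trust database"
    return "OK-PINNED: good signature from the pinned fingerprint, key not certified locally"
```

The pinned fingerprint is only as trustworthy as the channel it came from, so it should be obtained separately from the download site that serves the KEYS file and the release archive.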

