Hi Mark,

On Dec 21, 2007, at 5:33 AM, Mark Brouwer wrote:

Frank Barnaby wrote:

I assisted Jim H. create a key and then sign my key. My local testing shows no more warnings, but it would be helpful to have someone else verify.

In good tradition everything security related is hard, no exception this time :-) I'm trying to verify the distribution and I need to import the KEYS file. I wonder whether it is checked in at the right place (part of jtsk and we also have qatest)?

Also I tried to verify the distributions, I imported the KEYS file and received the keys of Jim, Frank and Jukka but all I get is this.

gpg --verify apache-river-2.1.1-incubating-bin.zip.asc apache-river-2.1.1-incubating-bin.zip
gpg: Signature made 12/19/07 22:24:05 using RSA key ID 86124FBC
gpg: Good signature from "Frank Barnaby <[EMAIL PROTECTED]>"
gpg:                 aka "Frank Barnaby <[EMAIL PROTECTED]>"
gpg: aka "Frank Barnaby (CODE SIGNING KEY) <[EMAIL PROTECTED]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: D074 AD05 445C 34DD 04AE B682 19A2 FF47 8612 4FBC

So what is going wrong here?

There's nothing wrong. Frank signed the release with his key. His key is in your keystore. You haven't signed his key or anyone's key who (transitively) signed his key.

Craig

--
Mark


Craig Russell
Architect, Sun Java Enterprise System http://java.sun.com/products/jdo
408 276-5638 mailto:[EMAIL PROTECTED]
P.S. A good JDO? O, Gasp!
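
The distinction drawn in the reply above, as an added example that is not part of the original thread: the result of `gpg --verify` has two independent parts, whether the signature is cryptographically good and whether the signing key is certified in the local web of trust. The sketch parses GnuPG's machine-readable status lines (as written by `gpg --status-fd 1 --verify <sig> <file>`) and checks the signing key against a pinned fingerprint; the function name `assess` and the sample status lines are constructed for illustration.

```python
# Added example: keep "signature is cryptographically good" separate from
# "key is certified in my web of trust" when reading gpg --status-fd output.

# Fingerprint as printed by gpg in the thread; confirm it out of band before pinning.
PINNED_FPR = "D074 AD05 445C 34DD 04AE B682 19A2 FF47 8612 4FBC"

# Constructed status lines for the case in the thread (timestamps are made up).
SAMPLE_STATUS = """\
[GNUPG:] GOODSIG 19A2FF4786124FBC Frank Barnaby (CODE SIGNING KEY)
[GNUPG:] VALIDSIG D074AD05445C34DD04AEB68219A2FF4786124FBC 2007-12-19 1198103045 0 3 0 1 2 00 D074AD05445C34DD04AEB68219A2FF4786124FBC
[GNUPG:] TRUST_UNDEFINED
"""

# Keywords gpg emits instead of GOODSIG when the signature must not be accepted.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def assess(status_text, pinned_fpr):
    """Assumes one signature per file. Returns signature, pin and trust results."""
    good = rejected = False
    primary_fpr = trust = None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # human-readable output is not parsed
        fields = line.split()[1:]
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword == "GOODSIG":
            good = True
        elif keyword in REJECT:
            rejected = True
        elif keyword == "VALIDSIG" and args:
            # The 10th argument is the primary key fingerprint when present;
            # otherwise fall back to the signing key fingerprint.
            primary_fpr = args[9] if len(args) >= 10 else args[0]
        elif keyword.startswith("TRUST_"):
            trust = keyword[len("TRUST_"):].lower()
    signature_ok = good and not rejected and primary_fpr is not None
    pin = pinned_fpr.replace(" ", "").upper()
    key_matches_pin = signature_ok and primary_fpr.upper() == pin
    return {"signature_ok": signature_ok,
            "key_matches_pin": key_matches_pin,
            "trust": trust}


if __name__ == "__main__":
    print(assess(SAMPLE_STATUS, PINNED_FPR))
```

A result with `signature_ok` and `key_matches_pin` true but `trust` of `undefined` corresponds to the warning in the thread: the file was signed by that key, and the remaining question is only whether the key has a certification path from a key the verifier trusts.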
