Re: Apache release signing on Solaris 10

Sun, 03 Jan 2010 16:33:03 -0800 

Hi Peter,
The only reason *not* to use 1.4.10 IMHO is if the generated artifacts somehow are incompatible with other GPG programs out there. 


If you want to create an example .asc from some file that you have in  
your public directory, I'd be happy to verify that it works.


Craig

On Jan 3, 2010, at 3:42 PM, Peter Firmstone wrote:


Thanks Robert,


GnuPG 1.4.10 has no trouble creating 4096 bit keys and it compiles  
cleanly on Solaris, I have a set generated, I just wasn't sure if  
there was some reason I should be using the later version.  1.4.10  
is still being maintained, its recommended for servers and embedded,  
while 2.0.14 is preferred for desktops.



If no one objects, I'd be happy to use the keys to sign the AR2  
release.


Cheers,

Peter.


Robert Burrell Donkin wrote:

On Fri, Jan 1, 2010 at 7:59 AM, Peter Firmstone <[email protected]>  
wrote:



I've been attempting to compile and install GnuPG 2.0.14 as per
http://www.apache.org/dev/openpgp.html#generate-key


Unfortunately GnuPG 2.0.14 depends upon libassuan-1.0.5 which uses  
funopen
or fopencookie calls that don't exist on Solaris 10.  NB. I  
succeeded
getting GNU PThreads library version 2.0.7 compiled and installed,  
which

incidentally requested I email the author, to included it the tested
platforms (after passing all tests).

Other libraries required that I compiled and installed were:
libgcrypt
libksba
libgpg-error

I have GnuPG 1.4.10 installed, it can generate 4096 bit RSA keys.

Is there anything on Solaris 10 that is considered suitable for key
generation for Apache?



IIRC 1.4.10 has the required changes backported from the 2.x
codestream but i haven't had time to verify that the keys are

correctly generated or that the configuration instructions work (i  
may
be able to find some time in Feb once my semester one exams are  
done).

it is possible - with sufficient knowledge - to create secure keys
using 1.4.9 or earlier but it's fiddly and error prone. i think - but
haven't checked - that you should be able to follow the *full*
instructions for 2.x using 1.4.10 and then verify that the signatures
created by the new key are strong enough.

- robert






Craig L Russell
Architect, Sun Java Enterprise System http://db.apache.org/jdo
408 276-5638 mailto:[email protected]
P.S. A good JDO? O, Gasp!























					Reply via email to