Re: [Qemu-devel] Who signed gemu-1.7.1.tar.bz2?
On Tue, Apr 22, 2014 at 09:35:07AM -0500, Michael Roth wrote:
> Quoting Stefan Hajnoczi (2014-04-22 08:31:08)
> > On Wed, Apr 02, 2014 at 05:40:23PM -0700, Alex Davis wrote:
> > > and where is their gpg key?
> >
> > Michael Roth mdr...@linux.vnet.ibm.com is doing releases:
> > http://pgp.mit.edu/pks/lookup?op=vindex&search=0x3353C9CEF108B584
> >
> > $ gpg --verify qemu-2.0.0.tar.bz2.sig
> > gpg: Signature made Thu 17 Apr 2014 03:49:55 PM CEST using RSA key ID F108B584
> > gpg: Good signature from Michael Roth fluks...@gmail.com
> > gpg: aka Michael Roth mdr...@utexas.edu
> > gpg: aka Michael Roth mdr...@linux.vnet.ibm.com
>
> Missed the context, but if this is specifically about 1.7.1:
>
> 1.7.1 was prior to me handling the release tarballs, Anthony actually did the signing and uploading for that one. I'm a bit confused though, as the key ID on that tarball is:
>
> mdroth@loki:~/Downloads$ gpg --verify qemu-1.7.1.tar.bz2.sig
> gpg: Signature made Tue 25 Mar 2014 09:03:24 AM CDT using RSA key ID ADF0D2D9
> gpg: Can't check signature: public key not found
>
> I can't seem to locate ADF0D2D9 though:
> http://pgp.mit.edu/pks/lookup?search=0xADF0D2D9&op=vindex
>
> Anthony's normal key (for 1.6.0 and 1.7.0 at least) was 7C18C076:
> http://pgp.mit.edu/pks/lookup?search=0x7C18C076&op=vindex
>
> I think maybe Anthony might've signed it with a separate local key?

This is a mess :). We need a page like this explaining how QEMU releases are signed:
https://www.kernel.org/category/signatures.html

Mike: as release manager, can you post a page like that to the QEMU wiki?

Thanks,
Stefan
Re: [Qemu-devel] Who signed gemu-1.7.1.tar.bz2?
Anthony Liguori aligu...@amazon.com writes:
> On 04/22/14 07:35, Michael Roth wrote:
> > Quoting Stefan Hajnoczi (2014-04-22 08:31:08)
> > > On Wed, Apr 02, 2014 at 05:40:23PM -0700, Alex Davis wrote:
> > > > and where is their gpg key?
> > >
> > > Michael Roth mdr...@linux.vnet.ibm.com is doing releases:
> > > http://pgp.mit.edu/pks/lookup?op=vindex&search=0x3353C9CEF108B584
> > >
> > > $ gpg --verify qemu-2.0.0.tar.bz2.sig
> > > gpg: Signature made Thu 17 Apr 2014 03:49:55 PM CEST using RSA key ID F108B584
> > > gpg: Good signature from Michael Roth fluks...@gmail.com
> > > gpg: aka Michael Roth mdr...@utexas.edu
> > > gpg: aka Michael Roth mdr...@linux.vnet.ibm.com
> >
> > Missed the context, but if this is specifically about 1.7.1:
> >
> > 1.7.1 was prior to me handling the release tarballs, Anthony actually did the signing and uploading for that one. I'm a bit confused though, as the key ID on that tarball is:
> >
> > mdroth@loki:~/Downloads$ gpg --verify qemu-1.7.1.tar.bz2.sig
> > gpg: Signature made Tue 25 Mar 2014 09:03:24 AM CDT using RSA key ID ADF0D2D9
> > gpg: Can't check signature: public key not found
> >
> > I can't seem to locate ADF0D2D9 though:
> > http://pgp.mit.edu/pks/lookup?search=0xADF0D2D9&op=vindex
> >
> > Anthony's normal key (for 1.6.0 and 1.7.0 at least) was 7C18C076:
> > http://pgp.mit.edu/pks/lookup?search=0x7C18C076&op=vindex
> >
> > I think maybe Anthony might've signed it with a separate local key?
>
> Yeah, I accidentally signed it with the wrong key. Replacing the signature doesn't seem like the right thing to do since release artifacts should never change.

You could still publish the key, with some suitable signatures.
Re: [Qemu-devel] Who signed gemu-1.7.1.tar.bz2?
On Wed, Apr 02, 2014 at 05:40:23PM -0700, Alex Davis wrote:
> and where is their gpg key?

Michael Roth mdr...@linux.vnet.ibm.com is doing releases:
http://pgp.mit.edu/pks/lookup?op=vindex&search=0x3353C9CEF108B584

$ gpg --verify qemu-2.0.0.tar.bz2.sig
gpg: Signature made Thu 17 Apr 2014 03:49:55 PM CEST using RSA key ID F108B584
gpg: Good signature from Michael Roth fluks...@gmail.com
gpg: aka Michael Roth mdr...@utexas.edu
gpg: aka Michael Roth mdr...@linux.vnet.ibm.com

Stefan
Re: [Qemu-devel] Who signed gemu-1.7.1.tar.bz2?
On 22 April 2014 14:31, Stefan Hajnoczi stefa...@gmail.com wrote:
> On Wed, Apr 02, 2014 at 05:40:23PM -0700, Alex Davis wrote:
> > and where is their gpg key?
>
> Michael Roth mdr...@linux.vnet.ibm.com is doing releases:
> http://pgp.mit.edu/pks/lookup?op=vindex&search=0x3353C9CEF108B584
>
> $ gpg --verify qemu-2.0.0.tar.bz2.sig
> gpg: Signature made Thu 17 Apr 2014 03:49:55 PM CEST using RSA key ID F108B584
> gpg: Good signature from Michael Roth fluks...@gmail.com
> gpg: aka Michael Roth mdr...@utexas.edu
> gpg: aka Michael Roth mdr...@linux.vnet.ibm.com

NB that this is different from the key used to sign the 2.0 release tags in git; that's expected since I did the tagging and Michael did the tarballs.

thanks
-- PMM
Re: [Qemu-devel] Who signed gemu-1.7.1.tar.bz2?
Quoting Stefan Hajnoczi (2014-04-22 08:31:08)
> On Wed, Apr 02, 2014 at 05:40:23PM -0700, Alex Davis wrote:
> > and where is their gpg key?
>
> Michael Roth mdr...@linux.vnet.ibm.com is doing releases:
> http://pgp.mit.edu/pks/lookup?op=vindex&search=0x3353C9CEF108B584
>
> $ gpg --verify qemu-2.0.0.tar.bz2.sig
> gpg: Signature made Thu 17 Apr 2014 03:49:55 PM CEST using RSA key ID F108B584
> gpg: Good signature from Michael Roth fluks...@gmail.com
> gpg: aka Michael Roth mdr...@utexas.edu
> gpg: aka Michael Roth mdr...@linux.vnet.ibm.com

Missed the context, but if this is specifically about 1.7.1:

1.7.1 was prior to me handling the release tarballs, Anthony actually did the signing and uploading for that one. I'm a bit confused though, as the key ID on that tarball is:

mdroth@loki:~/Downloads$ gpg --verify qemu-1.7.1.tar.bz2.sig
gpg: Signature made Tue 25 Mar 2014 09:03:24 AM CDT using RSA key ID ADF0D2D9
gpg: Can't check signature: public key not found

I can't seem to locate ADF0D2D9 though:
http://pgp.mit.edu/pks/lookup?search=0xADF0D2D9&op=vindex

Anthony's normal key (for 1.6.0 and 1.7.0 at least) was 7C18C076:
http://pgp.mit.edu/pks/lookup?search=0x7C18C076&op=vindex

I think maybe Anthony might've signed it with a separate local key?

> Stefan
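
The two outcomes seen in this thread (a good signature from F108B584, and "public key not found" for ADF0D2D9) can be told apart by script rather than by reading short key IDs. The following is an added example, not part of any message above and not QEMU project code: it classifies gpg's `--status-fd` output against a pinned full fingerprint. The function names are hypothetical, and the fingerprint, the long key ID for ADF0D2D9 and the sample status lines are constructed placeholders.

```shell
#!/bin/sh
# Added example, not QEMU project code. The thread gives only key IDs, so
# the pinned fingerprint below is a constructed placeholder.
PINNED="0000000000000000000000003353C9CEF108B584"

# classify_status PINNED_LIST   (reads gpg --status-fd lines on stdin)
# Prints: trusted FPR | unpinned FPR | no_pubkey KEYID | rejected WHY | unknown
classify_status() {
    pinned=" $1 "
    verdict="unknown"
    while read -r tag kw a1 rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case "$kw" in
            BADSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)
                verdict="rejected $kw"; break ;;
            NO_PUBKEY)
                verdict="no_pubkey $a1" ;;
            VALIDSIG)
                # Last field is the primary key fingerprint; fall back to
                # the signing key's fingerprint when it is absent.
                fpr=${rest##* }
                [ "${#fpr}" -eq 40 ] || fpr=$a1
                case "$pinned" in
                    *" $fpr "*) verdict="trusted $fpr" ;;
                    *)          verdict="unpinned $fpr" ;;
                esac ;;
        esac
    done
    echo "$verdict"
}

# verify_release FILE SIG: succeeds only for a signature by a pinned key.
verify_release() {
    result=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
             classify_status "$PINNED")
    echo "$result"
    case "$result" in trusted\ *) return 0 ;; *) return 1 ;; esac
}

# Constructed status output modelled on the two cases in the thread.
SAMPLE_2_0_0='[GNUPG:] GOODSIG 3353C9CEF108B584 Michael Roth
[GNUPG:] VALIDSIG 0000000000000000000000003353C9CEF108B584 2014-04-17 1397742595 0 4 0 1 2 00 0000000000000000000000003353C9CEF108B584'
SAMPLE_1_7_1='[GNUPG:] ERRSIG 00000000ADF0D2D9 1 2 00 1395756204 9
[GNUPG:] NO_PUBKEY 00000000ADF0D2D9'

printf '%s\n' "$SAMPLE_2_0_0" | classify_status "$PINNED"
printf '%s\n' "$SAMPLE_1_7_1" | classify_status "$PINNED"
```

With a real keyring, `verify_release qemu-2.0.0.tar.bz2 qemu-2.0.0.tar.bz2.sig` returns non-zero for anything other than a valid signature from a pinned fingerprint, including the missing-key case.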