Re: [Qemu-devel] Who signed gemu-1.7.1.tar.bz2?
Anthony Liguori writes: > On 04/22/14 07:35, Michael Roth wrote: >> Quoting Stefan Hajnoczi (2014-04-22 08:31:08) >>> On Wed, Apr 02, 2014 at 05:40:23PM -0700, Alex Davis wrote: and where is their gpg key? >>> >>> Michael Roth is doing releases: >>> >>> http://pgp.mit.edu/pks/lookup?op=vindex&search=0x3353C9CEF108B584 >>> >>> >>> > $ gpg --verify qemu-2.0.0.tar.bz2.sig >>> gpg: Signature made Thu 17 Apr 2014 03:49:55 PM CEST using RSA >>> key ID F108B584 gpg: Good signature from "Michael Roth >>> " gpg: aka "Michael Roth >>> " gpg: aka "Michael Roth >>> " >> >> Missed the context, but if this is specifically about 1.7.1: >> >> 1.7.1 was prior to me handling the release tarballs, Anthony >> actually did the signing and uploading for that one. I'm a bit >> confused though, as the key ID on that tarball is: >> >> mdroth@loki:~/Downloads$ gpg --verify qemu-1.7.1.tar.bz2.sig gpg: >> Signature made Tue 25 Mar 2014 09:03:24 AM CDT using RSA key ID >> ADF0D2D9 gpg: Can't check signature: public key not found >> >> I can't seem to locate ADF0D2D9 though: >> >> http://pgp.mit.edu/pks/lookup?search=0xADF0D2D9&op=vindex >> >> Anthony's normal key (for 1.6.0 and 1.7.0 at least) was 7C18C076: >> >> http://pgp.mit.edu/pks/lookup?search=0x7C18C076&op=vindex >> >> I think maybe Anthony might've signed it with a separate local >> key? > > Yeah, I accidentally signed it with the wrong key. Replacing the > signature doesn't seem like the right thing to do since release > artifacts should never change. You could still publish the key, with some suitable signatures.
Re: [Qemu-devel] Who signed gemu-1.7.1.tar.bz2?
On Tue, Apr 22, 2014 at 09:35:07AM -0500, Michael Roth wrote: > Quoting Stefan Hajnoczi (2014-04-22 08:31:08) > > On Wed, Apr 02, 2014 at 05:40:23PM -0700, Alex Davis wrote: > > > and where is their gpg key? > > > > Michael Roth is doing releases: > > > > http://pgp.mit.edu/pks/lookup?op=vindex&search=0x3353C9CEF108B584 > > > > $ gpg --verify qemu-2.0.0.tar.bz2.sig > > gpg: Signature made Thu 17 Apr 2014 03:49:55 PM CEST using RSA key ID > > F108B584 > > gpg: Good signature from "Michael Roth " > > gpg: aka "Michael Roth " > > gpg: aka "Michael Roth " > > Missed the context, but if this is specifically about 1.7.1: > > 1.7.1 was prior to me handling the release tarballs, Anthony actually > did the signing and uploading for that one. I'm a bit confused though, > as the key ID on that tarball is: > > mdroth@loki:~/Downloads$ gpg --verify qemu-1.7.1.tar.bz2.sig > gpg: Signature made Tue 25 Mar 2014 09:03:24 AM CDT using RSA key ID ADF0D2D9 > gpg: Can't check signature: public key not found > > I can't seem to locate ADF0D2D9 though: > > http://pgp.mit.edu/pks/lookup?search=0xADF0D2D9&op=vindex > > Anthony's normal key (for 1.6.0 and 1.7.0 at least) was 7C18C076: > > http://pgp.mit.edu/pks/lookup?search=0x7C18C076&op=vindex > > I think maybe Anthony might've signed it with a separate local key? This is a mess :). We need a page like this explaining how QEMU releases are signed: https://www.kernel.org/category/signatures.html Mike: as release manager, can you post a page like that to the QEMU wiki? Thanks, Stefan
Re: [Qemu-devel] Who signed gemu-1.7.1.tar.bz2?
Quoting Stefan Hajnoczi (2014-04-22 08:31:08) > On Wed, Apr 02, 2014 at 05:40:23PM -0700, Alex Davis wrote: > > and where is their gpg key? > > Michael Roth is doing releases: > > http://pgp.mit.edu/pks/lookup?op=vindex&search=0x3353C9CEF108B584 > > $ gpg --verify qemu-2.0.0.tar.bz2.sig > gpg: Signature made Thu 17 Apr 2014 03:49:55 PM CEST using RSA key ID > F108B584 > gpg: Good signature from "Michael Roth " > gpg: aka "Michael Roth " > gpg: aka "Michael Roth " Missed the context, but if this is specifically about 1.7.1: 1.7.1 was prior to me handling the release tarballs, Anthony actually did the signing and uploading for that one. I'm a bit confused though, as the key ID on that tarball is: mdroth@loki:~/Downloads$ gpg --verify qemu-1.7.1.tar.bz2.sig gpg: Signature made Tue 25 Mar 2014 09:03:24 AM CDT using RSA key ID ADF0D2D9 gpg: Can't check signature: public key not found I can't seem to locate ADF0D2D9 though: http://pgp.mit.edu/pks/lookup?search=0xADF0D2D9&op=vindex Anthony's normal key (for 1.6.0 and 1.7.0 at least) was 7C18C076: http://pgp.mit.edu/pks/lookup?search=0x7C18C076&op=vindex I think maybe Anthony might've signed it with a separate local key? > > Stefan
Re: [Qemu-devel] Who signed gemu-1.7.1.tar.bz2?
On 22 April 2014 14:31, Stefan Hajnoczi wrote: > On Wed, Apr 02, 2014 at 05:40:23PM -0700, Alex Davis wrote: >> and where is their gpg key? > > Michael Roth is doing releases: > > http://pgp.mit.edu/pks/lookup?op=vindex&search=0x3353C9CEF108B584 > > $ gpg --verify qemu-2.0.0.tar.bz2.sig > gpg: Signature made Thu 17 Apr 2014 03:49:55 PM CEST using RSA key ID > F108B584 > gpg: Good signature from "Michael Roth " > gpg: aka "Michael Roth " > gpg: aka "Michael Roth " NB that this is different from the key used to sign the 2.0 release tags in git; that's expected since I did the tagging and Michael did the tarballs. thanks -- PMM
Re: [Qemu-devel] Who signed gemu-1.7.1.tar.bz2?
On Wed, Apr 02, 2014 at 05:40:23PM -0700, Alex Davis wrote: > and where is their gpg key? Michael Roth is doing releases: http://pgp.mit.edu/pks/lookup?op=vindex&search=0x3353C9CEF108B584 $ gpg --verify qemu-2.0.0.tar.bz2.sig gpg: Signature made Thu 17 Apr 2014 03:49:55 PM CEST using RSA key ID F108B584 gpg: Good signature from "Michael Roth " gpg: aka "Michael Roth " gpg: aka "Michael Roth " Stefan