Re: [Qemu-devel] Who signed gemu-1.7.1.tar.bz2?

2014-04-23 Thread Markus Armbruster
Anthony Liguori  writes:

> On 04/22/14 07:35, Michael Roth wrote:
>> Quoting Stefan Hajnoczi (2014-04-22 08:31:08)
>>> On Wed, Apr 02, 2014 at 05:40:23PM -0700, Alex Davis wrote:
 and where is their gpg key?
>>> 
>>> Michael Roth  is doing releases:
>>> 
>>> http://pgp.mit.edu/pks/lookup?op=vindex&search=0x3353C9CEF108B584
>>>
>>>
>>> 
> $ gpg --verify qemu-2.0.0.tar.bz2.sig
>>> gpg: Signature made Thu 17 Apr 2014 03:49:55 PM CEST using RSA
>>> key ID F108B584 gpg: Good signature from "Michael Roth
>>> " gpg: aka "Michael Roth
>>> " gpg: aka "Michael Roth
>>> "
>> 
>> Missed the context, but if this is specifically about 1.7.1:
>> 
>> 1.7.1 was prior to me handling the release tarballs, Anthony
>> actually did the signing and uploading for that one. I'm a bit
>> confused though, as the key ID on that tarball is:
>> 
>> mdroth@loki:~/Downloads$ gpg --verify qemu-1.7.1.tar.bz2.sig gpg:
>> Signature made Tue 25 Mar 2014 09:03:24 AM CDT using RSA key ID
>> ADF0D2D9 gpg: Can't check signature: public key not found
>> 
>> I can't seem to locate ADF0D2D9 though:
>> 
>> http://pgp.mit.edu/pks/lookup?search=0xADF0D2D9&op=vindex
>> 
>> Anthony's normal key (for 1.6.0 and 1.7.0 at least) was 7C18C076:
>> 
>> http://pgp.mit.edu/pks/lookup?search=0x7C18C076&op=vindex
>> 
>> I think maybe Anthony might've signed it with a separate local
>> key?
>
> Yeah, I accidentally signed it with the wrong key.  Replacing the
> signature doesn't seem like the right thing to do since release
> artifacts should never change.

You could still publish the key, with some suitable signatures.



Re: [Qemu-devel] Who signed gemu-1.7.1.tar.bz2?

2014-04-23 Thread Stefan Hajnoczi
On Tue, Apr 22, 2014 at 09:35:07AM -0500, Michael Roth wrote:
> Quoting Stefan Hajnoczi (2014-04-22 08:31:08)
> > On Wed, Apr 02, 2014 at 05:40:23PM -0700, Alex Davis wrote:
> > > and where is their gpg key?
> > 
> > Michael Roth  is doing releases:
> > 
> > http://pgp.mit.edu/pks/lookup?op=vindex&search=0x3353C9CEF108B584
> > 
> > $ gpg --verify qemu-2.0.0.tar.bz2.sig 
> > gpg: Signature made Thu 17 Apr 2014 03:49:55 PM CEST using RSA key ID
> > F108B584
> > gpg: Good signature from "Michael Roth "
> > gpg: aka "Michael Roth "
> > gpg: aka "Michael Roth "
> 
> Missed the context, but if this is specifically about 1.7.1:
> 
> 1.7.1 was prior to me handling the release tarballs, Anthony actually
> did the signing and uploading for that one. I'm a bit confused though,
> as the key ID on that tarball is:
> 
> mdroth@loki:~/Downloads$ gpg --verify qemu-1.7.1.tar.bz2.sig 
> gpg: Signature made Tue 25 Mar 2014 09:03:24 AM CDT using RSA key ID ADF0D2D9
> gpg: Can't check signature: public key not found
> 
> I can't seem to locate ADF0D2D9 though:
> 
>   http://pgp.mit.edu/pks/lookup?search=0xADF0D2D9&op=vindex
> 
> Anthony's normal key (for 1.6.0 and 1.7.0 at least) was 7C18C076:
> 
>   http://pgp.mit.edu/pks/lookup?search=0x7C18C076&op=vindex
> 
> I think maybe Anthony might've signed it with a separate local key?

This is a mess :).

We need a page like this explaining how QEMU releases are signed:
https://www.kernel.org/category/signatures.html

Mike: as release manager, can you post a page like that to the QEMU
wiki?

Thanks,
Stefan



Re: [Qemu-devel] Who signed gemu-1.7.1.tar.bz2?

2014-04-22 Thread Michael Roth
Quoting Stefan Hajnoczi (2014-04-22 08:31:08)
> On Wed, Apr 02, 2014 at 05:40:23PM -0700, Alex Davis wrote:
> > and where is their gpg key?
> 
> Michael Roth  is doing releases:
> 
> http://pgp.mit.edu/pks/lookup?op=vindex&search=0x3353C9CEF108B584
> 
> $ gpg --verify qemu-2.0.0.tar.bz2.sig 
> gpg: Signature made Thu 17 Apr 2014 03:49:55 PM CEST using RSA key ID
> F108B584
> gpg: Good signature from "Michael Roth "
> gpg: aka "Michael Roth "
> gpg: aka "Michael Roth "

Missed the context, but if this is specifically about 1.7.1:

1.7.1 was prior to me handling the release tarballs, Anthony actually
did the signing and uploading for that one. I'm a bit confused though,
as the key ID on that tarball is:

mdroth@loki:~/Downloads$ gpg --verify qemu-1.7.1.tar.bz2.sig 
gpg: Signature made Tue 25 Mar 2014 09:03:24 AM CDT using RSA key ID ADF0D2D9
gpg: Can't check signature: public key not found

I can't seem to locate ADF0D2D9 though:

  http://pgp.mit.edu/pks/lookup?search=0xADF0D2D9&op=vindex

Anthony's normal key (for 1.6.0 and 1.7.0 at least) was 7C18C076:

  http://pgp.mit.edu/pks/lookup?search=0x7C18C076&op=vindex

I think maybe Anthony might've signed it with a separate local key?

> 
> Stefan




Re: [Qemu-devel] Who signed gemu-1.7.1.tar.bz2?

2014-04-22 Thread Peter Maydell
On 22 April 2014 14:31, Stefan Hajnoczi  wrote:
> On Wed, Apr 02, 2014 at 05:40:23PM -0700, Alex Davis wrote:
>> and where is their gpg key?
>
> Michael Roth  is doing releases:
>
> http://pgp.mit.edu/pks/lookup?op=vindex&search=0x3353C9CEF108B584
>
> $ gpg --verify qemu-2.0.0.tar.bz2.sig
> gpg: Signature made Thu 17 Apr 2014 03:49:55 PM CEST using RSA key ID
> F108B584
> gpg: Good signature from "Michael Roth "
> gpg: aka "Michael Roth "
> gpg: aka "Michael Roth "

NB that this is different from the key used to sign the 2.0 release tags
in git; that's expected since I did the tagging and Michael did the
tarballs.

thanks
-- PMM



Re: [Qemu-devel] Who signed gemu-1.7.1.tar.bz2?

2014-04-22 Thread Stefan Hajnoczi
On Wed, Apr 02, 2014 at 05:40:23PM -0700, Alex Davis wrote:
> and where is their gpg key?

Michael Roth  is doing releases:

http://pgp.mit.edu/pks/lookup?op=vindex&search=0x3353C9CEF108B584

$ gpg --verify qemu-2.0.0.tar.bz2.sig 
gpg: Signature made Thu 17 Apr 2014 03:49:55 PM CEST using RSA key ID
F108B584
gpg: Good signature from "Michael Roth "
gpg: aka "Michael Roth "
gpg: aka "Michael Roth "

Stefan