Hi,

With the signed Windows binaries and sources gpg gives:

gpg: Signature made Sat 30 Mar 02:11:51 2013 EST using RSA key ID 458BCC72
gpg: Good signature from "Frédéric THOMAS <ftho...@apache.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: CEB8 E6C7 AEE2 65E4 74C7 A23D EB3C 3109 458B CC72

If you look at the key here, it's only self-signed.
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xEB3C3109458BCC72

The binaries signed by me give:

gpg: Signature made Sun 31 Mar 16:06:30 2013 EST using RSA key ID AEEAD151
gpg: Good signature from "Justin Mclean <jmcl...@apache.org>"

I think we need a KEYS file containing Frédéric's signature. See [1] under "What Does 'Public Key Not Found' Mean (When Verifying A Signature)?":

"Unknown keys can often be downloaded from public key servers. However, these should only be trusted through a web of trust."

Justin

1. http://www.apache.org/dev/release-signing.html
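The message above shows the failure mode exactly: gpg reports "Good signature" (the cryptography checks out) but immediately warns that nothing ties the key to its claimed owner. A release checker should therefore not stop at "Good signature"; it should pin the signing key's fingerprint to the project's KEYS file. The Python below is an added example, not code from the thread or from Apache: it parses the machine-readable output of `gpg --status-fd 1 --verify` and only reports "verified" when the primary key fingerprint is one collected from a KEYS file. The fingerprint is the one gpg printed in the message; the status lines, the KEYS snippet and the timestamp are constructed for the example.

```python
import re

# Fingerprints a checker would collect from the project's KEYS file.
# The value is the one gpg printed above; the set itself is constructed.
KEYS_FINGERPRINTS = {
    "CEB8E6C7AEE265E474C7A23DEB3C3109458BCC72",
}

# Constructed KEYS-file excerpt in the "gpg --fingerprint" layout KEYS files use.
KEYS_TEXT = """\
pub   4096R/458BCC72 2013-03-29
      Key fingerprint = CEB8 E6C7 AEE2 65E4 74C7 A23D EB3C 3109 458B CC72
uid                  Frédéric THOMAS <ftho...@apache.org>
"""

# Constructed status lines of the shape 'gpg --status-fd 1 --verify sig file'
# emits for a good signature from a key that is only self-signed.
STATUS_SELF_SIGNED_KEY = [
    "gpg: Signature made Sat 30 Mar 02:11:51 2013 EST using RSA key ID 458BCC72",
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG EB3C3109458BCC72 Frédéric THOMAS <ftho...@apache.org>",
    # VALIDSIG: signing-key fpr, date, timestamp (constructed), expiry, version,
    # reserved, pubkey algo, hash algo, sig class, primary-key fpr
    "[GNUPG:] VALIDSIG CEB8E6C7AEE265E474C7A23DEB3C3109458BCC72 2013-03-30 "
    "1364627511 0 4 0 1 2 00 CEB8E6C7AEE265E474C7A23DEB3C3109458BCC72",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]

# Constructed status lines for a signature that does not match the file.
STATUS_BAD = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] BADSIG EB3C3109458BCC72 Frédéric THOMAS <ftho...@apache.org>",
]


def fingerprints_from_keys_text(keys_text):
    """Collect every 'Key fingerprint = ...' value from a KEYS file as 40 hex chars."""
    fprs = set()
    for m in re.finditer(r"fingerprint\s*=\s*((?:[0-9A-F]{4}\s*){10})", keys_text):
        fprs.add(re.sub(r"\s", "", m.group(1)).upper())
    return fprs


def verify_status(status_lines, allowed_fprs):
    """Decide from gpg's status lines whether a signature is acceptable.

    Returns (verdict, detail):
      'verified'   GOODSIG and VALIDSIG present, primary fingerprint is pinned
      'untrusted'  signature is good but the key is not in the allowlist
                   (this is the situation the gpg WARNING above describes)
      'bad'        BADSIG, ERRSIG, NO_PUBKEY, or no VALIDSIG at all
    """
    goodsig = False
    primary_fpr = None
    trust = None
    for line in status_lines:
        if not line.startswith("[GNUPG:] "):
            continue  # human-readable lines on the same fd are ignored
        fields = line[len("[GNUPG:] "):].split()
        tag = fields[0]
        if tag == "GOODSIG":
            goodsig = True
        elif tag == "VALIDSIG":
            # field 10 is the primary key fingerprint; fall back to the
            # signing-key fingerprint in field 1 if gpg omitted it
            primary_fpr = fields[10] if len(fields) > 10 else fields[1]
        elif tag.startswith("TRUST_"):
            trust = tag  # TRUST_UNDEFINED is what a merely self-signed key yields
        elif tag in ("BADSIG", "ERRSIG", "NO_PUBKEY"):
            return "bad", tag
    if not (goodsig and primary_fpr):
        return "bad", "no VALIDSIG"
    if primary_fpr.upper() in allowed_fprs:
        return "verified", primary_fpr.upper()
    return "untrusted", f"{primary_fpr.upper()} ({trust or 'trust unknown'})"


if __name__ == "__main__":
    pinned = fingerprints_from_keys_text(KEYS_TEXT)
    print("with KEYS file:   ", verify_status(STATUS_SELF_SIGNED_KEY, pinned))
    print("without KEYS file:", verify_status(STATUS_SELF_SIGNED_KEY, set()))
    print("tampered artifact:", verify_status(STATUS_BAD, pinned))
```

Pinning to the fingerprint from KEYS is what makes the "untrusted" case distinguishable from "verified": the same GOODSIG/VALIDSIG lines are accepted only once the KEYS file has been fetched from the project itself rather than from a key server, which is the distinction the release-signing page draws.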