On 12/16/13 7:15 PM, "Justin Mclean" <jus...@classsoftware.com> wrote:
>Hi,
>
>Have the releases been signed with a correct key?

Interesting. I didn't notice that, but yeah, F8… is a sub key. Do you know the steps I need to take to fix all of this? I've spent the past hour trying to figure out what to do. Why did sign_and_hash.sh pick my sub key? How do I update the KEYS file?

Thanks,
-Alex

>
>Asking as [1] says this "It is recommended that your Apache email address is used as the primary User-ID for the code signing key". The artefacts are signed by aha...@adobe.com key F8502A44 which is obviously not an Apache email address.
>
>If you ignore [1] (it's only recommended) the KEYS file contains the key C9383D43 with a sub key of F8502A44. Looking up aha...@adobe.com here [2] gives me the id C9383D43 not F8502A44. So it looks like it's been signed with the sub key and not the public key. My (limited) understanding was that public keys are used for signing and sub keys for encryption. Does this matter? Not 100% sure but [3] + [4] seem to imply that there might be an issue here.
>
>Thanks,
>Justin
>
>1. http://www.apache.org/dev/release-signing.html#user-id
>2. http://pgp.mit.edu/pks/lookup?search=aharui%40adobe.com&op=index
>3. http://www.apache.org/dev/release-signing.html#subkey
>4. http://www.gnupg.org/faq/subkey-cross-certify.html
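One way to answer the question raised in this exchange, which key actually produced a release signature and whether it is the primary key or a subkey listed in KEYS, as an added example that is not code from the thread, from sign_and_hash.sh or from Apache: it reads the Issuer subpacket out of a binary OpenPGP v4 signature packet (RFC 4880) and checks the key ID against the primary/subkey layout Justin describes. The KEYS dictionary reproduces only the short IDs quoted above, and the 16-digit issuer ID in the constructed sample signature is a placeholder whose low 32 bits are the thread's F8502A44.

```python
import struct
KEYS = {"C9383D43": ["F8502A44"]}  # primary -> subkeys, short IDs as quoted in the thread

def _packet_body(packet):
    """Split one OpenPGP packet into (tag, body); old- and new-format headers, RFC 4880 4.2."""
    first = packet[0]
    if first & 0x40:                                       # new-format header, one/two-octet length
        tag, b0 = first & 0x3F, packet[1]
        length, start = (b0, 2) if b0 < 192 else (((b0 - 192) << 8) + packet[2] + 192, 3)
        return tag, packet[start:start + length]
    tag, n = (first >> 2) & 0x0F, {0: 1, 1: 2, 2: 4}[first & 0x03]  # 3 = indeterminate, rejected
    return tag, packet[1 + n:1 + n + int.from_bytes(packet[1:1 + n], "big")]

def _subpackets(area):
    """Yield (type, data) for each signature subpacket in a hashed or unhashed area."""
    i = 0
    while i < len(area):
        b0 = area[i]
        length, i = (b0, i + 1) if b0 < 192 else (((b0 - 192) << 8) + area[i + 1] + 192, i + 2)
        yield area[i] & 0x7F, area[i + 1:i + length]       # mask the critical bit off the type
        i += length

def signature_issuer(packet):
    """Return the 16-hex-digit key ID from the Issuer subpacket (type 16) of a v4 signature."""
    tag, body = _packet_body(packet)
    if tag != 2 or body[0] != 4:
        raise ValueError("not a v4 signature packet")
    hl = struct.unpack(">H", body[4:6])[0]                 # hashed subpacket area length
    ul = struct.unpack(">H", body[6 + hl:8 + hl])[0]       # unhashed subpacket area length
    for area in (body[6:6 + hl], body[8 + hl:8 + hl + ul]):
        for stype, data in _subpackets(area):
            if stype == 16:                                # Issuer: 8-octet key ID of the signer
                return data.hex().upper()
    raise ValueError("signature names no issuer")

def classify_signer(keyid, keys=KEYS):
    """Report whether a signing key ID is a primary key, a subkey, or absent from KEYS."""
    short = keyid[-8:]                                     # KEYS layout above uses short IDs
    if short in keys:
        return "primary key"
    owner = next((p for p, subs in keys.items() if short in subs), None)
    return f"subkey of {owner}" if owner else "not in KEYS"

def build_v4_signature(issuer_keyid_hex):
    """Construct a minimal v4 signature packet for testing; hash prefix and MPI are dummies."""
    hashed = b"\x05\x02" + struct.pack(">I", 1387152000)   # creation-time subpacket (constructed)
    unhashed = b"\x09\x10" + bytes.fromhex(issuer_keyid_hex)  # issuer subpacket, type 16
    body = (b"\x04\x00\x01\x08" + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + b"\xab\xcd\x00\x08\xaa")
    return bytes([0x88, len(body)]) + body                 # old-format header, tag 2, 1-octet length
```

Running `gpg --verify` on a real `.asc` prints the same issuer key ID; comparing it with the `sub` lines of `gpg --list-keys` for the KEYS entry gives the same primary-versus-subkey answer without the parser.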