On 30 August 2013 14:48, Rob Weir <robw...@apache.org> wrote:
> Moving conversation over to the dev list...
>
> On Sun, Aug 25, 2013 at 8:18 PM, Ariel Constenla-Haile
> <arie...@apache.org> wrote:
>> On Sun, Aug 25, 2013 at 05:31:35PM -0400, Rob Weir wrote:
>>> > I wanted to verify the
>>> > Apache_OpenOffice_4.0.0_Linux_x86-64_install-rpm_en-US.tar.gz.asc
>>> > against my download. I downloaded the KEYS using: wget
>>> > http://www.apache.org/dist/openoffice/KEYS Then I imported the keys.
>>> >
>>> > But when I ran gpg --verify it said:
>>> >
>>> > $ gpg --verify
>>> > Apache_OpenOffice_4.0.0_Linux_x86-64_install-rpm_en-US.tar.gz.asc
>>> > gpg: Signature made Tue 16 Jul 2013 05:39:05 PM CDT using RSA
>>> > key ID B8E50356 gpg: Can't check signature: No public key
>>> >
>>> > The Key ID B8E50356 is not in the set I downloaded from your KEYS
>>> > file. Why is it not in there??
>>> >
>>>
>>> Hi Ariel, is B8E50356 your key?
>>
>> Yes, it is a bug that my key is not in
>> http://www.apache.org/dist/openoffice/KEYS
>>
>> This file should be a copy of

That's debatable, see below.

>> https://people.apache.org/keys/group/openoffice.asc or
>> https://people.apache.org/keys/group/openoffice-pmc.asc (in case only
>> PMC members are supposed to sign artifacts).
>>
>
> Does anyone know: can we (may we?) do this now? Or is this something
> to fix in 4.0.1 release?

The KEY used to sign an artifact MUST be in the KEYS file that is
linked from the download page(s).
This is something that should be checked as part of a release vote.

The files under https://people.apache.org/keys/group/ are
automatically generated from LDAP.
As such they only contain keys from current entries.
However KEYS files may still be needed to validate archive releases
where the key is not in LDAP (or the key is in LDAP but the owner is
no longer in the relevant TLP or PMC group).

For the above reasons, at present I don't think it makes sense to
blindly copy the file.

The file http://www.apache.org/dist/openoffice/KEYS has historically
been manually maintained.
New keys are added to the file as required.
Old keys are never deleted, as they may have been used for signing
archive releases.
[I guess there might be a case for deleting a compromised key]

So I suggest you just add the missing key(s) - with header info please
- to the dist/oo/KEYS file.

> -Rob
>
>
>>
>> @OP: please import the keys from
>> https://people.apache.org/keys/group/openoffice-pmc.asc
>>
>>> > Allen
>>
>> I suggest you configure Enigmail in Thunderbird to sign using PGP/MIME
>> instead of the old-fashioned inline-PGP, in Thunderbird's Account
>> Settings go to OpenPGP Options and enable "Use PGP/MIME by default", as
>> explained here http://www.rainydayz.org/content/81-account-settings
>>
>>
>> Regards
>> --
>> Ariel Constenla-Haile
>> La Plata, Argentina
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
> For additional commands, e-mail: dev-h...@openoffice.apache.org
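
The release-vote check described in the reply above (the key that signed an artifact must be in the published KEYS file), as an added Python example that is not part of the original thread or of any Apache tooling: it reads the issuer key ID from a detached .asc signature and looks for a matching key or subkey in KEYS. The function names and the two sample blobs are constructed for illustration, and only v4 keys and signatures are read.

```python
import base64, hashlib, re

def dearmor(text):
    """Yield the raw bytes of each armored signature or public key block in text."""
    for blk in re.findall(r"-----BEGIN PGP (?:SIGNATURE|PUBLIC KEY BLOCK)-----(.*?)-----END PGP", text, re.S):
        b64 = re.split(r"\n\s*\n", blk, maxsplit=1)[-1]   # armor headers end at a blank line
        yield base64.b64decode("".join(t for t in b64.split() if t[0] != "="))  # drop CRC line

def read_length(buf, i, sub=False):   # new-format packet length, or subpacket length if sub
    n, i = buf[i], i + 1
    if n == 255:
        return int.from_bytes(buf[i:i + 4], "big"), i + 4
    if n >= 224 and not sub:
        raise ValueError("partial body lengths are not supported")
    return (((n - 192) << 8) + buf[i] + 192, i + 1) if n >= 192 else (n, i)

def packets(data):   # yield (tag, body) for each OpenPGP packet, old- or new-format header
    i = 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if hdr & 0x40:                                # new format: tag in the low 6 bits
            tag, (n, i) = hdr & 0x3F, read_length(data, i)
        else:                                         # old format: tag in bits 5-2
            tag, w = (hdr >> 2) & 15, (1, 2, 4, 0)[hdr & 3]
            n, i = (int.from_bytes(data[i:i + w], "big"), i + w) if w else (len(data) - i, i)
        yield tag, data[i:i + n]
        i += n

def missing_signers(asc_text, keys_text):
    """Key IDs named as issuer in the .asc that match no v4 key or subkey in KEYS."""
    have = {hashlib.sha1(b"\x99" + len(b).to_bytes(2, "big") + b).hexdigest()[-16:].upper()
            for blob in dearmor(keys_text) for tag, b in packets(blob)
            if tag in (6, 14) and b[:1] == b"\x04"}
    want = set()
    for blob in dearmor(asc_text):
        for tag, b in packets(blob):
            if tag == 2 and b[:1] == b"\x04":
                h = int.from_bytes(b[4:6], "big")             # hashed-area length
                u = int.from_bytes(b[6 + h:8 + h], "big")     # unhashed-area length
                area, i = b[6:6 + h] + b[8 + h:8 + h + u], 0
                while i < len(area):
                    n, i = read_length(area, i, sub=True)     # n = type octet + data
                    if n and area[i] & 0x7F in (16, 33):      # Issuer / Issuer Fingerprint
                        want.add(area[i + 1:i + n][-8:].hex().upper())
                    i += n
    return want - have

SIG = "-----BEGIN PGP SIGNATURE-----\n\niBIEAAECAAAACgkQqrvM3REiM0Q=\n-----END PGP SIGNATURE-----\n"  # constructed stub, issuer AABBCCDD11223344
KEYS = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n\nmAwEUeWcKQEACP8AAgM=\n-----END PGP PUBLIC KEY BLOCK-----\n"  # constructed dummy v4 key
```

An empty result only shows that the signing key is shipped in KEYS; the signature itself still has to be checked with `gpg --verify` after importing that file.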