On Wed, Apr 6, 2022 at 1:28 AM Nathan Hartman <hartman.nat...@gmail.com> wrote:
> On Tue, Apr 5, 2022 at 7:19 PM Mark Phippard <markp...@gmail.com> wrote:
>> On Tue, Apr 5, 2022 at 4:49 PM Johan Corveleyn <jcor...@gmail.com> wrote:
>> > 4. Signature verified OK, but Mark's key not trusted, which, as Nathan
>> > also said, is normal because it hasn't been cross-signed by anyone
>> > in my "web of trust". Okay, it's in the KEYS file (i.e. part of the
>> > Apache records for Mark's id). This is as good as we can do, so +1.
>>
>> I am surprised that you all try to verify to this depth. I always just
>> treated the signatures like a slightly better sha1 and did a simple
>> gpg --verify to see if the signature was valid? Did you all cross-sign
>> each other's keys at one of the old developer meetups or something?
>
> gpg --verify checks if the key is in your web of trust automatically and
> prints a warning if not, so it wasn't anything special we had to do.
>
> Perhaps other SVN devs cross-signed each other's keys in past hackathons,
> but mine isn't cross-signed yet.

Yes, on various occasions in the past we did have so-called "keysigning
parties", where we exchanged / cross-signed each other's keys. At all of
the SVN Hackathons hosted by Elego in Berlin, for instance. I suppose other
Apache events do them too.

I don't remember the exact details, but I found some background here:

https://infra.apache.org/release-signing.html#web-of-trust
https://infra.apache.org/release-signing.html#key-signing-party

-- 
Johan
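The distinction the thread turns on (signature valid versus signing key trusted in your web of trust) is easy to miss in gpg's human-readable warning. The script below is an added example, not code from this thread or from the Subversion project; it reads gpg's machine-readable `--status-fd` lines and reports the two facts separately, and `verify_release` (a hypothetical helper) checks a release against a keyring seeded only from the KEYS file.

```sh
#!/bin/sh
# Added example, not code from the thread. Separates the two facts that
# `gpg --verify` reports: whether the signature is valid, and whether the
# signing key is trusted in the local web of trust. Uses gpg's machine-readable
# status lines (--status-fd) rather than the human-readable warning text.

# classify_status: read "[GNUPG:] ..." status lines on stdin and print exactly
# one verdict: bad | nokey | valid-untrusted | valid-trusted
classify_status() {
    good=0 bad=0 nokey=0 trusted=0
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] GOODSIG "*)   good=1 ;;
            "[GNUPG:] BADSIG "*)    bad=1 ;;
            "[GNUPG:] NO_PUBKEY "*) nokey=1 ;;
            # Only full/ultimate ownertrust counts; TRUST_UNDEFINED is the
            # "key not trusted" case described in the thread.
            "[GNUPG:] TRUST_FULLY "*|"[GNUPG:] TRUST_ULTIMATE "*) trusted=1 ;;
        esac
    done
    if   [ "$bad" = 1 ];   then echo bad
    elif [ "$nokey" = 1 ]; then echo nokey
    elif [ "$good" = 1 ] && [ "$trusted" = 1 ]; then echo valid-trusted
    elif [ "$good" = 1 ]; then echo valid-untrusted
    else echo bad    # no GOODSIG at all: treat any other outcome as a failure
    fi
}

# signing_fpr: print the primary-key fingerprint (last field of VALIDSIG),
# so the caller can compare it with a fingerprint obtained out of band.
signing_fpr() {
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*) echo "${line##* }" ;;
        esac
    done
}

# verify_release KEYS file.asc file: verify in a throwaway keyring seeded
# only from the project's KEYS file, so nothing in ~/.gnupg influences it.
verify_release() {
    tmp=$(mktemp -d) || return 2
    GNUPGHOME="$tmp" gpg --batch --quiet --import "$1" 2>/dev/null
    status=$(GNUPGHOME="$tmp" gpg --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null)
    rm -rf "$tmp"
    printf '%s\n' "$status" | classify_status
    printf '%s\n' "$status" | signing_fpr
}
```

In a freshly seeded keyring every key from KEYS has undefined ownertrust, so a good signature yields `valid-untrusted`, which is the situation Johan describes: it proves the artifact was signed by a key listed in KEYS, and the printed fingerprint is what you compare against one obtained from the signer out of band.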