On 04/29/13 19:35, Scott Baldwin wrote:
> I was able to verify it with the .sig from gnu.org ftp, along with the info
> at http://ftp.gnu.org/ about where to obtain the gnu-keyring.gpg file.
>
> A suggestion... In addition to making sure the .sig is copied to your
> mirrors, I recommend including the gnu-keyring.gpg info (from
> http://ftp.gnu.org) at http://gcc.gnu.org/mirrors.html instead of just
> saying "The archives on these mirrors will be signed by one of the following
> GnuPG keys: ..." and listing the fingerprints (but not providing the actual
> keys).
>
> One more thing... 4.8.0 was signed with an expired key:
>
> $ gpg --verify --keyring ./gnu-keyring.gpg ./gcc-4.8.0.tar.gz.sig
> gpg: Signature made Fri 22 Mar 2013 08:32:29 AM CDT using DSA key ID
> C3C45C06
> gpg: Good signature from "Jakub Jelinek <ja...@redhat.com>"
> gpg: Note: This key has expired!
> Primary key fingerprint: 33C2 35A3 4C46 AA3F FB29 3709 A328 C3A2
> C3C4 5C06
> [snip]

Using the following files:

http://open-source-box.org/gcc/gcc-4.8.0/gcc-4.8.0.tar.bz2
http://open-source-box.org/gcc/gcc-4.8.0/gcc-4.8.0.tar.bz2.sig
http://ftp.gnu.org/gnu/gnu-keyring.gpg

the verification command and result are:

~/download/gcc/4.8 $ gpg --verify --keyring ./gnu-keyring.gpg ./gcc-4.8.0.tar.bz2.sig
gpg: Signature made Fri Mar 22 08:32:18 2013 CDT using DSA key ID C3C45C06
gpg: Good signature from "Jakub Jelinek <ja...@redhat.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 33C2 35A3 4C46 AA3F FB29 3709 A328 C3A2 C3C4 5C06
~/download/gcc/4.8 $

Should I be worried about the gpg: WARNING?

TIA.
-Larry
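The two verification runs quoted in this thread show the two outcomes a downloader has to tell apart: a good signature from the expected key whose only complaint is the "not certified with a trusted signature" warning (gpg has no web-of-trust path to the key, which is normal when the keyring was itself just downloaded), and a good signature from the expected key that has since expired. The check that replaces the missing trust path is comparing the full fingerprint gpg reports against the one published on http://gcc.gnu.org/mirrors.html. The script below is an added example, not code from the thread or from the GCC or GNU projects. It assumes gpg's machine-readable `--status-fd` output (the GOODSIG, EXPKEYSIG, BADSIG, NO_PUBKEY, VALIDSIG and TRUST_UNDEFINED keywords documented in GnuPG's doc/DETAILS); the status files it writes are constructed to mirror the two runs above, and the expected fingerprint is the one printed in the thread.

```shell
#!/bin/sh
# Added example (not from the thread or from GCC/GNU): decide whether a downloaded
# tarball is acceptable from gpg's machine-readable status output instead of from
# the human-readable WARNING lines.
#
# Real usage (assumed invocation; see GnuPG doc/DETAILS for the status format):
#   gpg --status-fd 1 --keyring ./gnu-keyring.gpg \
#       --verify gcc-4.8.0.tar.bz2.sig gcc-4.8.0.tar.bz2 > status.txt
#   check_signature status.txt "$GCC_FPR"; echo "rc=$?"

# Fingerprint printed in the thread for key ID C3C45C06, spaces removed.
# This is the value to compare against the list on gcc.gnu.org/mirrors.html.
GCC_FPR="33C235A34C46AA3FFB293709A328C3A2C3C45C06"

# check_signature STATUS_FILE EXPECTED_FPR
# Return codes: 0 = good signature from the expected key
#               2 = good signature from the expected key, but the key has expired
#               1 = anything else (bad signature, key missing, different key)
# TRUST_UNDEFINED (the "not certified with a trusted signature" warning) is
# expected with a freshly downloaded keyring; the fingerprint comparison below
# is what stands in for the missing web-of-trust path, so it is not a failure.
check_signature() {
    status_file=$1
    expected=$2

    if grep -q '^\[GNUPG:\] BADSIG ' "$status_file"; then
        echo "REJECT: signature does not match the file"
        return 1
    fi
    if grep -q '^\[GNUPG:\] NO_PUBKEY ' "$status_file"; then
        echo "REJECT: signing key is not in the keyring"
        return 1
    fi

    # VALIDSIG carries the full 40-hex-digit fingerprint (field 3); GOODSIG and
    # EXPKEYSIG only carry the short key ID, which is too short to compare
    # safely against a published fingerprint.
    fpr=$(awk '$2 == "VALIDSIG" { print $3; exit }' "$status_file")
    if [ -z "$fpr" ]; then
        echo "REJECT: no VALIDSIG line, signature was not verified"
        return 1
    fi
    if [ "$fpr" != "$expected" ]; then
        echo "REJECT: signed by $fpr, expected $expected"
        return 1
    fi

    if grep -q '^\[GNUPG:\] EXPKEYSIG ' "$status_file"; then
        echo "ACCEPT WITH CAVEAT: good signature from the expected key, but the key has expired"
        return 2
    fi
    if grep -q '^\[GNUPG:\] GOODSIG ' "$status_file"; then
        echo "ACCEPT: good signature from expected key $fpr"
        return 0
    fi
    echo "REJECT: unexpected status output"
    return 1
}

# write_samples DIR: constructed status files modelled on the two runs quoted
# in the thread (not real gpg output; timestamps are arbitrary and the signer's
# address stays elided exactly as the thread shows it).
write_samples() {
    dir=$1
    # 4.8.0 signed by the expected key after it had expired (Scott's run)
    printf '%s\n' \
        '[GNUPG:] NEWSIG' \
        '[GNUPG:] KEYEXPIRED 1356998400' \
        '[GNUPG:] EXPKEYSIG A328C3A2C3C45C06 Jakub Jelinek <ja...@redhat.com>' \
        "[GNUPG:] VALIDSIG $GCC_FPR 2013-03-22 1363959138 0 4 0 17 2 00 $GCC_FPR" \
        '[GNUPG:] TRUST_UNDEFINED' > "$dir/expired.txt"
    # same key, not expired, only the trust warning (Larry's run)
    printf '%s\n' \
        '[GNUPG:] NEWSIG' \
        '[GNUPG:] GOODSIG A328C3A2C3C45C06 Jakub Jelinek <ja...@redhat.com>' \
        "[GNUPG:] VALIDSIG $GCC_FPR 2013-03-22 1363959138 0 4 0 17 2 00 $GCC_FPR" \
        '[GNUPG:] TRUST_UNDEFINED' > "$dir/trust-warning.txt"
    # good signature, but from a key whose fingerprint is not the published one
    printf '%s\n' \
        '[GNUPG:] NEWSIG' \
        '[GNUPG:] GOODSIG 0000000000000000 Someone Else <nobody@example.invalid>' \
        '[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2013-03-22 1363959138 0 4 0 17 2 00 0000000000000000000000000000000000000000' \
        '[GNUPG:] TRUST_UNDEFINED' > "$dir/wrong-key.txt"
    # signature does not match the file
    printf '%s\n' \
        '[GNUPG:] NEWSIG' \
        '[GNUPG:] BADSIG A328C3A2C3C45C06 Jakub Jelinek <ja...@redhat.com>' > "$dir/bad.txt"
}

# Stand-alone demo over the constructed samples.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in trust-warning expired wrong-key bad; do
    rc=0; check_signature "$demo_dir/$f.txt" "$GCC_FPR" || rc=$?
    echo "  -> $f.txt: rc=$rc"
done
rm -rf "$demo_dir"
```

Feed it a real status file captured with `--status-fd 1` and the published fingerprint; return code 0 is the "WARNING but fingerprint matches" case the thread asks about, and 2 flags the expired-key case so the caller can decide whether to accept a release signed after the key's expiry date rather than silently treating it as good.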