[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Signing key for 0.10.0
|
From: |
Benson Muite |
|
Subject: |
Re: Signing key for 0.10.0 |
|
Date: |
Thu, 29 Jun 2023 22:19:52 +0300 |
|
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.12.0 |
On 6/28/23 15:31, Benson Muite wrote:
> On 6/28/23 12:22, Arun Isaac wrote:
>>
>> Hi,
>>
>> Thanks for reporting this! The new signing key is mine. I joined the
>> skribilo team recently as a maintainer, and made the latest release. So,
>> I signed it with my key. But, I see this is probably not the best
>> idea. It would cause quite a lot of confusion everytime we have new
>> maintainers on the team.
>>
>> @Ludo: How should we best handle release signatures? Should we resign
>> the latest release with your key?
>>
>> Regards,
>> Arun
> Hi Arun,
> Thanks for maintaining Skribilo. Locally on my machine, get
> $ gpg2 --verify skribilo-0.10.0.tar.gz.sig
> gpg: assuming signed data in 'skribilo-0.10.0.tar.gz'
> gpg: Signature made Wed 08 Mar 2023 04:11:11 AM EAT
> gpg: using RSA key 7F730343F2F09F3C77BF79D32E25EE8B61802BB3
> gpg: Good signature from "Arun I <arunisaac@systemreboot.net>" [unknown]
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the
> owner.
> Primary key fingerprint: 7F73 0343 F2F0 9F3C 77BF 79D3 2E25 EE8B 6180 2BB3
>
> $ gpg2 --verify skribilo-0.9.5.tar.gz.sig
> gpg: assuming signed data in 'skribilo-0.9.5.tar.gz'
> gpg: Signature made Sun 01 Nov 2020 08:31:29 PM EAT
> gpg: using RSA key 3CE464558A84FDC69DB40CFB090B11993D9AEBB5
> gpg: Good signature from "Ludovic Courtès <ludo@gnu.org>" [unknown]
> gpg: aka "Ludovic Courtès <ludo@chbouib.org>" [unknown]
> gpg: aka "Ludovic Courtès (Inria)
> <ludovic.courtes@inria.fr>" [unknown]
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the
> owner.
> Primary key fingerprint: 3CE4 6455 8A84 FDC6 9DB4 0CFB 090B 1199 3D9A EBB5
>
> So it seems signed. However following:
> https://ftp.gnu.org/README
>
> $ gpgv --keyring ./gnu-keyring.gpg skribilo-0.10.0.tar.gz.sig
> skribilo-0.10.0.tar.gz
> gpgv: Signature made Wed 08 Mar 2023 04:11:11 AM EAT
> gpgv: using RSA key 7F730343F2F09F3C77BF79D32E25EE8B61802BB3
> gpgv: Can't check signature: No public key
>
> $ gpgv --keyring ./gnu-keyring.gpg skribilo-0.9.5.tar.gz.sig
> skribilo-0.9.5.tar.gz
> gpgv: Signature made Sun 01 Nov 2020 08:31:29 PM EAT
> gpgv: using RSA key 3CE464558A84FDC69DB40CFB090B11993D9AEBB5
> gpgv: Good signature from "Ludovic Courtès <ludo@gnu.org>"
> gpgv: aka "Ludovic Courtès <ludo@chbouib.org>"
> gpgv: aka "Ludovic Courtès (Inria)
> <ludovic.courtes@inria.fr>"
>
> So it seems you need to have your key added to those in GNUs keyring.
> Not sure what the process for this is, but hopefully it can be done.
>
> Regards,
> Benson
>
Arun,
The keys from
https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x7f730343f2f09f3c77bf79d32e25ee8b61802bb3
https://systemreboot.net/about/arunisaac.pub
Work, but the key from
https://keys.openpgp.org/vks/v1/by-fingerprint/7F730343F2F09F3C77BF79D32E25EE8B61802BB3
had an error when doing the verification.
Benson