[jetty-users] Using GPG to securely install Jetty

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

[jetty-users] Using GPG to securely install Jetty

From: Rob Nikander <rob.nikander@xxxxxxxxx>
Date: Fri, 3 Oct 2014 16:25:22 -0400
Delivered-to: jetty-users@xxxxxxxxxxx
List-archive: <https://dev.eclipse.org/mailman/private/jetty-users>
List-help: <mailto:jetty-users-request@eclipse.org?subject=help>
List-subscribe: <https://dev.eclipse.org/mailman/listinfo/jetty-users>, <mailto:jetty-users-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://dev.eclipse.org/mailman/options/jetty-users>, <mailto:jetty-users-request@eclipse.org?subject=unsubscribe>

Hi,

If I download the main Jetty tar.gz (http://download.eclipse.org/jetty/stable-9/dist/), and then the signature file, and then run `gpg --verify` ... it says it's a good signature, but how do I know it wasn't just tampered with and resigned by some random person? How do I know that this is the right key?

gpg: Signature made Fri 05 Sep 2014 03:02:06 PM UTC using DSA key ID D7C58886

gpg: Good signature from "Jesse McConnell (signing key) <jesse.mcconnell@xxxxxxxxx>" [unknown]

gpg: WARNING: This key is not certified with a trusted signature!

gpg: There is no indication that the signature belongs to the owner.

Primary key fingerprint: 5DE5 33CB 43DA F8BC 3E37 2283 E7AE 839C D7C5 8886

Rob

Follow-Ups:
- Re: [jetty-users] Using GPG to securely install Jetty
  - From: Jesse McConnell

Prev by Date: [jetty-users] Embedded jetty - update keystore/truststore while running
Next by Date: Re: [jetty-users] Using GPG to securely install Jetty
Previous by thread: [jetty-users] Embedded jetty - update keystore/truststore while running
Next by thread: Re: [jetty-users] Using GPG to securely install Jetty
Index(es):
- Date
- Thread

Breadcrumbs