[
Date Prev][
Date Next][
Thread Prev][
Thread Next][
Date Index][
Thread Index]
[
List Home]
|
Re: [jetty-users] Using GPG to securely install Jetty
|
FWIW, that is me :)
Key fingerprint = 5DE5 33CB 43DA F8BC 3E37 2283 E7AE 839C D7C5 8886
uid Jesse McConnell (signing key) <jesse.mcconnell@xxxxxxxxx>
I have advocated a key signing setup at the Eclipse Foundation before
but there was no interest in extending the circle of trust behind the
foundation key which is a palaver to use and not suitable for a normal
maven release process like ours.
I will float the idea of the rest of the jetty developers doing a
signing party though, probably long overdue.
cheers,
jesse
--
jesse mcconnell
jesse.mcconnell@xxxxxxxxx
On Fri, Oct 3, 2014 at 3:25 PM, Rob Nikander <rob.nikander@xxxxxxxxx> wrote:
> Hi,
>
> If I download the main Jetty tar.gz
> (http://download.eclipse.org/jetty/stable-9/dist/), and then the signature
> file, and then run `gpg --verify` ... it says it's a good signature, but how
> do I know it wasn't just tampered with and resigned by some random person?
> How do I know that this is the right key?
>
> gpg: Signature made Fri 05 Sep 2014 03:02:06 PM UTC using DSA key ID
> D7C58886
> gpg: Good signature from "Jesse McConnell (signing key)
> <jesse.mcconnell@xxxxxxxxx>" [unknown]
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the
> owner.
> Primary key fingerprint: 5DE5 33CB 43DA F8BC 3E37 2283 E7AE 839C D7C5 8886
>
> Rob
>
> _______________________________________________
> jetty-users mailing list
> jetty-users@xxxxxxxxxxx
> To change your delivery options, retrieve your password, or unsubscribe from
> this list, visit
> https://dev.eclipse.org/mailman/listinfo/jetty-users
