Posted to derby-user@db.apache.org by Tena Sakai <ts...@gallo.ucsf.edu> on 2009/05/19 23:43:53 UTC

newbie confused about "verifying release"

Hi,

I am a newbie and just got started with derby.  I was doing what this page
  http://db.apache.org/derby/releases/release-10.5.1.1.cgi#Verifying+releases
instructed.

The host is a redhat linux.
  uname -vro
returns:
  2.6.9-78.0.1.ELsmp #1 SMP Tue Jul 22 18:01:05 EDT 2008 GNU/Linux

Here are responses from the two commands:
  [tsakai@vixen Derby]$ gpg --import KEYS
  gpg: key AB1B7EE4: "Daniel John Debrunner <dj...@debrunners.com>" not changed
  gpg: key AB821FBC: "Samuel Andrew McIntyre (Apache Derby Project) <fu...@nonintuitive.com>" not changed
  gpg: key 21EA3ECD: "Mike Matrigali <mi...@sbcglobal.net>" not changed
  gpg: key 8E8367B1: "Satheesh Bandaram (Apache Derby Project) <sa...@Sourcery.Org>" not changed
  gpg: key 99586C26: "Jean T. Anderson <jt...@bristowhill.com>" not changed
  gpg: key B1669287: "Kathey Marsden <km...@apache.org>" not changed
  gpg: key 98E21827: "Rick Hillegas <rh...@apache.org>" not changed
  gpg: key 0C8EBFBE: "David Van Couvering (My Apache Key) <da...@apache.org>" not changed
  gpg: key 990ED4AA: "Knut Anders Hatlen <ka...@apache.org>" not changed
  gpg: key 88D83722: "Andreas Korneliussen <an...@broadpark.no>" not changed
  gpg: key 5355D01C: "Dag H. Wanvik (Derby committer) <da...@apache.org>" not changed
  gpg: key 37AA956A: "Myrna van Lunteren <m....@gmail.com>" not changed
  gpg: key FFCCF7B1: "Dyre Tjeldvoll <dy...@apache.org>" not changed
  gpg: Total number processed: 13
  gpg:              unchanged: 13
  [tsakai@vixen Derby]$ 
  [tsakai@vixen Derby]$ gpg --verify db-derby-10.5.1.1-src.tar.gz.asc
  gpg: Signature made Tue 14 Apr 2009 02:27:52 PM PDT using DSA key ID 37AA956A
  gpg: Good signature from "Myrna van Lunteren <m....@gmail.com>"
  gpg: WARNING: This key is not certified with a trusted signature!
  gpg:          There is no indication that the signature belongs to the owner.
  Primary key fingerprint: 66C3 0B69 5415 91E3 A777  F84D 0E13 F75A 37AA 956A
  [tsakai@vixen Derby]$ 

What I don't understand is at the bottom:
  gpg: WARNING: This key is not certified with a trusted signature!
  gpg:          There is no indication that the signature belongs to the owner.

Can someone please clue me in?  Is this good, bad, neutral?
Should I do something (and if so, what)?  Should I ignore and move on?

Thank you in advance.

Regards,

Tena Sakai
tsakai@gallo.ucsf.edu

RE: newbie confused about "verifying release"

Posted by Tena Sakai <ts...@gallo.ucsf.edu>.
Hi Kurt,

Many thanks for your reply.

I redid everything by downloading the .gz file,
.gz.asc, and .gz.md5.  I was a bit skeptical,
but to my surprise I was able to produce exactly
the same thing as you did.

  [tsakai@vixen Derby]$ gpg --refresh-keys
                      .
                      .
  gpg: Total number processed: 20
  gpg:              unchanged: 17
  gpg:           new user IDs: 5
  gpg:         new signatures: 263
  [tsakai@vixen Derby]$
  [tsakai@vixen Derby]$ gpg --update-trustdb
  gpg: checking at depth 0 signed=0 ot(-/q/n/m/f/u)=0/0/0/0/0/1
  [tsakai@vixen Derby]$
  [tsakai@vixen Derby]$ gpg --verify db-derby-10.5.1.1-src.tar.gz.asc
  gpg: Signature made Tue 14 Apr 2009 02:27:52 PM PDT using DSA key ID 37AA956A
  gpg: Good signature from "Myrna van Lunteren <m....@gmail.com>"
  gpg: WARNING: This key is not certified with a trusted signature!
  gpg:          There is no indication that the signature belongs to the owner.
  Primary key fingerprint: 66C3 0B69 5415 91E3 A777  F84D 0E13 F75A 37AA 956A
  [tsakai@vixen Derby]$
  [tsakai@vixen Derby]$ md5sum db-derby-10.5.1.1-src.tar.gz
  f5c2d8c6546757243e2c8cf79fd944fe  db-derby-10.5.1.1-src.tar.gz
  [tsakai@vixen Derby]$
  [tsakai@vixen Derby]$ cat db-derby-10.5.1.1-src.tar.gz.md5
  F5C2D8C6546757243E2C8CF79FD944FE
  [tsakai@vixen Derby]$

Thanks again.

Regards,

Tena Sakai
tsakai@gallo.ucsf.edu


-----Original Message-----
From: Kurt Huwig [mailto:k.huwig@iku-ag.de]
Sent: Wed 5/20/2009 1:17 AM
To: derby-user@db.apache.org
Cc: Tena Sakai
Subject: Re: newbie confused about "verifying release"
 
Tena,

I guess your download is broken. If I do the same, I get a GOOD signature:

kurt@pckurt:~/Install/Java$ LANG=en gpg --verify db-derby-10.5.1.1-src.tar.gz.asc
gpg: Signature made Tue Apr 14 23:27:52 2009 CEST using DSA key ID 37AA956A
gpg: Good signature from "Myrna van Lunteren <m....@gmail.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 66C3 0B69 5415 91E3 A777  F84D 0E13 F75A 37AA 956A

You should verify the download with MD5:

kurt@pckurt:~/Install/Java$ md5sum db-derby-10.5.1.1-src.tar.gz
f5c2d8c6546757243e2c8cf79fd944fe  db-derby-10.5.1.1-src.tar.gz
kurt@pckurt:~/Install/Java$ cat db-derby-10.5.1.1-src.tar.gz.md5
F5C2D8C6546757243E2C8CF79FD944FE

Regarding the warning: as the others pointed out, you do not know if you have 
downloaded the original key of Myrna or a faked copy. Everybody can create a 
key that reads "Myrna van Lunteren <m....@gmail.com>". Therefore there 
is something called the "web of trust" where people verify the correctness of 
a key and do a digital signature on it. For example if you'd trust my GPG key 
and I'd sign Myrna's key, then you could verify that you downloaded the 
correct key by verifying my signature on the key you downloaded, because this 
is something that no one can fake.

http://en.wikipedia.org/wiki/Web_of_Trust

On Wednesday 20 May 2009 04:22:40 Tena Sakai wrote:
> Hi Myrna,
> Hi Kathy,
>
> Thanks for your reply.  I read what you pointed out to me and
> I thought I understood what Knut Anders mentioned.  Accordingly
> I executed what was suggested, but I am left with the same
> message as I posted the second time:
>
>   [tsakai@vixen Derby]$ gpg --refresh-keys
>   gpg: refreshing 24 keys from hkp://subkeys.pgp.net
>   gpg: key FFCCF7B1: "Dyre Tjeldvoll <dy...@apache.org>" 3 new signatures
>   gpg: key 37AA956A: "Myrna van Lunteren <m....@gmail.com>" not changed
>   gpg: key 5355D01C: "Dag H. Wanvik (Derby committer) <da...@apache.org>" 13 new signatures
>   gpg: key 88D83722: "Andreas Korneliussen <an...@apache.org>" 1 new user ID
>   gpg: key 88D83722: "Andreas Korneliussen <an...@apache.org>" 12 new signatures
>   gpg: can't get key from keyserver: Connection timed out
>   gpg: key 0C8EBFBE: "David Van Couvering (My Apache Key) <da...@apache.org>" 19 new signatures
>   gpg: key 98E21827: "Rick Hillegas <rh...@apache.org>" 7 new signatures
>   gpg: key B1669287: "Kathey Marsden <km...@apache.org>" not changed
>   gpg: key 99586C26: "Jean T. Anderson (IBM) (adding IBM email) <ja...@us.ibm.com>" 2 new user IDs
>   gpg: key 99586C26: "Jean T. Anderson (IBM) (adding IBM email) <ja...@us.ibm.com>" 98 new signatures
>   gpg: key 8E8367B1: "Satheesh Bandaram (Apache Derby Project) <sa...@Sourcery.Org>" not changed
>   gpg: can't get key from keyserver: Connection timed out
>   gpg: key AB821FBC: "Andrew McIntyre <fu...@apache.org>" 3 new user IDs
>   gpg: key AB821FBC: "Andrew McIntyre <fu...@apache.org>" 119 new signatures
>   gpg: key AB1B7EE4: "Daniel John Debrunner <dj...@debrunners.com>" not changed
>   gpg: no valid OpenPGP data found.
>   gpg: key AA0077B0: "Kev Jackson (apache key) <ke...@apache.org>" not changed
>   gpg: key C152431A: "Steve Loughran <st...@apache.org>" 5 new signatures
>   gpg: can't get key from keyserver: Connection timed out
>   gpg: key 265B4C63: "Antoine Levy-Lambert (Apache Ant Committer) <an...@apache.org>" 4 new signatures
>   gpg: key EDF62C35: "Magesh Umasankar <um...@apache.org>" 1 new signature
>   gpg: key 307A10A5: "Henri Gomez <hg...@users.sourceforge.net>" 7 new signatures
>   gpg: key 397DCAD5: "Henri Gomez <hg...@users.sourceforge.net>" 2 new signatures
>   gpg: key 697ECEDD: "Henri Gomez <hg...@apache.org>" 1 new user ID
>   gpg: key 697ECEDD: "Henri Gomez <hg...@apache.org>" 6 new signatures
>   gpg: can't get key from keyserver: Connection timed out
>   gpg: key FEECAAED: "Stefan Bodewig <bo...@apache.org>" 19 new signatures
>   gpg: Total number processed: 19
>   gpg:              unchanged: 5
>   gpg:           new user IDs: 7
>   gpg:         new signatures: 315
>   [tsakai@vixen Derby]$
>   [tsakai@vixen Derby]$ echo $?
>   2
>   [tsakai@vixen Derby]$
>   [tsakai@vixen Derby]$ gpg --update-trustdb
>   gpg: checking at depth 0 signed=0 ot(-/q/n/m/f/u)=0/0/0/0/0/1
>   [tsakai@vixen Derby]$
>   [tsakai@vixen Derby]$ gpg --verify db-derby-10.5.1.1-src.tar.gz.asc
>   gpg: Signature made Tue 14 Apr 2009 02:27:52 PM PDT using DSA key ID 37AA956A
>   gpg: BAD signature from "Myrna van Lunteren <m....@gmail.com>"
>   [tsakai@vixen Derby]$
>
> It appears that --refresh-keys indeed did stuff, although it took
> a long time (which is evidenced by "Connection timed out" messages).
> That said, it didn't seem to have changed the bottom line.  I don't
> like the line:
>   BAD signature from "Myrna van Lunteren <m....@gmail.com>"
> It sounds a bit ominous and definite.
>
> Perhaps this is not something I should waste more time on?
>
> Regards,
>
> Tena Sakai
> tsakai@gallo.ucsf.edu
>
>
> -----Original Message-----
> From: Myrna van Lunteren [mailto:m.v.lunteren@gmail.com]
> Sent: Tue 5/19/2009 3:54 PM
> To: Derby Discussion
> Subject: Re: newbie confused about "verifying release"
>
> On Tue, May 19, 2009 at 2:43 PM, Tena Sakai <ts...@gallo.ucsf.edu> wrote:
> > Hi,
> >
> > I am a newbie and just got started with derby.  I was doing what this
> > page
> >
> > http://db.apache.org/derby/releases/release-10.5.1.1.cgi#Verifying+releases
> > instructed.
>
> [...snip...]
>
> > Here are responses from the two commands:
> >   [tsakai@vixen Derby]$ gpg --import KEYS
>
> [...snip...]
>
> >   gpg: key FFCCF7B1: "Dyre Tjeldvoll <dy...@apache.org>" not changed
> >   gpg: Total number processed: 13
> >   gpg:              unchanged: 13
> >   [tsakai@vixen Derby]$
> >   [tsakai@vixen Derby]$ gpg --verify db-derby-10.5.1.1-src.tar.gz.asc
> >   gpg: Signature made Tue 14 Apr 2009 02:27:52 PM PDT using DSA key ID
> > 37AA956A
> >   gpg: Good signature from "Myrna van Lunteren <m....@gmail.com>"
> >   gpg: WARNING: This key is not certified with a trusted signature!
> >   gpg:          There is no indication that the signature belongs to the
> > owner.
> >   Primary key fingerprint: 66C3 0B69 5415 91E3 A777  F84D 0E13 F75A 37AA
> > 956A
> >   [tsakai@vixen Derby]$
> >
> > What I don't understand is at the bottom:
> >   gpg: WARNING: This key is not certified with a trusted signature!
> >   gpg:          There is no indication that the signature belongs to the
> > owner.
> >
> > Can someone please clue me in?  Is this good, bad, neutral?
> > Should I do something (and if so, what)?  Should I ignore and move on?
> >
> > Thank you in advance.
> >
> > Regards,
> >
> > Tena Sakai
> > tsakai@gallo.ucsf.edu
>
> You're not the first to ever have been confused by this. There was a
> thread on our derby-developers list on this issue a long time ago, re
> 10.4.2.0, see:
> http://www.mail-archive.com/derby-dev@db.apache.org/msg62800.html
>
> Knut Anders' response in the final mail on that thread is helpful;
> " Note that gpg told you that the signature was good. What it
> warned you about, was that you didn't trust anyone who had signed Rick's
> key. You can update your trust db with "gpg --update-trustdb"."
>
> In this case, it appears it is *my* signature that is not known by
> 'you' or anyone 'you' (your pgp program, that is) know. But as I
> understand it, that's still ok.
>
> Myrna

-- 
Mit freundlichen Grüßen

Kurt Huwig (Vorstand)                     Telefon 0681 / 3 72 00 36 - 50
http://www.iku-ag.de/                     Telefax 0681 / 3 72 00 36 - 59

iKu Systemhaus AG, Altenkesseler Straße 17/Gebäude C1, 66115 Saarbrücken
Amtsgericht: Saarbrücken, HRB 13240
Vorstand: Kurt Huwig            Aufsichtsratsvorsitzender: Jan Bankstahl

GnuPG 1024D/99DD9468 64B1 0C5B 82BC E16E 8940  EB6D 4C32 F908 99DD 9468


Re: newbie confused about "verifying release"

Posted by Kurt Huwig <k....@iku-ag.de>.
Tena,

I guess your download is broken. If I do the same, I get a GOOD signature:

kurt@pckurt:~/Install/Java$ LANG=en gpg --verify db-derby-10.5.1.1-src.tar.gz.asc
gpg: Signature made Tue Apr 14 23:27:52 2009 CEST using DSA key ID 37AA956A
gpg: Good signature from "Myrna van Lunteren <m....@gmail.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 66C3 0B69 5415 91E3 A777  F84D 0E13 F75A 37AA 956A

You should verify the download with MD5:

kurt@pckurt:~/Install/Java$ md5sum db-derby-10.5.1.1-src.tar.gz
f5c2d8c6546757243e2c8cf79fd944fe  db-derby-10.5.1.1-src.tar.gz
kurt@pckurt:~/Install/Java$ cat db-derby-10.5.1.1-src.tar.gz.md5
F5C2D8C6546757243E2C8CF79FD944FE

Regarding the warning: as the others pointed out, you do not know if you have 
downloaded the original key of Myrna or a faked copy. Everybody can create a 
key that reads "Myrna van Lunteren <m....@gmail.com>". Therefore there 
is something called the "web of trust" where people verify the correctness of 
a key and do a digital signature on it. For example if you'd trust my GPG key 
and I'd sign Myrna's key, then you could verify that you downloaded the 
correct key by verifying my signature on the key you downloaded, because this 
is something that no one can fake.

http://en.wikipedia.org/wiki/Web_of_Trust

On Wednesday 20 May 2009 04:22:40 Tena Sakai wrote:
> Hi Myrna,
> Hi Kathy,
>
> Thanks for your reply.  I read what you pointed out to me and
> I thought I understood what Knut Anders mentioned.  Accordingly
> I executed what was suggested, but I am left with the same
> message as I posted the second time:
>
>   [tsakai@vixen Derby]$ gpg --refresh-keys
>   gpg: refreshing 24 keys from hkp://subkeys.pgp.net
>   gpg: key FFCCF7B1: "Dyre Tjeldvoll <dy...@apache.org>" 3 new signatures
>   gpg: key 37AA956A: "Myrna van Lunteren <m....@gmail.com>" not changed
>   gpg: key 5355D01C: "Dag H. Wanvik (Derby committer) <da...@apache.org>" 13 new signatures
>   gpg: key 88D83722: "Andreas Korneliussen <an...@apache.org>" 1 new user ID
>   gpg: key 88D83722: "Andreas Korneliussen <an...@apache.org>" 12 new signatures
>   gpg: can't get key from keyserver: Connection timed out
>   gpg: key 0C8EBFBE: "David Van Couvering (My Apache Key) <da...@apache.org>" 19 new signatures
>   gpg: key 98E21827: "Rick Hillegas <rh...@apache.org>" 7 new signatures
>   gpg: key B1669287: "Kathey Marsden <km...@apache.org>" not changed
>   gpg: key 99586C26: "Jean T. Anderson (IBM) (adding IBM email) <ja...@us.ibm.com>" 2 new user IDs
>   gpg: key 99586C26: "Jean T. Anderson (IBM) (adding IBM email) <ja...@us.ibm.com>" 98 new signatures
>   gpg: key 8E8367B1: "Satheesh Bandaram (Apache Derby Project) <sa...@Sourcery.Org>" not changed
>   gpg: can't get key from keyserver: Connection timed out
>   gpg: key AB821FBC: "Andrew McIntyre <fu...@apache.org>" 3 new user IDs
>   gpg: key AB821FBC: "Andrew McIntyre <fu...@apache.org>" 119 new signatures
>   gpg: key AB1B7EE4: "Daniel John Debrunner <dj...@debrunners.com>" not changed
>   gpg: no valid OpenPGP data found.
>   gpg: key AA0077B0: "Kev Jackson (apache key) <ke...@apache.org>" not changed
>   gpg: key C152431A: "Steve Loughran <st...@apache.org>" 5 new signatures
>   gpg: can't get key from keyserver: Connection timed out
>   gpg: key 265B4C63: "Antoine Levy-Lambert (Apache Ant Committer) <an...@apache.org>" 4 new signatures
>   gpg: key EDF62C35: "Magesh Umasankar <um...@apache.org>" 1 new signature
>   gpg: key 307A10A5: "Henri Gomez <hg...@users.sourceforge.net>" 7 new signatures
>   gpg: key 397DCAD5: "Henri Gomez <hg...@users.sourceforge.net>" 2 new signatures
>   gpg: key 697ECEDD: "Henri Gomez <hg...@apache.org>" 1 new user ID
>   gpg: key 697ECEDD: "Henri Gomez <hg...@apache.org>" 6 new signatures
>   gpg: can't get key from keyserver: Connection timed out
>   gpg: key FEECAAED: "Stefan Bodewig <bo...@apache.org>" 19 new signatures
>   gpg: Total number processed: 19
>   gpg:              unchanged: 5
>   gpg:           new user IDs: 7
>   gpg:         new signatures: 315
>   [tsakai@vixen Derby]$
>   [tsakai@vixen Derby]$ echo $?
>   2
>   [tsakai@vixen Derby]$
>   [tsakai@vixen Derby]$ gpg --update-trustdb
>   gpg: checking at depth 0 signed=0 ot(-/q/n/m/f/u)=0/0/0/0/0/1
>   [tsakai@vixen Derby]$
>   [tsakai@vixen Derby]$ gpg --verify db-derby-10.5.1.1-src.tar.gz.asc
>   gpg: Signature made Tue 14 Apr 2009 02:27:52 PM PDT using DSA key ID 37AA956A
>   gpg: BAD signature from "Myrna van Lunteren <m....@gmail.com>"
>   [tsakai@vixen Derby]$
>
> It appears that --refresh-keys indeed did stuff, although it took
> a long time (which is evidenced by "Connection timed out" messages).
> That said, it didn't seem to have changed the bottom line.  I don't
> like the line:
>   BAD signature from "Myrna van Lunteren <m....@gmail.com>"
> It sounds a bit ominous and definite.
>
> Perhaps this is not something I should waste more time on?
>
> Regards,
>
> Tena Sakai
> tsakai@gallo.ucsf.edu
>
>
> -----Original Message-----
> From: Myrna van Lunteren [mailto:m.v.lunteren@gmail.com]
> Sent: Tue 5/19/2009 3:54 PM
> To: Derby Discussion
> Subject: Re: newbie confused about "verifying release"
>
> On Tue, May 19, 2009 at 2:43 PM, Tena Sakai <ts...@gallo.ucsf.edu> wrote:
> > Hi,
> >
> > I am a newbie and just got started with derby.  I was doing what this
> > page
> >
> > http://db.apache.org/derby/releases/release-10.5.1.1.cgi#Verifying+releases
> > instructed.
>
> [...snip...]
>
> > Here are responses from the two commands:
> >   [tsakai@vixen Derby]$ gpg --import KEYS
>
> [...snip...]
>
> >   gpg: key FFCCF7B1: "Dyre Tjeldvoll <dy...@apache.org>" not changed
> >   gpg: Total number processed: 13
> >   gpg:              unchanged: 13
> >   [tsakai@vixen Derby]$
> >   [tsakai@vixen Derby]$ gpg --verify db-derby-10.5.1.1-src.tar.gz.asc
> >   gpg: Signature made Tue 14 Apr 2009 02:27:52 PM PDT using DSA key ID
> > 37AA956A
> >   gpg: Good signature from "Myrna van Lunteren <m....@gmail.com>"
> >   gpg: WARNING: This key is not certified with a trusted signature!
> >   gpg:          There is no indication that the signature belongs to the
> > owner.
> >   Primary key fingerprint: 66C3 0B69 5415 91E3 A777  F84D 0E13 F75A 37AA
> > 956A
> >   [tsakai@vixen Derby]$
> >
> > What I don't understand is at the bottom:
> >   gpg: WARNING: This key is not certified with a trusted signature!
> >   gpg:          There is no indication that the signature belongs to the
> > owner.
> >
> > Can someone please clue me in?  Is this good, bad, neutral?
> > Should I do something (and if so, what)?  Should I ignore and move on?
> >
> > Thank you in advance.
> >
> > Regards,
> >
> > Tena Sakai
> > tsakai@gallo.ucsf.edu
>
> You're not the first to ever have been confused by this. There was a
> thread on our derby-developers list on this issue a long time ago, re
> 10.4.2.0, see:
> http://www.mail-archive.com/derby-dev@db.apache.org/msg62800.html
>
> Knut Anders' response in the final mail on that thread is helpful;
> " Note that gpg told you that the signature was good. What it
> warned you about, was that you didn't trust anyone who had signed Rick's
> key. You can update your trust db with "gpg --update-trustdb"."
>
> In this case, it appears it is *my* signature that is not known by
> 'you' or anyone 'you' (your pgp program, that is) know. But as I
> understand it, that's still ok.
>
> Myrna

-- 
Mit freundlichen Grüßen

Kurt Huwig (Vorstand)                     Telefon 0681 / 3 72 00 36 - 50
http://www.iku-ag.de/                     Telefax 0681 / 3 72 00 36 - 59

iKu Systemhaus AG, Altenkesseler Straße 17/Gebäude C1, 66115 Saarbrücken
Amtsgericht: Saarbrücken, HRB 13240
Vorstand: Kurt Huwig            Aufsichtsratsvorsitzender: Jan Bankstahl

GnuPG 1024D/99DD9468 64B1 0C5B 82BC E16E 8940  EB6D 4C32 F908 99DD 9468
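Kurt's md5sum check, as an added example that is not part of the thread or of the Derby project's own tooling. The thread shows why a naive string comparison can mislead: md5sum prints lowercase hex followed by the file name, while the Derby .md5 file holds uppercase hex and nothing else, so the two have to be normalised before comparing. The archive bytes below are a constructed stand-in, not the real tarball; the parser accepts both sidecar layouts seen in the thread.

```python
"""Check a downloaded archive against its .md5 sidecar file.

Added example, not from the Derby project or from anyone in the thread.
Both sidecar layouts that appear in the thread are handled:
  "F5C2D8C6546757243E2C8CF79FD944FE"                       (Derby .md5 file)
  "f5c2d8c6546757243e2c8cf79fd944fe  db-derby-...tar.gz"   (md5sum output)
"""
import hashlib
import hmac
import re
from pathlib import Path

# A 32-hex-digit token, in either case, standing on its own.
HEX_MD5 = re.compile(r"\b([0-9A-Fa-f]{32})\b")


def parse_md5_sidecar(text: str) -> str:
    """Return the digest from a .md5 file as lowercase hex."""
    match = HEX_MD5.search(text)
    if not match:
        raise ValueError("no MD5 digest found in sidecar")
    return match.group(1).lower()


def md5_of_bytes(data: bytes) -> str:
    """Lowercase hex MD5 of the data, the same form md5sum prints."""
    return hashlib.md5(data).hexdigest()


def checksum_matches(data: bytes, sidecar_text: str) -> bool:
    """True if the data hashes to the sidecar digest, ignoring hex case."""
    expected = parse_md5_sidecar(sidecar_text)
    actual = md5_of_bytes(data)
    # Both sides are lowercase now; compare_digest keeps the comparison
    # length-constant, which costs nothing here and is a good habit.
    return hmac.compare_digest(actual, expected)


def check_file(archive: Path, sidecar: Path) -> bool:
    """Convenience wrapper for real files on disk."""
    return checksum_matches(archive.read_bytes(), sidecar.read_text())


# Constructed sample input: a stand-in for the tarball bytes, and a sidecar
# written the way the Derby .md5 file is (uppercase hex, no file name).
SAMPLE_DATA = b"constructed stand-in for db-derby-10.5.1.1-src.tar.gz\n"
SAMPLE_SIDECAR_UPPER = hashlib.md5(SAMPLE_DATA).hexdigest().upper() + "\n"

if __name__ == "__main__":
    naive = md5_of_bytes(SAMPLE_DATA) == SAMPLE_SIDECAR_UPPER.strip()
    print("naive string compare:", naive)                                   # False
    print("normalised compare:", checksum_matches(SAMPLE_DATA, SAMPLE_SIDECAR_UPPER))
    print("truncated download:", checksum_matches(SAMPLE_DATA[:-1], SAMPLE_SIDECAR_UPPER))
```

The .md5 file is served next to the archive, so a match only tells you the download arrived intact; it cannot tell you the archive is the one the release manager built. That is what the detached signature and the key fingerprint are for, which is why Kurt suggests the checksum for the "BAD signature" case specifically.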

RE: newbie confused about "verifying release"

Posted by Tena Sakai <ts...@gallo.ucsf.edu>.
Hi Myrna,
Hi Kathy,

Thanks for your reply.  I read what you pointed out to me and
I thought I understood what Knut Anders mentioned.  Accordingly
I executed what was suggested, but I am left with the same
message as I posted the second time:

  [tsakai@vixen Derby]$ gpg --refresh-keys
  gpg: refreshing 24 keys from hkp://subkeys.pgp.net
  gpg: key FFCCF7B1: "Dyre Tjeldvoll <dy...@apache.org>" 3 new signatures
  gpg: key 37AA956A: "Myrna van Lunteren <m....@gmail.com>" not changed
  gpg: key 5355D01C: "Dag H. Wanvik (Derby committer) <da...@apache.org>" 13 new signatures
  gpg: key 88D83722: "Andreas Korneliussen <an...@apache.org>" 1 new user ID
  gpg: key 88D83722: "Andreas Korneliussen <an...@apache.org>" 12 new signatures
  gpg: can't get key from keyserver: Connection timed out
  gpg: key 0C8EBFBE: "David Van Couvering (My Apache Key) <da...@apache.org>" 19 new signatures
  gpg: key 98E21827: "Rick Hillegas <rh...@apache.org>" 7 new signatures
  gpg: key B1669287: "Kathey Marsden <km...@apache.org>" not changed
  gpg: key 99586C26: "Jean T. Anderson (IBM) (adding IBM email) <ja...@us.ibm.com>" 2 new user IDs
  gpg: key 99586C26: "Jean T. Anderson (IBM) (adding IBM email) <ja...@us.ibm.com>" 98 new signatures
  gpg: key 8E8367B1: "Satheesh Bandaram (Apache Derby Project) <sa...@Sourcery.Org>" not changed
  gpg: can't get key from keyserver: Connection timed out
  gpg: key AB821FBC: "Andrew McIntyre <fu...@apache.org>" 3 new user IDs
  gpg: key AB821FBC: "Andrew McIntyre <fu...@apache.org>" 119 new signatures
  gpg: key AB1B7EE4: "Daniel John Debrunner <dj...@debrunners.com>" not changed
  gpg: no valid OpenPGP data found.
  gpg: key AA0077B0: "Kev Jackson (apache key) <ke...@apache.org>" not changed
  gpg: key C152431A: "Steve Loughran <st...@apache.org>" 5 new signatures
  gpg: can't get key from keyserver: Connection timed out
  gpg: key 265B4C63: "Antoine Levy-Lambert (Apache Ant Committer) <an...@apache.org>" 4 new signatures
  gpg: key EDF62C35: "Magesh Umasankar <um...@apache.org>" 1 new signature
  gpg: key 307A10A5: "Henri Gomez <hg...@users.sourceforge.net>" 7 new signatures
  gpg: key 397DCAD5: "Henri Gomez <hg...@users.sourceforge.net>" 2 new signatures
  gpg: key 697ECEDD: "Henri Gomez <hg...@apache.org>" 1 new user ID
  gpg: key 697ECEDD: "Henri Gomez <hg...@apache.org>" 6 new signatures
  gpg: can't get key from keyserver: Connection timed out
  gpg: key FEECAAED: "Stefan Bodewig <bo...@apache.org>" 19 new signatures
  gpg: Total number processed: 19
  gpg:              unchanged: 5
  gpg:           new user IDs: 7
  gpg:         new signatures: 315
  [tsakai@vixen Derby]$ 
  [tsakai@vixen Derby]$ echo $?
  2
  [tsakai@vixen Derby]$ 
  [tsakai@vixen Derby]$ gpg --update-trustdb
  gpg: checking at depth 0 signed=0 ot(-/q/n/m/f/u)=0/0/0/0/0/1
  [tsakai@vixen Derby]$ 
  [tsakai@vixen Derby]$ gpg --verify db-derby-10.5.1.1-src.tar.gz.asc
  gpg: Signature made Tue 14 Apr 2009 02:27:52 PM PDT using DSA key ID 37AA956A
  gpg: BAD signature from "Myrna van Lunteren <m....@gmail.com>"
  [tsakai@vixen Derby]$ 

It appears that --refresh-keys indeed did stuff, although it took
a long time (which is evidenced by "Connection timed out" messages).
That said, it didn't seem to have changed the bottom line.  I don't
like the line:
  BAD signature from "Myrna van Lunteren <m....@gmail.com>"
It sounds a bit ominous and definite. 

Perhaps this is not something I should waste more time on?

Regards,

Tena Sakai
tsakai@gallo.ucsf.edu


-----Original Message-----
From: Myrna van Lunteren [mailto:m.v.lunteren@gmail.com]
Sent: Tue 5/19/2009 3:54 PM
To: Derby Discussion
Subject: Re: newbie confused about "verifying release"
 
On Tue, May 19, 2009 at 2:43 PM, Tena Sakai <ts...@gallo.ucsf.edu> wrote:
> Hi,
>
> I am a newbie and just got started with derby.  I was doing what this page
>
> http://db.apache.org/derby/releases/release-10.5.1.1.cgi#Verifying+releases
> instructed.
>
[...snip...]
> Here are responses from the two commands:
>   [tsakai@vixen Derby]$ gpg --import KEYS
[...snip...]
>   gpg: key FFCCF7B1: "Dyre Tjeldvoll <dy...@apache.org>" not changed
>   gpg: Total number processed: 13
>   gpg:              unchanged: 13
>   [tsakai@vixen Derby]$
>   [tsakai@vixen Derby]$ gpg --verify db-derby-10.5.1.1-src.tar.gz.asc
>   gpg: Signature made Tue 14 Apr 2009 02:27:52 PM PDT using DSA key ID
> 37AA956A
>   gpg: Good signature from "Myrna van Lunteren <m....@gmail.com>"
>   gpg: WARNING: This key is not certified with a trusted signature!
>   gpg:          There is no indication that the signature belongs to the
> owner.
>   Primary key fingerprint: 66C3 0B69 5415 91E3 A777  F84D 0E13 F75A 37AA
> 956A
>   [tsakai@vixen Derby]$
>
> What I don't understand is at the bottom:
>   gpg: WARNING: This key is not certified with a trusted signature!
>   gpg:          There is no indication that the signature belongs to the
> owner.
>
> Can someone please clue me in?  Is this good, bad, neutral?
> Should I do something (and if so, what)?  Should I ignore and move on?
>
> Thank you in advance.
>
> Regards,
>
> Tena Sakai
> tsakai@gallo.ucsf.edu

You're not the first to ever have been confused by this. There was a
thread on our derby-developers list on this issue a long time ago, re
10.4.2.0, see:
http://www.mail-archive.com/derby-dev@db.apache.org/msg62800.html

Knut Anders' response in the final mail on that thread is helpful;
" Note that gpg told you that the signature was good. What it
warned you about, was that you didn't trust anyone who had signed Rick's
key. You can update your trust db with "gpg --update-trustdb"."

In this case, it appears it is *my* signature that is not known by
'you' or anyone 'you' (your pgp program, that is) know. But as I
understand it, that's still ok.

Myrna


Re: newbie confused about "verifying release"

Posted by Myrna van Lunteren <m....@gmail.com>.
On Tue, May 19, 2009 at 2:43 PM, Tena Sakai <ts...@gallo.ucsf.edu> wrote:
> Hi,
>
> I am a newbie and just got started with derby.  I was doing what this page
>
> http://db.apache.org/derby/releases/release-10.5.1.1.cgi#Verifying+releases
> instructed.
>
[...snip...]
> Here are responses from the two commands:
>   [tsakai@vixen Derby]$ gpg --import KEYS
[...snip...]
>   gpg: key FFCCF7B1: "Dyre Tjeldvoll <dy...@apache.org>" not changed
>   gpg: Total number processed: 13
>   gpg:              unchanged: 13
>   [tsakai@vixen Derby]$
>   [tsakai@vixen Derby]$ gpg --verify db-derby-10.5.1.1-src.tar.gz.asc
>   gpg: Signature made Tue 14 Apr 2009 02:27:52 PM PDT using DSA key ID
> 37AA956A
>   gpg: Good signature from "Myrna van Lunteren <m....@gmail.com>"
>   gpg: WARNING: This key is not certified with a trusted signature!
>   gpg:          There is no indication that the signature belongs to the
> owner.
>   Primary key fingerprint: 66C3 0B69 5415 91E3 A777  F84D 0E13 F75A 37AA
> 956A
>   [tsakai@vixen Derby]$
>
> What I don't understand is at the bottom:
>   gpg: WARNING: This key is not certified with a trusted signature!
>   gpg:          There is no indication that the signature belongs to the
> owner.
>
> Can someone please clue me in?  Is this good, bad, neutral?
> Should I do something (and if so, what)?  Should I ignore and move on?
>
> Thank you in advance.
>
> Regards,
>
> Tena Sakai
> tsakai@gallo.ucsf.edu

You're not the first to ever have been confused by this. There was a
thread on our derby-developers list on this issue a long time ago, re
10.4.2.0, see:
http://www.mail-archive.com/derby-dev@db.apache.org/msg62800.html

Knut Anders' response in the final mail on that thread is helpful;
" Note that gpg told you that the signature was good. What it
warned you about, was that you didn't trust anyone who had signed Rick's
key. You can update your trust db with "gpg --update-trustdb"."

In this case, it appears it is *my* signature that is not known by
'you' or anyone 'you' (your pgp program, that is) know. But as I
understand it, that's still ok.

Myrna
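Myrna's point (a "Good signature" plus the trust WARNING means the file is intact but the key has no trust path yet) and Kurt's (the "BAD signature" means the download itself is broken) are two different verdicts that gpg reports through separate status tokens. The following is an added example, not from the Derby project or any poster, that turns gpg's machine-readable status lines into that triage. It assumes gpg is run as `gpg --status-fd 1 --verify <file>.asc <file>`, which makes gpg print `[GNUPG:] ...` lines alongside the human text (GnuPG's doc/DETAILS documents the tokens used here). The three sample outputs are constructed to mirror the thread: the key ID and fingerprint are the ones gpg printed in the thread, the remaining fields are sample values.

```python
"""Triage gpg --verify results from gpg's "[GNUPG:] ..." status lines.

Added example, not from the Derby project or from anyone in the thread.
"""
from dataclasses import dataclass
import subprocess

STATUS_PREFIX = "[GNUPG:] "


@dataclass
class Verdict:
    status: str       # "good", "bad", "no-key" or "error"
    key_trust: str    # "undefined", "never", "marginal", "full", "ultimate" or "n/a"
    fingerprint: str  # primary key fingerprint from VALIDSIG, "" if none
    signer: str       # user ID gpg printed with GOODSIG/BADSIG, "" if none

    @property
    def download_intact(self) -> bool:
        """The bytes match the signature. Says nothing about who owns the key."""
        return self.status == "good"

    @property
    def signer_trusted(self) -> bool:
        """The key has a trust path in the local web of trust."""
        return self.status == "good" and self.key_trust in ("full", "ultimate")


def interpret_status(status_output: str) -> Verdict:
    """Fold the status lines into a Verdict; human-readable lines are skipped."""
    status, trust, fpr, signer = "error", "n/a", "", ""
    for line in status_output.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue
        fields = line[len(STATUS_PREFIX):].split(None, 2)
        tag = fields[0]
        if tag == "GOODSIG":            # "gpg: Good signature from ..."
            status, signer = "good", fields[2] if len(fields) > 2 else ""
        elif tag == "BADSIG":           # "gpg: BAD signature from ..."
            status, signer = "bad", fields[2] if len(fields) > 2 else ""
        elif tag == "NO_PUBKEY":        # the KEYS file was never imported
            status = "no-key"
        elif tag == "VALIDSIG":         # first field after the tag is the fingerprint
            fpr = fields[1]
        elif tag.startswith("TRUST_"):  # TRUST_UNDEFINED is the thread's WARNING case
            trust = tag[len("TRUST_"):].lower()
    return Verdict(status, trust, fpr, signer)


def fingerprint_matches(verdict: Verdict, expected: str) -> bool:
    """Compare gpg's fingerprint with one obtained out of band (release page, KEYS)."""
    def norm(s: str) -> str:
        return "".join(s.split()).upper()
    return bool(verdict.fingerprint) and norm(verdict.fingerprint) == norm(expected)


def explain(verdict: Verdict) -> str:
    """One-line guidance matching the advice given in the thread."""
    if verdict.status == "bad":
        return "BAD signature: file does not match; re-download the archive and its .asc"
    if verdict.status == "no-key":
        return "signer's key unknown: import the KEYS file, then verify again"
    if verdict.status == "good" and not verdict.signer_trusted:
        return "good signature, key not certified: file intact; confirm fingerprint out of band"
    if verdict.status == "good":
        return "good signature from a trusted key"
    return "gpg produced no signature verdict; check the command and input files"


def verify_with_gpg(sig_path: str, data_path: str) -> Verdict:
    """Run gpg for real (needs gpg installed; the samples below do not call it)."""
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", sig_path, data_path],
                          capture_output=True, text=True)
    return interpret_status(proc.stdout)


# Constructed status output for the thread's three outcomes. The key ID and
# fingerprint are the ones gpg printed in the thread; other fields are samples.
GOOD_UNTRUSTED = """\
gpg: Signature made Tue 14 Apr 2009 02:27:52 PM PDT using DSA key ID 37AA956A
[GNUPG:] GOODSIG 0E13F75A37AA956A Myrna van Lunteren <m.v.lunteren@gmail.com>
[GNUPG:] VALIDSIG 66C30B69541591E3A777F84D0E13F75A37AA956A 2009-04-14 1239744472 0 4 0 17 2 00 66C30B69541591E3A777F84D0E13F75A37AA956A
[GNUPG:] TRUST_UNDEFINED
"""
BAD_DOWNLOAD = """\
[GNUPG:] BADSIG 0E13F75A37AA956A Myrna van Lunteren <m.v.lunteren@gmail.com>
"""
KEYS_NOT_IMPORTED = """\
[GNUPG:] ERRSIG 0E13F75A37AA956A 17 2 00 1239744472 9
[GNUPG:] NO_PUBKEY 0E13F75A37AA956A
"""

if __name__ == "__main__":
    for sample in (GOOD_UNTRUSTED, BAD_DOWNLOAD, KEYS_NOT_IMPORTED):
        print(explain(interpret_status(sample)))
```

The split into `download_intact` and `signer_trusted` is the whole lesson of the thread: the WARNING only lowers the second flag, and `gpg --update-trustdb` can change it, whereas "BAD signature" clears the first and no amount of key refreshing will fix it. The `fingerprint_matches` check is the out-of-band step the release page asks for: compare the fingerprint gpg prints with one you got from somewhere other than the download mirror.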

RE: newbie confused about "verifying release"

Posted by Tena Sakai <ts...@gallo.ucsf.edu>.
Hi,

Confusion part 2:

I untar'ed the tree and found a file called KEYS in the
src directory.  I used this set of keys to do the same
thing as before.  Here's the response:

  [tsakai@vixen Derby]$ gpg --import KEYS
  gpg: key AB1B7EE4: "Daniel John Debrunner <dj...@debrunners.com>" not changed
  gpg: key AB821FBC: "Samuel Andrew McIntyre (Apache Derby Project) <fu...@nonintuitive.com>" not changed
  gpg: key 21EA3ECD: "Mike Matrigali <mi...@sbcglobal.net>" not changed
  gpg: key 8E8367B1: "Satheesh Bandaram (Apache Derby Project) <sa...@Sourcery.Org>" not changed
  gpg: key 99586C26: "Jean T. Anderson <jt...@bristowhill.com>" not changed
  gpg: key B1669287: "Kathey Marsden <km...@apache.org>" not changed
  gpg: key 98E21827: "Rick Hillegas <rh...@apache.org>" not changed
  gpg: key 0C8EBFBE: "David Van Couvering (My Apache Key) <da...@apache.org>" not changed
  gpg: key 990ED4AA: "Knut Anders Hatlen <ka...@apache.org>" not changed
  gpg: key 88D83722: "Andreas Korneliussen <an...@broadpark.no>" not changed
  gpg: key 5355D01C: "Dag H. Wanvik (Derby committer) <da...@apache.org>" not changed
  gpg: key 37AA956A: "Myrna van Lunteren <m....@gmail.com>" not changed
  gpg: key FFCCF7B1: "Dyre Tjeldvoll <dy...@apache.org>" not changed
  gpg: Total number processed: 13
  gpg:              unchanged: 13
  [tsakai@vixen Derby]$ 
  [tsakai@vixen Derby]$ gpg --verify db-derby-10.5.1.1-src.tar.gz.asc
  gpg: Signature made Tue 14 Apr 2009 02:27:52 PM PDT using DSA key ID 37AA956A
  gpg: BAD signature from "Myrna van Lunteren <m....@gmail.com>"
  [tsakai@vixen Derby]$ 
  [tsakai@vixen Derby]$ echo $?
  1
  [tsakai@vixen Derby]$
 
The first command returned exactly the same response as previous
invocation.  (I diff'ed them.)  But if the "import" didn't change
anything, then why should the 2nd command return something different
from the previous run?  In any event, if someone can help me understand
what I am understanding, I would appreciate it.

Regards,

Tena Sakai
tsakai@gallo.ucsf.edu


-----Original Message-----
From: Tena Sakai [mailto:tsakai@gallo.ucsf.edu]
Sent: Tue 5/19/2009 2:43 PM
To: derby-user@db.apache.org
Subject: newbie confused about "verifying release"
 
Hi,

I am a newbie and just got started with derby.  I was doing what this page
  http://db.apache.org/derby/releases/release-10.5.1.1.cgi#Verifying+releases
instructed.

The host is a redhat linux.
  uname -vro
returns:
  2.6.9-78.0.1.ELsmp #1 SMP Tue Jul 22 18:01:05 EDT 2008 GNU/Linux

Here are responses from the two commands:
  [tsakai@vixen Derby]$ gpg --import KEYS
  gpg: key AB1B7EE4: "Daniel John Debrunner <dj...@debrunners.com>" not changed
  gpg: key AB821FBC: "Samuel Andrew McIntyre (Apache Derby Project) <fu...@nonintuitive.com>" not changed
  gpg: key 21EA3ECD: "Mike Matrigali <mi...@sbcglobal.net>" not changed
  gpg: key 8E8367B1: "Satheesh Bandaram (Apache Derby Project) <sa...@Sourcery.Org>" not changed
  gpg: key 99586C26: "Jean T. Anderson <jt...@bristowhill.com>" not changed
  gpg: key B1669287: "Kathey Marsden <km...@apache.org>" not changed
  gpg: key 98E21827: "Rick Hillegas <rh...@apache.org>" not changed
  gpg: key 0C8EBFBE: "David Van Couvering (My Apache Key) <da...@apache.org>" not changed
  gpg: key 990ED4AA: "Knut Anders Hatlen <ka...@apache.org>" not changed
  gpg: key 88D83722: "Andreas Korneliussen <an...@broadpark.no>" not changed
  gpg: key 5355D01C: "Dag H. Wanvik (Derby committer) <da...@apache.org>" not changed
  gpg: key 37AA956A: "Myrna van Lunteren <m....@gmail.com>" not changed
  gpg: key FFCCF7B1: "Dyre Tjeldvoll <dy...@apache.org>" not changed
  gpg: Total number processed: 13
  gpg:              unchanged: 13
  [tsakai@vixen Derby]$ 
  [tsakai@vixen Derby]$ gpg --verify db-derby-10.5.1.1-src.tar.gz.asc
  gpg: Signature made Tue 14 Apr 2009 02:27:52 PM PDT using DSA key ID 37AA956A
  gpg: Good signature from "Myrna van Lunteren <m....@gmail.com>"
  gpg: WARNING: This key is not certified with a trusted signature!
  gpg:          There is no indication that the signature belongs to the owner.
  Primary key fingerprint: 66C3 0B69 5415 91E3 A777  F84D 0E13 F75A 37AA 956A
  [tsakai@vixen Derby]$ 

What I don't understand is at the bottom:
  gpg: WARNING: This key is not certified with a trusted signature!
  gpg:          There is no indication that the signature belongs to the owner.

Can someone please clue me in?  Is this good, bad, neutral?
Should I do something (and if so, what)?  Should I ignore and move on?

Thank you in advance.

Regards,

Tena Sakai
tsakai@gallo.ucsf.edu


Re: newbie confused about "verifying release"

Posted by Kathey Marsden <km...@sbcglobal.net>.
Tena Sakai wrote:
>
>   gpg: Good signature from "Myrna van Lunteren <m....@gmail.com>"
>   gpg: WARNING: This key is not certified with a trusted signature!
>
Hi Tena, 
I hit this once with an older release and there was a discussion on the 
list.
http://www.mail-archive.com/derby-dev@db.apache.org/msg62800.html
I am sorry to admit I never followed up to get my situation straightened 
out and follow the advice on the thread, but hopefully it will be 
helpful to you. 


Kathey