Posted to user@ant.apache.org by Adam Hardy <ad...@cyberspaceroad.com> on 2004/02/11 17:56:53 UTC

pgp signature

This is basically a newbie question about verifying the downloads from 
Apache. I just checked the archives for 'ultimately trusted' and 'verify 
signature' but didn't find anything.

I just did this for the first time (I'm the proud new owner of a 
webserver so I've stepped my security awareness up a bit).

I got the following output:

[adam@gondor junk]$ gpg --verify apache-ant-1.6.0-bin.tar.bz2.asc
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: Signature made Thu 18 Dec 2003 09:26:52 PM CET using DSA key ID 265B4C63
gpg: Good signature from "Antoine Levy-Lambert (Apache Ant Committer) <an...@apache.org>"
gpg:                 aka "Antoine Levy-Lambert (Apache Ant Committer) <an...@antbuild.com>"
gpg: checking the trustdb
gpg: no ultimately trusted keys found
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 06A2 28AA B83A 18A8 DF7B  84B0 8614 D6AB 265B 4C63


Does this mean that it failed? I got it from the German mirror.  Or is 
the trustdb something I should update on my system? Obviously I 
recognise Antoine's name :)

I am also not sure about this mechanism - does gpg know to check the 
downloaded file because it has the same name as the *.asc file?

Adam
-- 
ant 1.6.0 + java 1.4.2 on Linux 2.4.20 Debian


---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@ant.apache.org
For additional commands, e-mail: user-help@ant.apache.org


Re: pgp signature

Posted by Stefan Bodewig <bo...@apache.org>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 11 Feb 2004, Adam Hardy <ad...@cyberspaceroad.com> wrote:

> Does this mean that it failed?

No, it means that your PGP installation has no reason to believe that
the PGP key used to sign the distribution really belongs to Antoine.

> I got it from the German mirror.

You should always pick up the signatures from www.apache.org and the
key from either www.apache.org or one of the PGP keyservers.  There is
always the risk that a mirror has been compromised - this risk may be
smaller for www.apache.org.

PGP has told you that the signature has been fine and that the key
that has been used is the one that you've downloaded.

In order to make the warning go away, you have to tell PGP that you
trust the key.

This is the difficult part.  Do you know it has been Antoine's key?

You could try to check with him directly, using any mechanism that is
good enough for you to trust his key.  Send him an encrypted message
(encrypted with his key) and let him respond to it.  If he does you
can be reasonably sure that whoever sits behind the email address has
access to the key.  Is this enough for you to trust the key?  You
decide.

I know it has been as I've validated it out-of-band with Antoine -
this is why I signed his key and your PGP installation will tell you
that I did.  So if you trust my key and my signature, you'd also trust
Antoine's key.

Taking this a step further, you may not trust me but you may trust Dirk
Willem van Gulik, president of the ASF.  We met about a year ago and he
signed my key.  Or you can take Lars Eilebrecht's signature on my key; he
even required me to show him my passport before he signed my key.

Or you may trust Ben Laurie or Ken Coar who have signed Dirk's and
Lars' keys who have signed mine and I've signed Antoine's.

8-)

This is the critical piece in PGP: you need to find a path of trust,
which is difficult to establish in the absence of real live meetings.

So all PGP is telling you is

(1) the signature is fine

(2) you can't be sure that the real Antoine is the person behind the
key because you don't know for sure.

If (1) is enough for you, all things are OK.  If you pick the
signature from www.apache.org you can be sure that the version of Ant
you've picked up is the same that you'd get from www.apache.org.

If you also want (2) in order to trust the release, some more work has
to be done by you.  Find a trust relationship between your PGP
installation and Antoine's key.

Stefan
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
Comment: Processed by Mailcrypt 3.5.8 <http://mailcrypt.sourceforge.net/>

iD8DBQFAKzRTohFa4V9ri3IRAgegAKDF84oH74oU/oZTNT97N57u2RzktgCgmtDv
PRbQXZ09+biZdlcwtCDcmJ0=
=y8bg
-----END PGP SIGNATURE-----

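Editor's note: the following is an added example, not code from the Ant project or from either poster. It scripts the check the thread walks through and keeps Stefan's two verdicts apart: (1) the signature is good for this file and this key, and (2) whether the key is one you trust. It also covers Adam's question about the file name: with only the .asc argument, gpg strips the extension to find the data file; passing the data file as a second argument removes the guesswork. The fingerprint constant is the one printed in Adam's output; in a real script you would take it from the KEYS file fetched from www.apache.org, as Stefan advises, and fetch the .asc from there too, taking only the tarball from the mirror. The status lines embedded below are constructed to match Adam's transcript (the all-zero key in the "wrong key" case is made up), so the parser and policy run without gpg; only run_gpg_verify() assumes a `gpg` binary on PATH.

```python
"""Check a detached OpenPGP signature and separate gpg's two verdicts.

Added example; not code from the Ant project or the thread's posters.
run_gpg_verify() assumes GnuPG on PATH as `gpg`; everything else runs on
constructed status lines and needs no gpg at all.
"""
import re
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Fingerprint as printed in Adam's gpg output. A real script takes this from
# the project's KEYS file on www.apache.org, never from the mirror that served
# the tarball (a compromised mirror can serve its own key and .asc).
ANT_RELEASE_KEY_FPR = "06A2 28AA B83A 18A8 DF7B  84B0 8614 D6AB 265B 4C63"


def normalize_fpr(fpr: str) -> str:
    """Drop the spaces gpg prints and upper-case, so fingerprints compare."""
    return re.sub(r"\s+", "", fpr).upper()


@dataclass
class Verdict:
    good_signature: bool = False        # GOODSIG: data matches signature + key
    bad_signature: bool = False         # BADSIG: data or signature altered
    fingerprint: Optional[str] = None   # from VALIDSIG: the key that signed
    trust: Optional[str] = None         # TRUST_UNDEFINED ... TRUST_ULTIMATE
    signer_uid: Optional[str] = None
    no_pubkey: bool = False
    problems: List[str] = field(default_factory=list)  # EXPSIG/EXPKEYSIG/REVKEYSIG

    def key_is_trusted(self) -> bool:
        return self.trust in ("TRUST_FULLY", "TRUST_ULTIMATE")


def parse_status(status_text: str) -> Verdict:
    """Parse `gpg --status-fd 1` lines. The human-readable text on stderr
    (the WARNING Adam saw) is for people, not for scripts."""
    v = Verdict()
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split(" ")
        keyword, args = fields[1], fields[2:]
        if keyword == "GOODSIG":
            v.good_signature = True
            v.signer_uid = " ".join(args[1:])
        elif keyword == "BADSIG":
            v.bad_signature = True
        elif keyword in ("EXPSIG", "EXPKEYSIG", "REVKEYSIG"):
            v.problems.append(keyword)
        elif keyword == "VALIDSIG":
            v.fingerprint = args[0].upper()
        elif keyword == "NO_PUBKEY":
            v.no_pubkey = True
        elif keyword.startswith("TRUST_"):
            v.trust = keyword
    return v


def decide(v: Verdict, expected_fpr: Optional[str] = None) -> Tuple[bool, str]:
    """Policy. good_signature is Stefan's point (1); trust is point (2).
    Pinning the fingerprint from KEYS settles (2) without a web-of-trust path."""
    if v.no_pubkey:
        return False, "NO_PUBLIC_KEY"
    if v.bad_signature or not v.good_signature:
        return False, "BAD_SIGNATURE"
    if v.problems:
        return False, "EXPIRED_OR_REVOKED"
    if expected_fpr is not None:
        if v.fingerprint != normalize_fpr(expected_fpr):
            # A valid signature by some other key: what a hostile mirror
            # offering its own .asc would produce.
            return False, "GOOD_SIGNATURE_WRONG_KEY"
        return True, "GOOD_SIGNATURE_PINNED_KEY"
    if v.key_is_trusted():
        return True, "GOOD_SIGNATURE_TRUSTED_KEY"
    return True, "GOOD_SIGNATURE_KEY_NOT_TRUSTED"  # Adam's situation


def run_gpg_verify(sig_path: str, data_path: str,
                   expected_fpr: Optional[str] = None) -> Tuple[bool, str]:
    """Name the data file explicitly rather than relying on gpg stripping
    the .asc extension; --status-fd 1 puts machine-readable lines on stdout."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True)
    return decide(parse_status(proc.stdout), expected_fpr)


# Constructed status output matching Adam's transcript: DSA key 265B4C63,
# signature made 2003-12-18 20:26:52 UTC, key not validated in the trustdb.
ADAM_STATUS = """\
[GNUPG:] GOODSIG 8614D6AB265B4C63 Antoine Levy-Lambert (Apache Ant Committer) <an...@apache.org>
[GNUPG:] VALIDSIG 06A228AAB83A18A8DF7B84B08614D6AB265B4C63 2003-12-18 1071779212 0 4 0 17 2 00 06A228AAB83A18A8DF7B84B08614D6AB265B4C63
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
# Constructed: tarball altered after signing.
BAD_STATUS = "[GNUPG:] BADSIG 8614D6AB265B4C63 Antoine Levy-Lambert (Apache Ant Committer) <an...@apache.org>\n"
# Constructed: good signature from an unrelated, made-up all-zero key.
WRONG_KEY_STATUS = """\
[GNUPG:] GOODSIG 0000000000000000 Not Antoine <nobody@example.invalid>
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2003-12-18 1071779212 0 4 0 17 2 00 0000000000000000000000000000000000000000
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

if __name__ == "__main__":
    for name, status in (("adam", ADAM_STATUS), ("tampered", BAD_STATUS),
                         ("wrong-key", WRONG_KEY_STATUS)):
        print(name, decide(parse_status(status), ANT_RELEASE_KEY_FPR))
    print("adam, no pinned key:", decide(parse_status(ADAM_STATUS)))
```

Against a real download the call is run_gpg_verify("apache-ant-1.6.0-bin.tar.bz2.asc", "apache-ant-1.6.0-bin.tar.bz2", ANT_RELEASE_KEY_FPR), after importing the KEYS file into the keyring. Without the pinned fingerprint, Adam's case comes back accepted but flagged GOOD_SIGNATURE_KEY_NOT_TRUSTED, which is exactly what his WARNING line meant: the signature verifies, gpg just has no reason to believe the key is Antoine's.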