Posted to dev@openoffice.apache.org by Andrea Pescetti <pe...@apache.org> on 2016/10/08 13:08:35 UTC
Signature verification for 4.1.3-RC1
This is not a blocker for the release (and moreover signature files are
explicitly allowed to be updated during the release vote if needed), but
I couldn't verify signatures in a straightforward way for source packages.
One of the signatures is mine; no problem with that, and that itself is
enough to prove integrity for release approval purposes.
Patricia's one, according to my GPG, is done with a key having a short
ID of 02703386; I couldn't find the public key in the usual places, so I
couldn't verify this one.
Again, this is not a blocker issue since one key is enough, but public
keys used for signing releases are expected to be found at:
http://www.apache.org/dist/openoffice/KEYS
or (secondary resource) at
https://people.apache.org/keys/committer/
The former contains my key and another key by Patricia (short ID
A57935C5); the latter contains the same key by Patricia. It doesn't
contain mine since I never bothered uploading it again to enforce the
long IDs, and I now see that someone decided to remove the keys that only
had a short ID; I'll fix it later today.
Where can I find the matching public key by Patricia? It should be added
in SVN to
https://dist.apache.org/repos/dist/release/openoffice/KEYS
which (I believe) maps to the first URL I listed. There is surely a way
to do it without a full checkout, but I didn't check details.
Regards,
Andrea.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@openoffice.apache.org
For additional commands, e-mail: dev-help@openoffice.apache.org
Re: Signature verification for 4.1.3-RC1
Posted by Andrea Pescetti <pe...@apache.org>.
On 08/10/2016 Andrea Pescetti wrote:
> (secondary resource) at https://people.apache.org/keys/committer/
> ... doesn't contain mine since I never bothered uploading it again
My key is now listed on the secondary resource too, just for extra
visibility. If others want to do the same, they must simply login at
id.apache.org and specify the full fingerprint there. The web page is
updated once a day.
Regards,
Andrea.
Re: Signature verification for 4.1.3-RC1
Posted by Jim Jagielski <ji...@jaguNET.com>.
We should ensure that AOO people join the keysignings @ ApacheCon
> On Oct 8, 2016, at 9:08 AM, Andrea Pescetti <pe...@apache.org> wrote:
>
> This is not a blocker for the release (and moreover signature files are explicitly allowed to be updated during the release vote if needed), but I couldn't verify signatures in a straightforward way for source packages.
>
> One of the signatures is mine; no problem with that, and that itself is enough to prove integrity for release approval purposes.
>
> Patricia's one, according to my GPG, is done with a key having a short ID of 02703386; I couldn't find the public key in the usual places, so I couldn't verify this one.
>
> Again, this is not a blocker issue since one key is enough, but public keys used for signing releases are expected to be found at:
> http://www.apache.org/dist/openoffice/KEYS
> or (secondary resource) at
> https://people.apache.org/keys/committer/
>
> The former contains my key and another key by Patricia (short ID A57935C5); the latter contains the same key by Patricia. It doesn't contain mine since I never bothered uploading it again to enforce the long IDs, and I now see that someone decided to remove the keys that only had a short ID; I'll fix it later today.
>
> Where can I find the matching public key by Patricia? It should be added in SVN to
> https://dist.apache.org/repos/dist/release/openoffice/KEYS
> which (I believe) maps to the first URL I listed. There is surely a way to do it without a full checkout, but I didn't check details.
>
> Regards,
> Andrea.
Re: Signature verification for 4.1.3-RC1
Posted by Andrea Pescetti <pe...@apache.org>.
Patricia Shanahan wrote:
> Please test again. I have tried to fix both MIT and the KEYS file.
Thanks, it works now after importing the new KEYS file:
$ gpg --verify apache-openoffice-4.1.3-r1761381-src.tar.gz.asc apache-openoffice-4.1.3-r1761381-src.tar.gz
gpg: Signature made Sat Oct 1 22:16:14 2016 CEST using RSA key ID 8F0E4C63
gpg: Good signature from "Andrea Pescetti (Release Signing Key) <pe...@apache.org>"
gpg: Signature made Wed Oct 5 05:06:21 2016 CEST using RSA key ID 02703386
gpg: Good signature from "Patricia Shanahan <pa...@acm.org>"
Regards,
Andrea.
Re: Signature verification for 4.1.3-RC1
Posted by Patricia Shanahan <pa...@acm.org>.
On 10/8/2016 7:18 AM, Patricia Shanahan wrote:
> On 10/8/2016 6:46 AM, Andrea Pescetti wrote:
>> Patricia Shanahan wrote:
>>> I had to make a change in the key preferences to meet the release
>>> signing requirements. I uploaded to a couple of servers, including MIT,
>>> and waited a few days.
>>
>> I can find mine here (note: you have to add "0x" for the search to
>> succeed):
>> http://pgp.mit.edu/pks/lookup?search=0x8F0E4C63&op=vindex&fingerprint=on
>> But the same search for yours (the "new" one) fails:
>> http://pgp.mit.edu/pks/lookup?search=0x02703386&op=vindex&fingerprint=on
>>
>> Is my GPG wrong in detecting a signature (from you) with Key ID 02703386?
>
> The Key ID is correct. When I verify e.g.
> apache-openoffice-4.1.3-r1761381-src.tar.bz2.asc, I get the following
> output:
>
> gpg: WARNING: using insecure memory!
> gpg: please see http://www.gnupg.org/documentation/faqs.html for more information
> gpg: assuming signed data in `apache-openoffice-4.1.3-r1761381-src.tar.bz2'
> gpg: Signature made Sat, Oct 1, 2016 1:16:07 PM PDT using RSA key ID 8F0E4C63
> gpg: Good signature from "Andrea Pescetti (Release Signing Key) <pe...@apache.org>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the owner.
> Primary key fingerprint: 6D09 7A5C A3A8 C1E5 314D 9E67 013D A51F 8F0E 4C63
> gpg: Signature made Tue, Oct 4, 2016 8:03:35 PM PDT using RSA key ID 02703386
> gpg: Good signature from "Patricia Shanahan <pa...@acm.org>"
>
> It looks as though the problem is with publishing the public key - my
> gpg knows about it from my local files. I'll look into it. Thanks for
> the information.
Please test again. I have tried to fix both MIT and the KEYS file.
Re: Signature verification for 4.1.3-RC1
Posted by Patricia Shanahan <pa...@acm.org>.
On 10/8/2016 6:46 AM, Andrea Pescetti wrote:
> Patricia Shanahan wrote:
>> I had to make a change in the key preferences to meet the release
>> signing requirements. I uploaded to a couple of servers, including MIT,
>> and waited a few days.
>
> I can find mine here (note: you have to add "0x" for the search to
> succeed):
> http://pgp.mit.edu/pks/lookup?search=0x8F0E4C63&op=vindex&fingerprint=on
> But the same search for yours (the "new" one) fails:
> http://pgp.mit.edu/pks/lookup?search=0x02703386&op=vindex&fingerprint=on
>
> Is my GPG wrong in detecting a signature (from you) with Key ID 02703386?
The Key ID is correct. When I verify e.g.
apache-openoffice-4.1.3-r1761381-src.tar.bz2.asc, I get the following
output:
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/documentation/faqs.html for more information
gpg: assuming signed data in `apache-openoffice-4.1.3-r1761381-src.tar.bz2'
gpg: Signature made Sat, Oct 1, 2016 1:16:07 PM PDT using RSA key ID 8F0E4C63
gpg: Good signature from "Andrea Pescetti (Release Signing Key) <pe...@apache.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6D09 7A5C A3A8 C1E5 314D 9E67 013D A51F 8F0E 4C63
gpg: Signature made Tue, Oct 4, 2016 8:03:35 PM PDT using RSA key ID 02703386
gpg: Good signature from "Patricia Shanahan <pa...@acm.org>"
It looks as though the problem is with publishing the public key - my
gpg knows about it from my local files. I'll look into it. Thanks for
the information.
Re: Signature verification for 4.1.3-RC1
Posted by Andrea Pescetti <pe...@apache.org>.
Patricia Shanahan wrote:
> I had to make a change in the key preferences to meet the release
> signing requirements. I uploaded to a couple of servers, including MIT,
> and waited a few days.
I can find mine here (note: you have to add "0x" for the search to succeed):
http://pgp.mit.edu/pks/lookup?search=0x8F0E4C63&op=vindex&fingerprint=on
But the same search for yours (the "new" one) fails:
http://pgp.mit.edu/pks/lookup?search=0x02703386&op=vindex&fingerprint=on
Is my GPG wrong in detecting a signature (from you) with Key ID 02703386?
Here are the full details in case this helps (my GPG is configured to
use the "long" fingerprint format, but I set it back to the default for
this test):
$ gpg --verify apache-openoffice-4.1.3-r1761381-src.tar.bz2.asc apache-openoffice-4.1.3-r1761381-src.tar.bz2
gpg: Signature made Sat Oct 1 22:16:07 2016 CEST using RSA key ID 8F0E4C63
gpg: Good signature from "Andrea Pescetti (Release Signing Key) <pe...@apache.org>"
gpg: Signature made Wed Oct 5 05:03:35 2016 CEST using RSA key ID 02703386
gpg: Can't check signature: public key not found
$ gpg --keyserver pgpkeys.mit.edu --recv-key 0x8F0E4C63
(this is mine; it is retrieved, unchanged)
$ gpg --keyserver pgpkeys.mit.edu --recv-key 0xA57935C5
(this is your "old" one; works)
$ gpg --keyserver pgpkeys.mit.edu --recv-key 0x02703386
(this is your "new" one; I receive "key not found")
> I didn't think we were supposed to update KEYS directly?
Yes. The KEYS file is described here:
https://www.apache.org/dev/release-signing.html#keys-policy
and as far as I know update is supposed to be manual.
Regards,
Andrea.
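The verification runs above (and the "it works now" run earlier in the thread) do by hand what a release checker should do mechanically: confirm that each "Good signature" comes from a key that is actually listed in the project's KEYS file, by full fingerprint rather than by the 32-bit short ID that gpg prints by default. The script below is an added example, not code from the OpenOffice project or from anyone in the thread. It assumes the KEYS layout gpg prints (a "Key fingerprint =" line under each "pub" entry, as described at https://www.apache.org/dev/release-signing.html) and gpg's machine-readable --status-fd output; the sample KEYS text and status lines embedded in it are constructed for the demonstration, and the only real value is Andrea's fingerprint, quoted from the thread. The hypothetical key IDs FEDCBA9876543210 and 0123456789ABCDEF0123456789ABCDEF01234567 belong to nobody.

```python
"""Check a release signature against the project KEYS file by full fingerprint.

Added example, not code from the OpenOffice project or from anyone in the
thread.  "Good signature" only means the signature matches *some* key in the
local keyring, and 32-bit short IDs such as 8F0E4C63 are cheap to collide, so
this compares the full fingerprint on gpg's VALIDSIG status line with the
fingerprints listed in KEYS.  Sample KEYS text and status output below are
constructed; only Andrea's fingerprint (quoted in the thread) is real.
"""
import re
import subprocess
import tempfile
from dataclasses import dataclass, field

# Fingerprint line under a "pub" entry, with or without "Key fingerprint = ".
FPR_RE = re.compile(r"^\s*(?:Key fingerprint = )?((?:[0-9A-Fa-f]{4}\s*){10})$")


def parse_keys_file(text: str) -> set:
    """Every full fingerprint (40 hex digits, upper-case, no spaces) in KEYS."""
    return {re.sub(r"\s+", "", m.group(1)).upper()
            for m in map(FPR_RE.match, text.splitlines()) if m}


# Short and long key IDs are just the low 32 / 64 bits of the fingerprint.
def short_id(fpr: str) -> str: return fpr[-8:]
def long_id(fpr: str) -> str: return fpr[-16:]


@dataclass
class Outcome:
    ok: bool = False
    listed: list = field(default_factory=list)    # valid sigs, key in KEYS
    unlisted: list = field(default_factory=list)  # valid sigs, key NOT in KEYS
    missing: list = field(default_factory=list)   # key IDs gpg could not find
    bad: list = field(default_factory=list)       # bad/expired/revoked-key sigs


def check_status(status_text: str, allowed: set) -> Outcome:
    """Classify every signature in gpg --status-fd output against KEYS.
    One valid signature from a listed key is enough (as the thread says); a bad
    signature from anyone fails; an unlisted or missing key counts for nothing."""
    out = Outcome()
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        kw = fields[1]
        if kw == "VALIDSIG":
            # fields[2] is the signing (sub)key; the last field is the primary
            # key fingerprint, which is what KEYS lists.
            primary = fields[-1].upper()
            (out.listed if primary in allowed else out.unlisted).append(primary)
        elif kw == "NO_PUBKEY":
            out.missing.append(fields[2])
        elif kw in ("BADSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"):
            out.bad.append(fields[2])
    out.ok = bool(out.listed) and not out.bad
    return out


def verify_with_gpg(sig_path: str, data_path: str, keys_path: str) -> Outcome:
    """Import KEYS into a throwaway keyring (so only KEYS matters, not the
    checker's personal keyring) and verify a detached signature."""
    with tempfile.TemporaryDirectory() as home:
        base = ["gpg", "--batch", "--homedir", home]
        subprocess.run(base + ["--import", keys_path], capture_output=True, check=True)
        # Status lines go to fd 1; gpg's human-readable text goes to stderr.
        proc = subprocess.run(base + ["--status-fd", "1", "--verify", sig_path, data_path],
                              capture_output=True, text=True)
    with open(keys_path, encoding="utf-8", errors="replace") as fh:
        return check_status(proc.stdout, parse_keys_file(fh.read()))


# --- constructed sample data (key size/date are placeholders; armor omitted) ---
ANDREA_FPR = "6D097A5CA3A8C1E5314D9E67013DA51F8F0E4C63"  # from the thread
OTHER_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"   # hypothetical key
SAMPLE_KEYS = """\
pub   4096R/8F0E4C63 2012-01-01
      Key fingerprint = 6D09 7A5C A3A8 C1E5 314D 9E67 013D A51F 8F0E 4C63
uid                  Andrea Pescetti (Release Signing Key) <pe...@apache.org>
"""
# Shape of the failing run in the thread: one good signature, one whose public
# key is not in the keyring (key ID FEDCBA9876543210 is made up).
STATUS_KEY_MISSING = """\
[GNUPG:] GOODSIG 013DA51F8F0E4C63 Andrea Pescetti (Release Signing Key) <pe...@apache.org>
[GNUPG:] VALIDSIG 6D097A5CA3A8C1E5314D9E67013DA51F8F0E4C63 2016-10-01 1475352967 0 4 0 1 8 00 6D097A5CA3A8C1E5314D9E67013DA51F8F0E4C63
[GNUPG:] TRUST_UNDEFINED 0 pgp
[GNUPG:] ERRSIG FEDCBA9876543210 1 8 00 1475636615 9
[GNUPG:] NO_PUBKEY FEDCBA9876543210
"""
# The trap: both signatures verify, but the second key is not in KEYS.
STATUS_KEY_UNLISTED = STATUS_KEY_MISSING.split("[GNUPG:] ERRSIG")[0] + f"""\
[GNUPG:] GOODSIG {long_id(OTHER_FPR)} Hypothetical Signer <signer@example.invalid>
[GNUPG:] VALIDSIG {OTHER_FPR} 2016-10-05 1475636615 0 4 0 1 8 00 {OTHER_FPR}
"""

if __name__ == "__main__":
    import sys  # usage: python this.py file.asc file KEYS
    result = verify_with_gpg(*sys.argv[1:4]) if len(sys.argv) == 4 else \
        check_status(STATUS_KEY_UNLISTED, parse_keys_file(SAMPLE_KEYS))
    print(result)
    sys.exit(0 if result.ok else 1)
```

Two design points. The check deliberately ignores gpg's web-of-trust verdict (the "WARNING: This key is not certified with a trusted signature!" in Patricia's output is expected for a release-signing key nobody local has signed); the KEYS file published under dist.apache.org is the trust anchor here, so membership in it is what decides. And the throwaway --homedir matters: verifying in a personal keyring, as in the runs above, lets a key that was fetched from a keyserver by short ID, or imported years ago, satisfy "Good signature" without ever having been in KEYS.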
Re: Signature verification for 4.1.3-RC1
Posted by Patricia Shanahan <pa...@acm.org>.
I had to make a change in the key preferences to meet the release
signing requirements. I uploaded to a couple of servers, including MIT,
and waited a few days.
I didn't think we were supposed to update KEYS directly?
On 10/8/2016 6:08 AM, Andrea Pescetti wrote:
> This is not a blocker for the release (and moreover signature files are
> explicitly allowed to be updated during the release vote if needed), but
> I couldn't verify signatures in a straightforward way for source packages.
>
> One of the signatures is mine; no problem with that, and that itself is
> enough to prove integrity for release approval purposes.
>
> Patricia's one, according to my GPG, is done with a key having a short
> ID of 02703386; I couldn't find the public key in the usual places, so I
> couldn't verify this one.
>
> Again, this is not a blocker issue since one key is enough, but public
> keys used for signing releases are expected to be found at:
> http://www.apache.org/dist/openoffice/KEYS
> or (secondary resource) at
> https://people.apache.org/keys/committer/
>
> The former contains my key and another key by Patricia (short ID
> A57935C5); the latter contains the same key by Patricia. It doesn't
> contain mine since I never bothered uploading it again to enforce the
> long IDs, and I now see that someone decided to remove the keys that only
> had a short ID; I'll fix it later today.
>
> Where can I find the matching public key by Patricia? It should be added
> in SVN to
> https://dist.apache.org/repos/dist/release/openoffice/KEYS
> which (I believe) maps to the first URL I listed. There is surely a way
> to do it without a full checkout, but I didn't check details.
>
> Regards,
> Andrea.