Posted to users@openoffice.apache.org by Allen Tabbert <at...@goldengate.net> on 2013/08/24 02:38:00 UTC

KEYS

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I wanted to verify the
Apache_OpenOffice_4.0.0_Linux_x86-64_install-rpm_en-US.tar.gz.asc
against my download.  I downloaded the KEYS using: wget
http://www.apache.org/dist/openoffice/KEYS
Then I imported the keys.

But when I ran gpg --verify it said:

    $ gpg --verify Apache_OpenOffice_4.0.0_Linux_x86-64_install-rpm_en-US.tar.gz.asc
    gpg: Signature made Tue 16 Jul 2013 05:39:05 PM CDT using RSA key ID B8E50356
    gpg: Can't check signature: No public key

The Key ID B8E50356 is not in the set I downloaded from your KEYS
file.  Why is it not in there??

Allen
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)

-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@openoffice.apache.org
For additional commands, e-mail: users-help@openoffice.apache.org


Re: KEYS

Posted by sebb <se...@gmail.com>.
On 30 August 2013 14:48, Rob Weir <ro...@apache.org> wrote:
> Moving conversation over to the dev list...
>
> On Sun, Aug 25, 2013 at 8:18 PM, Ariel Constenla-Haile
> <ar...@apache.org> wrote:
>> On Sun, Aug 25, 2013 at 05:31:35PM -0400, Rob Weir wrote:
>>> > I wanted to verify the
>>> > Apache_OpenOffice_4.0.0_Linux_x86-64_install-rpm_en-US.tar.gz.asc
>>> > against my download.  I downloaded the KEYS using: wget
>>> > http://www.apache.org/dist/openoffice/KEYS Then I imported the keys.
>>> >
>>> > But when I ran gpg --verify it said:
>>> >
>>> >     $ gpg --verify Apache_OpenOffice_4.0.0_Linux_x86-64_install-rpm_en-US.tar.gz.asc
>>> >     gpg: Signature made Tue 16 Jul 2013 05:39:05 PM CDT using RSA key ID B8E50356
>>> >     gpg: Can't check signature: No public key
>>> >
>>> > The Key ID B8E50356 is not in the set I downloaded from your KEYS
>>> > file.  Why is it not in there??
>>> >
>>>
>>> Hi Ariel,  is B8E50356 your key?
>>
>> Yes, it is a bug that my key is not in
>> http://www.apache.org/dist/openoffice/KEYS
>>
>> This file should be a copy of

That's debatable, see below.

>> https://people.apache.org/keys/group/openoffice.asc or
>> https://people.apache.org/keys/group/openoffice-pmc.asc (in case only
>> PMC members are supposed to sign artifacts).
>>
>
> Does anyone know:  can we (may we?) do this now?  Or is this something
> to fix in 4.0.1 release?

The KEY used to sign an artifact MUST be in the KEYS file that is
linked from the download page(s).
This is something that should be checked as part of a release vote.

The files under https://people.apache.org/keys/group/ are
automatically generated from LDAP.
As such they only contain keys from current entries.
However KEYS files may still be needed to validate archive releases
where the key is not in LDAP (or the key is in LDAP but the owner is
no longer in the relevant TLP or PMC group).

For the above reasons, at present I don't think it makes sense to
blindly copy the file.

The file http://www.apache.org/dist/openoffice/KEYS has historically
been manually maintained.
New keys are added to the file as required.
Old keys are never deleted, as they may have been used for signing
archive releases.
[I guess there might be a case for deleting a compromised key]

So I suggest you just add the missing key(s) - with header info please
- to the dist/oo/KEYS file.


> -Rob
>
>
>>
>> @OP: please import the keys from
>> https://people.apache.org/keys/group/openoffice-pmc.asc
>>
>>> > Allen -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.14
>>> > (GNU/Linux)
>>> >
>>> > -----END PGP SIGNATURE-----
>>
>> I suggest you configure Enigmail in Thunderbird to sign using PGP/MIME
>> instead of the old-fashioned inline-PGP, in Thunderbird's Account
>> Settings go to OpenPGP Options and enable "Use PGP/MIME by default", as
>> explained here http://www.rainydayz.org/content/81-account-settings
>>
>>
>> Regards
>> --
>> Ariel Constenla-Haile
>> La Plata, Argentina
>

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@openoffice.apache.org
For additional commands, e-mail: dev-help@openoffice.apache.org
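
The release-vote check described in the message above (every signing key must be in the KEYS file linked from the download page), as an added example that is not part of the original thread or of any Apache tooling. The function names and the sample status lines are constructed for illustration; the gpg options and the `[GNUPG:]` status keywords are standard GnuPG.

```shell
#!/bin/sh
# Added example (not from the thread): check that each artifact's signature
# verifies using ONLY the keys in the published KEYS file.

# sig_verdict: stdin = `gpg --status-fd 1 --verify` output for one artifact.
# Prints "missing <keyid>" if the signer's key is absent (the case in this
# thread), "ok <fingerprint>" for a valid signature, otherwise "bad".
sig_verdict() {
    awk '$1 != "[GNUPG:]"  { next }
         $2 == "VALIDSIG"  { ok = $3 }
         $2 == "NO_PUBKEY" { missing = $3 }
         END {
             if (missing != "") print "missing " missing
             else if (ok != "") print "ok " ok
             else print "bad"
         }'
}

# check_release KEYS ARTIFACT...: import KEYS into a throwaway keyring so the
# caller's own keyring cannot mask a key that is missing from KEYS, then
# verify ARTIFACT.asc against each ARTIFACT. Returns non-zero on any failure.
check_release() {
    keys=$1; shift
    home=$(mktemp -d) || return 2
    gpg --homedir "$home" --batch --quiet --import "$keys" 2>/dev/null
    rc=0
    for f in "$@"; do
        v=$(gpg --homedir "$home" --batch --status-fd 1 \
                --verify "$f.asc" "$f" 2>/dev/null | sig_verdict)
        echo "$f: $v"
        case $v in "ok "*) ;; *) rc=1 ;; esac
    done
    rm -rf "$home"
    return $rc
}

# Constructed sample: status lines gpg emits when the signing key is not in
# the keyring. The key ID and timestamp are placeholders.
sample_no_pubkey() {
    printf '%s\n' \
        '[GNUPG:] NEWSIG' \
        '[GNUPG:] ERRSIG 0123456789ABCDEF 1 2 00 1374014345 9' \
        '[GNUPG:] NO_PUBKEY 0123456789ABCDEF'
}
```

Run as `check_release KEYS Apache_OpenOffice_4.0.0_Linux_x86-64_install-rpm_en-US.tar.gz`; a "missing" verdict means the key must be appended to KEYS before the release is published.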


Re: KEYS

Posted by Rob Weir <ro...@apache.org>.
Moving conversation over to the dev list...

On Sun, Aug 25, 2013 at 8:18 PM, Ariel Constenla-Haile
<ar...@apache.org> wrote:
> On Sun, Aug 25, 2013 at 05:31:35PM -0400, Rob Weir wrote:
>> > I wanted to verify the
>> > Apache_OpenOffice_4.0.0_Linux_x86-64_install-rpm_en-US.tar.gz.asc
>> > against my download.  I downloaded the KEYS using: wget
>> > http://www.apache.org/dist/openoffice/KEYS Then I imported the keys.
>> >
>> > But when I ran gpg --verify it said:
>> >
>> >     $ gpg --verify Apache_OpenOffice_4.0.0_Linux_x86-64_install-rpm_en-US.tar.gz.asc
>> >     gpg: Signature made Tue 16 Jul 2013 05:39:05 PM CDT using RSA key ID B8E50356
>> >     gpg: Can't check signature: No public key
>> >
>> > The Key ID B8E50356 is not in the set I downloaded from your KEYS
>> > file.  Why is it not in there??
>> >
>>
>> Hi Ariel,  is B8E50356 your key?
>
> Yes, it is a bug that my key is not in
> http://www.apache.org/dist/openoffice/KEYS
>
> This file should be a copy of
> https://people.apache.org/keys/group/openoffice.asc or
> https://people.apache.org/keys/group/openoffice-pmc.asc (in case only
> PMC members are supposed to sign artifacts).
>

Does anyone know:  can we (may we?) do this now?  Or is this something
to fix in 4.0.1 release?

-Rob


>
> @OP: please import the keys from
> https://people.apache.org/keys/group/openoffice-pmc.asc
>
>> > Allen -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.14
>> > (GNU/Linux)
>> >
>> > -----END PGP SIGNATURE-----
>
> I suggest you configure Enigmail in Thunderbird to sign using PGP/MIME
> instead of the old-fashioned inline-PGP, in Thunderbird's Account
> Settings go to OpenPGP Options and enable "Use PGP/MIME by default", as
> explained here http://www.rainydayz.org/content/81-account-settings
>
>
> Regards
> --
> Ariel Constenla-Haile
> La Plata, Argentina



Re: KEYS

Posted by Ariel Constenla-Haile <ar...@apache.org>.
On Sun, Aug 25, 2013 at 05:31:35PM -0400, Rob Weir wrote:
> > I wanted to verify the
> > Apache_OpenOffice_4.0.0_Linux_x86-64_install-rpm_en-US.tar.gz.asc
> > against my download.  I downloaded the KEYS using: wget
> > http://www.apache.org/dist/openoffice/KEYS Then I imported the keys.
> >
> > But when I ran gpg --verify it said:
> >
> >     $ gpg --verify Apache_OpenOffice_4.0.0_Linux_x86-64_install-rpm_en-US.tar.gz.asc
> >     gpg: Signature made Tue 16 Jul 2013 05:39:05 PM CDT using RSA key ID B8E50356
> >     gpg: Can't check signature: No public key
> >
> > The Key ID B8E50356 is not in the set I downloaded from your KEYS
> > file.  Why is it not in there??
> >
> 
> Hi Ariel,  is B8E50356 your key?

Yes, it is a bug that my key is not in
http://www.apache.org/dist/openoffice/KEYS

This file should be a copy of
https://people.apache.org/keys/group/openoffice.asc or
https://people.apache.org/keys/group/openoffice-pmc.asc (in case only
PMC members are supposed to sign artifacts).


@OP: please import the keys from
https://people.apache.org/keys/group/openoffice-pmc.asc

> > Allen -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.14
> > (GNU/Linux)
> >
> > -----END PGP SIGNATURE-----

I suggest you configure Enigmail in Thunderbird to sign using PGP/MIME
instead of the old-fashioned inline-PGP. In Thunderbird's Account
Settings, go to OpenPGP Options and enable "Use PGP/MIME by default", as
explained here: http://www.rainydayz.org/content/81-account-settings


Regards
-- 
Ariel Constenla-Haile
La Plata, Argentina

Re: KEYS

Posted by Rob Weir <ro...@apache.org>.
On Fri, Aug 23, 2013 at 8:38 PM, Allen Tabbert <at...@goldengate.net> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi,
>
> I wanted to verify the
> Apache_OpenOffice_4.0.0_Linux_x86-64_install-rpm_en-US.tar.gz.asc
> against my download.  I downloaded the KEYS using: wget
> http://www.apache.org/dist/openoffice/KEYS
> Then I imported the keys.
>
> But when I ran gpg --verify it said:
>
>     $ gpg --verify Apache_OpenOffice_4.0.0_Linux_x86-64_install-rpm_en-US.tar.gz.asc
>     gpg: Signature made Tue 16 Jul 2013 05:39:05 PM CDT using RSA key ID B8E50356
>     gpg: Can't check signature: No public key
>
> The Key ID B8E50356 is not in the set I downloaded from your KEYS
> file.  Why is it not in there??
>

Hi Ariel,  is B8E50356 your key?

-Rob

> Allen
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.14 (GNU/Linux)
>
> -----END PGP SIGNATURE-----
>


Re: KEYS

Posted by Peter Hillier-Brook <ph...@hbsys.plus.com>.
On 24/08/13 01:38, Allen Tabbert wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi,
>
> I wanted to verify the
> Apache_OpenOffice_4.0.0_Linux_x86-64_install-rpm_en-US.tar.gz.asc
> against my download.  I downloaded the KEYS using: wget
> http://www.apache.org/dist/openoffice/KEYS
> Then I imported the keys.
>
> But when I ran gpg --verify it said:
>
>     $ gpg --verify Apache_OpenOffice_4.0.0_Linux_x86-64_install-rpm_en-US.tar.gz.asc
>     gpg: Signature made Tue 16 Jul 2013 05:39:05 PM CDT using RSA key ID B8E50356
>     gpg: Can't check signature: No public key
>
> The Key ID B8E50356 is not in the set I downloaded from your KEYS
> file.  Why is it not in there??
>
> Allen

Seconded. I encountered a similar problem with the Debian based build.

Peter HB

