Posted to users@activemq.apache.org by Theseus Leandros <rd...@gmail.com> on 2023/02/07 00:49:37 UTC

Public key certification on downloads

Hello there,

The documentation provides digital signatures to verify the integrity of
downloads, e.g.: https://activemq.apache.org/components/classic/download/. I
am wondering if you provide any way to establish that the public key
fingerprint of the signer does in fact belong to the person under that
identity.
Running gpg --verify on the example:
"gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the
owner."

I found people.apache.org, which has public keys uploaded for some level of
confidence, but on that link for apache-activemq-5.17.3-bin.tar.gz, the
signer's (jbonofre) public key is not on people.apache.org.

Thanks!
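The warning quoted in the message is gpg reporting a cryptographically valid signature made by a key it has no web-of-trust path to; on gpg's machine-readable status channel the same condition appears as `TRUST_UNDEFINED`. The usual way to close that gap for release downloads is to obtain the expected fingerprint out of band (for example from a KEYS file served over HTTPS, or directly from the release manager) and pin it, accepting the download only when the `VALIDSIG` fingerprint matches. The following is an added example for this thread, not code from the ActiveMQ project or the poster: it parses `gpg --status-fd` output (format from GnuPG's doc/DETAILS) and applies such a pin. All fingerprints, key ids and user ids in it are constructed, and `verify_download` is only a thin wrapper to run the same check against a real file pair.

```python
"""Pin a release signer's fingerprint when interpreting gpg --verify.

Added example; not ActiveMQ project code. Only "[GNUPG:]" status lines are
parsed, because the human-readable WARNING text is localised and changes
between versions. Fingerprints and identities below are made up.
"""
import subprocess
from dataclasses import dataclass
from typing import Optional


@dataclass
class VerifyResult:
    cryptographically_valid: bool
    signer_fingerprint: Optional[str]   # key that made the signature
    primary_fingerprint: Optional[str]  # its primary key, when gpg reports it
    trust: Optional[str]                # TRUST_UNDEFINED, TRUST_FULLY, ...
    accepted: bool
    reason: str


def _norm(fpr: str) -> str:
    """Normalise a fingerprint as people write it: drop spaces, upper-case."""
    return fpr.replace(" ", "").upper()


def evaluate_status(status_text: str, pinned_fingerprint: str) -> VerifyResult:
    """Decide whether a gpg status stream proves the artifact came from the pinned key."""
    valid = False
    signer = primary = trust = failure = None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1]
        if keyword == "GOODSIG":
            valid = True
        elif keyword == "VALIDSIG":
            # VALIDSIG <fpr> <date> <timestamp> <expire> <version> <reserved>
            #          <pubkey-algo> <hash-algo> <sig-class> [<primary-fpr>]
            signer = _norm(fields[2])
            if len(fields) >= 12:
                primary = _norm(fields[11])
        elif keyword in ("BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG",
                         "REVKEYSIG", "NO_PUBKEY"):
            valid = False
            failure = keyword
        elif keyword.startswith("TRUST_"):
            trust = keyword

    if failure or not valid:
        return VerifyResult(False, signer, primary, trust, False,
                            f"signature not valid ({failure or 'no GOODSIG'})")
    if _norm(pinned_fingerprint) in (signer, primary):
        return VerifyResult(True, signer, primary, trust, True,
                            f"valid signature from the pinned key; gpg trust level {trust} "
                            "is superseded by the out-of-band fingerprint check")
    return VerifyResult(True, signer, primary, trust, False,
                        f"valid signature, but signer {signer} is not the pinned key")


def verify_download(artifact: str, signature: str, pinned_fingerprint: str) -> VerifyResult:
    """Run gpg on a real artifact/.asc pair and evaluate its status output."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", signature, artifact],
        capture_output=True, text=True, check=False,
    )
    return evaluate_status(proc.stdout, pinned_fingerprint)


# Constructed sample data (made-up fingerprints and identities).
PINNED = "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"
GOOD_UNTRUSTED = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Release Manager <rm@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2023-02-06 1675700000 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
GOOD_WRONG_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FEDCBA9876543210 Someone Else <other@example.invalid>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2023-02-06 1675700000 0 4 0 1 10 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
BAD = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 89ABCDEF01234567 Example Release Manager <rm@example.invalid>\n"

if __name__ == "__main__":
    for name, status in (("good", GOOD_UNTRUSTED), ("wrong key", GOOD_WRONG_KEY), ("bad", BAD)):
        r = evaluate_status(status, PINNED)
        print(f"{name}: accepted={r.accepted} trust={r.trust} -> {r.reason}")
```

Two of the three constructed cases are cryptographically valid signatures; only the one whose fingerprint matches the pin is accepted, which is exactly the distinction gpg's warning is pointing at. The pinned value must come from somewhere other than the download mirror itself, otherwise an attacker who can replace the tarball can replace the key too.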