You are viewing a plain text version of this content. The canonical link for it is here.
Posted to p-dev@xerces.apache.org by "Jason E. Stewart" <ja...@openinformatics.com> on 2001/07/17 18:12:21 UTC
Re: Problem with XML-Xerces-1.5.3 and GuPG key verification
Hey Krzysztof,
Thanks for actually going through the verification steps. Everything
is working fine (see below). Thanks for finding the documentation
error.
"Krzysztof Kocjan" <kk...@poczta.fm> writes:
> Step 2. seems to be processed well, except the fact that I changed the
> positions of the source and asc file
> When I didn't change the positions of source file and asc file then I
> received message
> gpg: no valid OpenPGP data found.
> gpg: the signature could not be verified.
> Please remember that the signature file (.sig or .asc)
> should be the first file given on the command line.
Oh... I must have mixed them up. I'll change the documentation.
> so I did it and received the message:
> gpg: Signature made Tue 10 Jul 2001 07:39:46 PM CEST using DSA key ID
> C803ECEE
> gpg: Good signature from "Jason E. Stewart <ja...@openinformatics.com>"
> gpg: aka "Jason E. Stewart <ja...@apache.org>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the
> owner.
> gpg: Fingerprint: 1B67 CCCA ABFC 4F62 A6B6 6F9F 1F01 06FC C803 ECEE
>
> What is it wrong. I can't understand what I have to do to be sure that
> the source code is valid and authorized. Thank You for Your help.
Nothing is wrong, you recieved the 'Good Signature'. The issue is
*you* have not indicated that my key is trusted, which is good. You
don't know me, and you don't know the key you downloaded from the
keyserver is really my key, so why would you trust it? My key is
signed by another debian developer, Barak Pearlmutter, but you don't
know him either, so he is not trusted. Trust is something that you
must supply to a key.
For those that care, the only way to ensure the key is really from me
is to meet me face-to-face and have me verify my key fingerprint, or
if you knew me, you could call me on the phone.
jas.
---------------------------------------------------------------------
To unsubscribe, e-mail: xerces-p-dev-unsubscribe@xml.apache.org
For additional commands, e-mail: xerces-p-dev-help@xml.apache.org