You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@stratos.apache.org by Isuru Perera <is...@wso2.com> on 2014/04/18 19:19:46 UTC

Stratos 4.0.0-incubating-rc1 release signing

Hi Devs,

Now we are almost ready for the release. As part of the release process, we
need to sign files [1].

I created a key following few guides [1][2].

My key ID is 2D09CC5E [3]. My key was signed and trusted by few other users.

When verifying [4] the release [5] from another user, we noticed following
warning.

gpg: Signature made Fri 18 Apr 2014 06:35:19 PM IST using RSA key ID
2D09CC5E
gpg: Good signature from "M. Isuru Tharanga Chrishantha Perera (CODE
SIGNING KEY) <is...@apache.org>"

*gpg: WARNING: This key is not certified with a trusted signature! gpg:
     There is no indication that the signature belongs to the owner.*
Primary key fingerprint: 9C4E CBA6 920C 175D C498  15AC 0508 949F 2D09 CC5E

The main concern is how to avoid above warning. This concern was raised
when releasing the previous version as well. See "PPMC diligence is needed
in Voting" on dev@ [6].

I really appreciate your ideas, especially from the mentors.

Please note that the dist location at [5] does not contain the final source
release.

Thanks!

Best Regards,

[1] http://www.apache.org/dev/release-signing.html
[2] http://www.apache.org/dev/openpgp.html
[3] http://pgp.mit.edu/pks/lookup?op=vindex&search=0x0508949F2D09CC5E
[4]
https://cwiki.apache.org/confluence/display/STRATOS/4.0.0+Testing+Procedure
[5]
https://dist.apache.org/repos/dist/dev/incubator/stratos/releases/4.0.0-incubating-rc1/
[6]
http://mail-archives.apache.org/mod_mbox/stratos-dev/201310.mbox/%3CD961E9C5-E28D-4B68-822F-4C2DB9936592@apache.org%3E

-- 
Isuru Perera
Senior Software Engineer | WSO2, Inc. | http://wso2.com/
Lean . Enterprise . Middleware

about.me/chrishantha