Posted to dev@directory.apache.org by "Cralle, Chris" <Ch...@rsa.com> on 2015/05/20 22:22:21 UTC

RPM Signatures for apacheds

Hello Apache Dev,

I am attempting to validate the apacheds rpms using the RPM Signature.  But so far, I have been unable to locate a single matching public GPG key that was used to sign any of your linux rpms?

Where/How do you build your rpms, and what key is being used to sign them.

So far I have checked M20, M18, M17, they all have different rpm signatures. And none of them are in the master KEYS file. Nor could I find them on the pgp mit server.



Thanks,
Chris Crallé
EMC RSA 10700 Parkridge Blvd., 3rd Floor | Reston, VA 20191



Re: RPM Signatures for apacheds

Posted by Emmanuel Lécharny <el...@gmail.com>.
On 20/05/15 22:22, Cralle, Chris wrote:
> Hello Apache Dev,

Hi,
>
> I am attempting to validate the apacheds rpms using the RPM Signature.  But so far, I have been unable to locate a single matching public GPG key that was used to sign any of your linux rpms?
>
> Where/How do you build your rpms, and what key is being used to sign them.

We use an old version of Tanuki wrapper, with a maven plugin we have
written, to create the packages. I'm not sure we sign the resulting
package using PGP though: when I run rpm -K on the rpm, here is what I
get:

rpm -K ~/Downloads/apacheds-2.0.0-M20-x86_64.rpm
/Users/elecharny/Downloads/apacheds-2.0.0-M20-x86_64.rpm: (sha1) dsa sha1 md5 OK


OTOH, you can check the package against the md5/asc checksum which is
available on
http://directory.apache.org/apacheds/download/download-linux-rpm.html
>
> So far I have checked M20, M18, M17, they all have different rpm signatures. And none of them are in the master KEYS file. Nor could I find them on the pgp mit server.

All those versions were signed by me, using this:

https://pgp.mit.edu/pks/lookup?op=vindex&search=0x31474E5E7C6B7034

Not sure if this is what you are looking for...



Re: RPM Signatures for apacheds

Posted by Stefan Seelmann <ma...@stefan-seelmann.de>.
Hi Chris,

AFAICT we don't sign the RPM (nor deb) package using rpmsign (nor
debsign). Instead there is an .asc file that contains the signature. [1]
describes the process in general for the ASF. [2] contains the .asc
files and describes the verification procedure.

Kind Regards,
Stefan


[1] https://www.apache.org/dev/release-signing.html#basic-facts
[2] https://directory.apache.org/apacheds/download/download-linux-rpm.html


On 05/20/2015 10:22 PM, Cralle, Chris wrote:
> Hello Apache Dev,
> 
> I am attempting to validate the apacheds rpms using the RPM Signature.  But so far, I have been unable to locate a single matching public GPG key that was used to sign any of your linux rpms?
> 
> Where/How do you build your rpms, and what key is being used to sign them.
> 
> So far I have checked M20, M18, M17, they all have different rpm signatures. And none of them are in the master KEYS file. Nor could I find them on the pgp mit server.
> 
> 
> 
> Thanks,
> Chris Crallé
> EMC RSA 10700 Parkridge Blvd., 3rd Floor | Reston, VA 20191
> 
> 
>
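A verification script along the lines Stefan describes, added here as an example (it is not code from this thread or from the Directory project); the file names it expects beside the artifact are assumptions. The detached signature is checked against a throwaway keyring that holds only the project's KEYS file, so a signature from any key that is not in KEYS fails, which is exactly the check Chris was trying to perform.

```shell
#!/bin/sh
# Added example, not from this thread or the Directory project: verify an ASF
# release artifact as the linked pages describe, against the detached .asc
# signature (keys taken only from the project's KEYS file) and the published
# digest file, instead of relying on `rpm -K`, which above reports only the
# package's own sha1/md5 digests. File names are assumptions for illustration.

# verify_digest ARTIFACT DIGESTFILE ALGO   (ALGO: md5, sha1, sha256, sha512)
# Accepts either "DIGEST  FILENAME" as printed by md5sum/shaNsum, or the
# "FILENAME: AB CD EF ..." form printed by gpg --print-md; both have been
# used for ASF digest files. Returns 0 on match, 1 otherwise.
verify_digest() {
  artifact=$1; digestfile=$2; algo=$3
  line=$(tr -d '\r' < "$digestfile" | head -n 1)
  case $line in
    *:*) expected=$(printf '%s' "${line#*:}" | tr -d ' \t') ;;
    *)   expected=$(printf '%s' "$line" | awk '{print $1}') ;;
  esac
  expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
  actual=$("${algo}sum" "$artifact" | awk '{print $1}')
  [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# verify_asc ARTIFACT ASCFILE KEYSFILE
# Imports KEYS into a throwaway keyring, so a signature can only verify if
# the signing key is one the project publishes (the check the thread asks
# for), then verifies the detached signature. Returns 0 only on GOODSIG.
verify_asc() {
  artifact=$1; ascfile=$2; keysfile=$3
  ring=$(mktemp -d) || return 1
  chmod 700 "$ring"
  if gpg --homedir "$ring" --batch --quiet --import "$keysfile" 2>/dev/null &&
     gpg --homedir "$ring" --batch --status-fd 1 --verify "$ascfile" "$artifact" 2>/dev/null |
       grep -q '^\[GNUPG:\] GOODSIG '; then
    rm -rf "$ring"; return 0
  fi
  rm -rf "$ring"; return 1
}

# Usage: sh verify-release.sh apacheds-2.0.0-M20-x86_64.rpm
# (expects the .asc and .md5 files and KEYS next to the artifact)
if [ "$#" -eq 1 ]; then
  a=$1
  verify_digest "$a" "$a.md5" md5 && echo "md5 OK" || { echo "md5 MISMATCH"; exit 1; }
  verify_asc "$a" "$a.asc" "$(dirname "$a")/KEYS" && echo "signature OK" ||
    { echo "signature BAD or key not in KEYS"; exit 1; }
fi
```

A matching digest only proves the download is intact; the .asc check is what ties the release to a key the project publishes.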