[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[bug#29540] [PATCH] gnu: spice: Update to 0.14.0.
From: |
Ricardo Wurmus |
Subject: |
[bug#29540] [PATCH] gnu: spice: Update to 0.14.0. |
Date: |
Sun, 03 Dec 2017 23:45:51 +0100 |
User-agent: |
mu4e 0.9.18; emacs 25.3.1 |
Andy Patterson <address@hidden> writes:
>> $ gpg --verify
>> spice-0.14.0.tar.bz2.sign gpg: assuming signed data in
>> 'spice-0.14.0.tar.bz2' gpg: Signature made Wed 11 Oct 2017 07:33:58
>> AM EDT gpg: using RSA key
>> 94A9F75661F77A6168649B23A9D8C21429AC6C82 gpg: Good signature from
>> "Christophe Fergeau (teuf) <address@hidden>" [unknown]
>> gpg: aka "Christophe Fergeau
>> <address@hidden>" [unknown] gpg: aka "Christophe
>> Fergeau <address@hidden>" [unknown] gpg: aka
>> "Christophe Fergeau <address@hidden>" [unknown] gpg: WARNING:
>> This key is not certified with a trusted signature! gpg:
>> There is no indication that the signature belongs to the owner.
>> Primary key fingerprint: 94A9 F756 61F7 7A61 6864 9B23 A9D8 C214
>> 29AC 6C82 ------
>>
>
> Ooh, thanks.
>
>> We can be reasonably sure that someone with that private key signed
>> the tarball. Now, is it the right key? Hopefully the upstream
>> documentation says which keys are considered "authorized" to sign
>> Spice releases.
>
> I didn't find anything. *shrugs*
Here’s the release announcement:
https://lists.freedesktop.org/archives/spice-announce/2017-October/000061.html
It is a signed message by Christophe Fergeau, but I haven’t been able to
verify the signature. The message could have been mangled by the
mailing list.
According to https://cgit.freedesktop.org/spice/spice/log/NEWS
Christophe Fergeau has handled the previous release as well, and the
same person is listed as the current maintainer. The “v0.14.0” tag is
signed with the same key:
--8<---------------cut here---------------start------------->8---
git verify-tag v0.14.0
gpg: Signature made Wed 11 Oct 2017 10:36:45 AM CEST
gpg: using RSA key A9D8C21429AC6C82
gpg: Good signature from "Christophe Fergeau (teuf) <address@hidden>" [unknown]
gpg: aka "Christophe Fergeau <address@hidden>" [unknown]
gpg: aka "Christophe Fergeau <address@hidden>" [unknown]
gpg: aka "Christophe Fergeau <address@hidden>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 94A9 F756 61F7 7A61 6864 9B23 A9D8 C214 29AC 6C82
--8<---------------cut here---------------end--------------->8---
--
Ricardo
GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC
https://elephly.net