Re: Signing key for 0.10.0
From: Benson Muite
Subject: Re: Signing key for 0.10.0
Date: Wed, 28 Jun 2023 15:31:01 +0300
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.12.0

On 6/28/23 12:22, Arun Isaac wrote:
>
> Hi,
>
> Thanks for reporting this! The new signing key is mine. I joined the
> skribilo team recently as a maintainer, and made the latest release. So,
> I signed it with my key. But, I see this is probably not the best
> idea. It would cause quite a lot of confusion every time we have new
> maintainers on the team.
>
> @Ludo: How should we best handle release signatures? Should we re-sign
> the latest release with your key?
>
> Regards,
> Arun
Hi Arun,
Thanks for maintaining Skribilo. Locally on my machine, I get:
$ gpg2 --verify skribilo-0.10.0.tar.gz.sig
gpg: assuming signed data in 'skribilo-0.10.0.tar.gz'
gpg: Signature made Wed 08 Mar 2023 04:11:11 AM EAT
gpg: using RSA key 7F730343F2F09F3C77BF79D32E25EE8B61802BB3
gpg: Good signature from "Arun I <arunisaac@systemreboot.net>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 7F73 0343 F2F0 9F3C 77BF 79D3 2E25 EE8B 6180 2BB3
$ gpg2 --verify skribilo-0.9.5.tar.gz.sig
gpg: assuming signed data in 'skribilo-0.9.5.tar.gz'
gpg: Signature made Sun 01 Nov 2020 08:31:29 PM EAT
gpg: using RSA key 3CE464558A84FDC69DB40CFB090B11993D9AEBB5
gpg: Good signature from "Ludovic Courtès <ludo@gnu.org>" [unknown]
gpg: aka "Ludovic Courtès <ludo@chbouib.org>" [unknown]
gpg: aka "Ludovic Courtès (Inria) <ludovic.courtes@inria.fr>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3CE4 6455 8A84 FDC6 9DB4 0CFB 090B 1199 3D9A EBB5
So it seems signed. However, following https://ftp.gnu.org/README:
$ gpgv --keyring ./gnu-keyring.gpg skribilo-0.10.0.tar.gz.sig skribilo-0.10.0.tar.gz
gpgv: Signature made Wed 08 Mar 2023 04:11:11 AM EAT
gpgv: using RSA key 7F730343F2F09F3C77BF79D32E25EE8B61802BB3
gpgv: Can't check signature: No public key
$ gpgv --keyring ./gnu-keyring.gpg skribilo-0.9.5.tar.gz.sig skribilo-0.9.5.tar.gz
gpgv: Signature made Sun 01 Nov 2020 08:31:29 PM EAT
gpgv: using RSA key 3CE464558A84FDC69DB40CFB090B11993D9AEBB5
gpgv: Good signature from "Ludovic Courtès <ludo@gnu.org>"
gpgv: aka "Ludovic Courtès <ludo@chbouib.org>"
gpgv: aka "Ludovic Courtès (Inria) <ludovic.courtes@inria.fr>"
So it seems you need to have your key added to those in GNU's keyring.
Not sure what the process for this is, but hopefully it can be done.
Regards,
Benson
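
The runs in the message above end in three different states: a good signature from a key with no trust path, a good signature from a key in gnu-keyring.gpg, and "No public key". The following is an added example, not part of the original message or of any project tooling, that separates those states using gpgv's machine-readable `--status-fd` lines; `classify`, `PINNED` and the status samples are constructed for illustration, and only the fingerprints come from the output quoted above.

```python
# Added example: classify `gpgv --status-fd 1` lines against pinned signers.
# Assumes one signature per .sig file; all status samples below are constructed.
LUDO = "3CE464558A84FDC69DB40CFB090B11993D9AEBB5"  # 0.9.5 signer (from the page)
ARUN = "7F730343F2F09F3C77BF79D32E25EE8B61802BB3"  # 0.10.0 signer (from the page)
PINNED = {LUDO}  # hypothetical policy: only the key gnu-keyring.gpg verified above

PREFIX = "[GNUPG:] "
FAILING = {"BADSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def classify(status_text, pinned=PINNED):
    """Return (verdict, detail) for the status lines of one signature."""
    seen = {}
    for line in status_text.splitlines():
        if line.startswith(PREFIX):  # human-readable "gpgv: ..." lines are ignored
            fields = line[len(PREFIX):].split()
            if fields:
                seen.setdefault(fields[0], fields[1:])
    for keyword in sorted(FAILING & seen.keys()):
        return ("bad-signature", keyword)
    if "NO_PUBKEY" in seen:  # key absent from the keyring: nothing was verified
        return ("no-public-key", " ".join(seen["NO_PUBKEY"]))
    if seen.get("VALIDSIG"):
        args = seen["VALIDSIG"]
        # Field 10 is the primary-key fingerprint; fall back to the signing key.
        fpr = (args[9] if len(args) >= 10 else args[0]).upper()
        return ("trusted", fpr) if fpr in pinned else ("unpinned-signer", fpr)
    return ("unverified", "")

# Constructed status output for the three situations seen in the message.
S_095 = f"""[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 090B11993D9AEBB5 Ludovic Courtès <ludo@gnu.org>
[GNUPG:] VALIDSIG {LUDO} 2020-11-01 1604251889 0 4 0 1 10 00 {LUDO}
"""
S_0100_NO_KEY = f"""[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 2E25EE8B61802BB3 1 10 00 1678237871 9 {ARUN}
[GNUPG:] NO_PUBKEY 2E25EE8B61802BB3
"""
S_0100_KEY_PRESENT = f"""[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 2E25EE8B61802BB3 Arun I <arunisaac@systemreboot.net>
[GNUPG:] VALIDSIG {ARUN} 2023-03-08 1678237871 0 4 0 1 10 00 {ARUN}
"""

if __name__ == "__main__":
    for name, text in [("0.9.5", S_095), ("0.10.0, key missing", S_0100_NO_KEY),
                       ("0.10.0, key imported", S_0100_KEY_PRESENT)]:
        print(name, classify(text))
```

A signature that verifies against a key outside the pinned set comes back as `unpinned-signer` rather than `trusted`, which is the situation a new maintainer key creates until it is added to the keyring or the pin list.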