On Mon, 5 Nov 2018, Justin Mclean wrote:
> Date: Mon, 5 Nov 2018 11:15:41 +0100
> From: Justin Mclean <justin@classsoftware.com>
> To: general@incubator.apache.org
> Subject: Re: [VOTE] Release of Apache Crail-1.1-incubating [rc3]
>> It is signed with an Apache email address:
>>
>> $ gpg --verify apache-crail-1.1-incubating-src.tar.gz.asc
>> gpg: assuming signed data in `apache-crail-1.1-incubating-src.tar.gz'
>> gpg: Signature made Fri 26 Oct 2018 12:50:58 PM CEST using RSA key ID AA557B11
>> gpg: Good signature from "Jonas Pfefferle <pepperjo@apache.org>”
>
> Odd I get:
> gpg: assuming signed data in 'apache-crail-1.1-incubating-bin.tar.gz'
> gpg: Signature made Fri 26 Oct 21:50:58 2018 AEDT
> gpg: using RSA key 9C196C5FAA557B11
> gpg: Good signature from "Jonas Pfefferle <jpf@zurich.ibm.com>" [unknown]
>
> But it’s not a big issue or one that stops you making a release.
On 2018-08-21 Pfefferle added uid "pepperjo@apache.org"
and revoked (the selfsig on) uid "jpf@zurich.ibm.com".
Maybe you didn't refresh the signing key before using "gpg --verify".
gpg -v --refresh 0x9C196C5FAA557B11
Hint: always use the two-argument --verify
gpg --verify OBJ.asc OBJ
If OBJ.asc is erroneously created with --sign [-s] instead of
--detach-sign [-b], then the two-argument --verify gives an error.
> Justin
Groeten,
HPP
------------------------------------------------------------ _
Henk P. Penning, ICT-beta R Uithof MG-403 _/ \_
Faculty of Science, Utrecht University T +31 30 253 4106 / \_/ \
Leuvenlaan 4, 3584CE Utrecht, NL F +31 30 253 4553 \_/ \_/
http://www.staff.science.uu.nl/~penni101/ M penning@uu.nl \_/
|