signature on rc tarball
mbp at canonical.com
Mon Sep 25 08:37:12 BST 2006
On 25 Sep 2006, Robert Collins <robertc at robertcollins.net> wrote:
> On Mon, 2006-09-25 at 14:34 +1000, Martin Pool wrote:
> > Thanks for making the release!
> > When I verify the signature I get
> > % gpg --verify bzr-0.11rc1.tar.gz.sig
> > gpg: Signature made Mon Sep 25 10:18:32 2006 EST using DSA key ID 4298C761
> > gpg: WARNING: signing subkey 4298C761 is not cross-certified
> > gpg: please see http://www.gnupg.org/faq/subkey-cross-certify.html for more information
> > gpg: please do a --check-trustdb
> > So Robert should probably follow the instructions on that page.
> This just means that you have a gnupg 1.4.3 rather than 18.104.22.168 which I

Well, in a trivial sense yes, only >=1.4.3 shows this warning. But I do
think it's good not to have warnings appear on software signatures
(although the particular attack probably doesn't matter here), and that
means fixing your key. I guess you may not be able to fix easily
until (I suppose) you switch to edgy and get a new gpg.

Perhaps we should be signing with a role key rather than the RM's
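
Added example, not part of the original message or of the Bazaar project's tooling: a pre-publish check that reads `gpg --verify` output and refuses a release signature that verifies with warnings, such as the cross-certification warning quoted above. It assumes English, human-readable gpg output; `audit_verify_output`, `VerifyReport` and `CLEAN_SAMPLE` are hypothetical names and constructed data.

```python
import re
from dataclasses import dataclass, field

# gpg output quoted in the message above (English, human-readable format).
PAGE_SAMPLE = """\
gpg: Signature made Mon Sep 25 10:18:32 2006 EST using DSA key ID 4298C761
gpg: WARNING: signing subkey 4298C761 is not cross-certified
gpg: please see http://www.gnupg.org/faq/subkey-cross-certify.html for more information
gpg: please do a --check-trustdb
"""
# Constructed sample: a verification that produces no warnings.
CLEAN_SAMPLE = """\
gpg: Signature made Mon Sep 25 10:18:32 2006 EST using DSA key ID 0123ABCD
gpg: Good signature from "Example Release Key <release@example.org>"
"""

SIG_RE = re.compile(r"^gpg: Signature made .+ using (\S+) key ID ([0-9A-Fa-f]+)$")
WARN_RE = re.compile(r"^gpg: WARNING: (.+)$")
XCERT_RE = re.compile(r"signing subkey ([0-9A-Fa-f]+) is not cross-certified")


@dataclass
class VerifyReport:
    key_id: str = ""
    good: bool = False
    bad: bool = False
    warnings: list = field(default_factory=list)
    uncertified_subkeys: list = field(default_factory=list)

    @property
    def release_ready(self):
        # Publishable only if gpg reported a good signature and no warnings.
        return self.good and not self.bad and not self.warnings


def audit_verify_output(output):
    """Classify the lines of `gpg --verify` output (stderr) into a report."""
    report = VerifyReport()
    for line in map(str.strip, output.splitlines()):
        if (m := SIG_RE.match(line)):
            report.key_id = m.group(2).upper()
        elif line.startswith("gpg: Good signature"):
            report.good = True
        elif line.startswith("gpg: BAD signature"):
            report.bad = True
        elif (m := WARN_RE.match(line)):
            report.warnings.append(m.group(1))
            report.uncertified_subkeys += [k.upper() for k in XCERT_RE.findall(m.group(1))]
    return report
```

A release script would feed it the captured stderr of `gpg --verify` and stop when `release_ready` is false.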