signature on rc tarball

Martin Pool mbp at canonical.com
Mon Sep 25 08:37:12 BST 2006


On 25 Sep 2006, Robert Collins <robertc at robertcollins.net> wrote:
> On Mon, 2006-09-25 at 14:34 +1000, Martin Pool wrote:
> > Thanks for making the release!
> > 
> > When I verify the signature I get
> > 
> > % gpg --verify bzr-0.11rc1.tar.gz.sig
> > gpg: Signature made Mon Sep 25 10:18:32 2006 EST using DSA key ID 4298C761
> > gpg: WARNING: signing subkey 4298C761 is not cross-certified
> > gpg: please see http://www.gnupg.org/faq/subkey-cross-certify.html for more information
> > gpg: please do a --check-trustdb
> > 
> > So Robert should probably follow the instructions on that page.
> 
> This just means that you have a gnupg 1.4.3 rather than 1.4.2.2 which I
> have.

Well, in a trivial sense yes, only >=1.4.3 shows this warning.  But I do
think it's good not to have warnings appear on software signatures
(although the particular attack probably doesn't matter here), and that
means fixing your key.  I guess you may not be able to fix easily
until (I suppose) you switch to edgy and get a new gpg.

Perhaps we should be signing with a role key rather than the RM's
personal key?

-- 
Martin
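The point Martin makes above, that warnings on a software signature should not be scrolled past, can be turned into a check that fails the release unless gpg reports a good signature with no warnings. The script below is an added example, not code from the thread or from the Bazaar project. It assumes gpg 1.4-style human-readable output (the "WARNING: signing subkey ... is not cross-certified" line quoted in the thread, and the usual "Good signature from" / "BAD signature from" lines); the key holder name and the "Good signature" line in the sample transcripts are constructed placeholders, and only the transcript classifier is exercised offline.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Bazaar project: a gate
# around "gpg --verify" that rejects a release tarball whenever gpg prints a
# WARNING (such as "signing subkey ... is not cross-certified") instead of
# letting the warning scroll past.  verify_release assumes a working gpg with
# the signer's key already imported; classify_gpg_verify runs offline.

# Read a gpg --verify transcript from a file (or stdin) and print a verdict:
#   bad        - gpg reported a BAD signature
#   unverified - no "Good signature" line at all (missing key, wrong file, ...)
#   warning    - signature is good but gpg warned about the key or trust db
#   clean      - good signature, no warnings
# Returns 0 only for "clean", so it can be used directly as a release gate.
classify_gpg_verify() {
    transcript=$(cat "${1:--}")
    if printf '%s\n' "$transcript" | grep -q 'BAD signature'; then
        echo bad
        return 1
    fi
    if ! printf '%s\n' "$transcript" | grep -q 'Good signature'; then
        echo unverified
        return 1
    fi
    if printf '%s\n' "$transcript" | grep -q 'WARNING'; then
        echo warning
        return 1
    fi
    echo clean
    return 0
}

# Verify TARBALL against TARBALL.sig and fail unless the verdict is clean.
# gpg writes its human-readable report to stderr, so merge it into the pipe;
# the pipeline's exit status is that of classify_gpg_verify.
verify_release() {
    tarball=$1
    gpg --verify "$tarball.sig" "$tarball" 2>&1 | classify_gpg_verify
}

# Constructed sample transcripts for offline use.  The first reproduces the
# lines quoted in the thread plus a hypothetical "Good signature" line with a
# placeholder key holder; the others show a clean run and a bad signature.
SAMPLE_CROSS_CERT_WARNING='gpg: Signature made Mon Sep 25 10:18:32 2006 EST using DSA key ID 4298C761
gpg: WARNING: signing subkey 4298C761 is not cross-certified
gpg: please see http://www.gnupg.org/faq/subkey-cross-certify.html for more information
gpg: please do a --check-trustdb
gpg: Good signature from "Release Manager (placeholder) <rm@example.invalid>"'

SAMPLE_CLEAN='gpg: Signature made Mon Sep 25 10:18:32 2006 EST using DSA key ID 4298C761
gpg: Good signature from "Release Manager (placeholder) <rm@example.invalid>"'

SAMPLE_BAD='gpg: Signature made Mon Sep 25 10:18:32 2006 EST using DSA key ID 4298C761
gpg: BAD signature from "Release Manager (placeholder) <rm@example.invalid>"'

# Usage against a real download:
#   verify_release bzr-0.11rc1.tar.gz && echo "release signature OK"
```

Matching gpg's human-readable text is deliberately strict here (any WARNING fails), which is the behaviour wanted for a release gate: a non-cross-certified subkey, an untrusted key or a stale trust database all stop the check rather than passing with noise. For anything beyond a one-off script, gpg's machine-readable `--status-fd` output is the more robust thing to parse, since the wording of the human-readable lines varies between gpg versions, as the 1.4.2.2 versus 1.4.3 difference in this thread shows.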



