signature on rc tarball

Robert Collins robertc at robertcollins.net
Mon Sep 25 08:44:27 BST 2006


On Mon, 2006-09-25 at 17:37 +1000, Martin Pool wrote:
> On 25 Sep 2006, Robert Collins <robertc at robertcollins.net> wrote:
> > On Mon, 2006-09-25 at 14:34 +1000, Martin Pool wrote:
> > > Thanks for making the release!
> > > 
> > > When I verify the signature I get
> > > 
> > > % gpg --verify bzr-0.11rc1.tar.gz.sig
> > > gpg: Signature made Mon Sep 25 10:18:32 2006 EST using DSA key ID 4298C761
> > > gpg: WARNING: signing subkey 4298C761 is not cross-certified
> > > gpg: please see http://www.gnupg.org/faq/subkey-cross-certify.html for more information
> > > gpg: please do a --check-trustdb
> > > 
> > > So Robert should probably follow the instructions on that page.
> > 
> > This just means that you have a gnupg 1.4.3 rather than 1.4.2.2 which I
> > have.
> 
> Well, in a trivial sense yes, only >=1.4.3 shows this warning.  But I do
> think it's good not to have warnings appear on software signatures
> (although the particular attack probably doesn't matter here), and that
> means fixing your key.   I guess you may not be able to fix easily
> until (I suppose) you switch to edgy and get a new gpg.
> 
> Perhaps we should be signing with a role key rather than the RM's
> personal key?

Yes, it's not fixable without the newer gpg. I guess as it's a vector for
attacks that dapper should probably get an updated gpg.

I think signing with the RM key is entirely appropriate for releases:
unlike a deb repository, each release needs to be verified anyway, and
it is a statement by the RM that the release is 'good'.

-Rob

-- 
GPG key available at: <http://www.robertcollins.net/keys.txt>.
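Added example, not part of the thread: a small shell gate that runs gpg --verify on a release tarball and its detached .sig, and accepts only a "Good signature" with no "gpg: WARNING:" line, so the cross-certification warning quoted above (or any other warning) fails the check instead of scrolling past. It also shows the key-side fix the FAQ link describes (the cross-certify command in gpg --edit-key, which needs GnuPG 1.4.3 or later). The sample gpg output embedded below is constructed for the test; the function names and file names are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the bazaar thread): gate a release on its detached
# GPG signature and refuse any verification that carries a WARNING line.
# Assumes the stderr wording of GnuPG 1.4.x as quoted in the thread.

# check_gpg_output: read gpg --verify output on stdin, print a verdict.
# Returns 0 for a clean good signature, 1 for no/bad signature,
# 2 for a good signature that gpg nevertheless warned about.
check_gpg_output() {
    out=$(cat)
    if ! printf '%s\n' "$out" | grep -q '^gpg: Good signature from '; then
        echo "REJECT: no good signature"
        return 1
    fi
    if printf '%s\n' "$out" | grep -q '^gpg: WARNING:'; then
        echo "REJECT: good signature, but gpg emitted a warning"
        return 2
    fi
    echo "ACCEPT: clean good signature"
    return 0
}

# verify_release TARBALL: verify TARBALL against TARBALL.sig and gate on it.
# Passing both files explicitly avoids relying on gpg stripping the .sig suffix.
verify_release() {
    tarball=$1
    gpg --verify "$tarball.sig" "$tarball" 2>&1 | check_gpg_output
}

# fix_subkey_crosscert KEYID: the key owner's side of the fix. Adds the
# back-signature to the signing subkey; requires GnuPG >= 1.4.3.
fix_subkey_crosscert() {
    gpg --edit-key "$1" cross-certify save
}

# Constructed sample outputs (hypothetical key and user ID) for the gate.
SAMPLE_WARNED='gpg: Signature made Mon Sep 25 10:18:32 2006 EST using DSA key ID 4298C761
gpg: WARNING: signing subkey 4298C761 is not cross-certified
gpg: please see http://www.gnupg.org/faq/subkey-cross-certify.html for more information
gpg: Good signature from "Release Manager (hypothetical) <rm@example.invalid>"'

SAMPLE_CLEAN='gpg: Signature made Mon Sep 25 10:18:32 2006 EST using DSA key ID 4298C761
gpg: Good signature from "Release Manager (hypothetical) <rm@example.invalid>"'

SAMPLE_BAD='gpg: Signature made Mon Sep 25 10:18:32 2006 EST using DSA key ID 4298C761
gpg: BAD signature from "Release Manager (hypothetical) <rm@example.invalid>"'

# Stand-alone demonstration on the constructed samples:
printf '%s\n' "$SAMPLE_WARNED" | check_gpg_output
printf '%s\n' "$SAMPLE_CLEAN" | check_gpg_output
printf '%s\n' "$SAMPLE_BAD" | check_gpg_output
```

Run it as `verify_release bzr-0.11rc1.tar.gz` with the tarball and .sig in the current directory; a non-zero exit is the signal a release script should stop on. Treating warnings as failures is the point: a warning that is merely printed is a warning nobody acts on.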