When people verify the digital signatures on Apache Daffodil jars, we want to avoid them getting the dreaded messages like:

 gpg: WARNING: This key is not certified with a trusted signature!
 gpg:          There is no indication that the signature belongs to the owner.

This scary looking warning can be eliminated if the signing keys for our releases are part of the web-of-trust.

Despite "key signing parties", I believe one should only ask for your keys to be signed by people you know and interact with routinely. (Some reasoning about this here: Key signing parties considered useless)

Assuming you are preparing, and therefore signing, a release of Daffodil, here is how to get your keys signed. 

This is all expressed as if I am asking you to sign my keys. 

Here are the steps; four Linux command lines are involved.

Warning: I am not sure how this differs for MS-Windows or Apple users.

Our release process requires those signing releases to put their GPG keys into the KEYS file in Daffodil. 

For example, you can list the key IDs of all Daffodil people who sign releases, as they are listed in the KEYS file in daffodil:

cd daffodil 

gpg --show-keys --keyid-format long --fingerprint < KEYS

Alternatively you can grab the keys file from https://github.com/apache/daffodil/blob/main/KEYS. (That way you won't need a recent daffodil git clone.)


You will see output for several people, each like this one, which is mine.

pub   rsa4096/D87AD4BD985035CD 2022-09-09 [SC]
      Key fingerprint = DB59 C93B 3D71 BEBB 537F  325D D87A D4BD 9850 35CD
uid                            Michael J. Beckerle <mbeckerle@apache.org>
sub   rsa4096/F2811F881B8A5203 2022-09-09 [E]

If you trust that this is my identity you can sign my public key via these steps.

Load my public key into your gpg "keyring", using the "long id" from the "pub" line above for me, which is D87AD4BD985035CD. (Long ID seems to be needed at least by this keyserver)

gpg --keyserver keys.openpgp.org --recv-keys D87AD4BD985035CD

Verify that the public key you just fetched for me is the same as the one you see above from the KEYS file:

gpg --list-keys --fingerprint D87AD4BD985035CD

You should see the same fingerprint as above from the KEYS file. 

Sign my key with yours. (Someone else signs yours the same way.) Note that this is going to prompt you for your private key "pass phrase", allowing it to use your private key. 
Hopefully you still have this pass phrase somewhere protected. Copy the pass phrase (e.g., to the clipboard) before you issue this command:

gpg --sign-key D87AD4BD985035CD

Paste in your pass-phrase when requested.

Finally send the signed-key back to the key server:

gpg --keyserver keys.openpgp.org --send-keys D87AD4BD985035CD

Voila. That's it. 
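The fingerprint comparison in the verify step above is the one check that must not be skipped, since a 64-bit long ID alone does not uniquely identify a key. Here is an added example (not part of this page or of the Daffodil project) that automates it: feed it the text of `gpg --show-keys --keyid-format long --fingerprint < KEYS` and of `gpg --list-keys --fingerprint <ID>` and only run `gpg --sign-key` when it answers "ok". The parser and the sample listings below are constructed for illustration; the first listing is the KEYS-file entry shown above.

```python
import re
from typing import Dict

# Matches the primary-key fingerprint line in either gpg style: "Key fingerprint = ..." or bare 40 hex.
FPR_RE = re.compile(r"^\s+(?:Key fingerprint = )?((?:[0-9A-F]{4}\s*){10})$")

def parse_fingerprints(text: str) -> Dict[str, str]:
    """Map long ID -> fingerprint from a human-readable gpg listing. The long ID is
    the last 16 hex digits of the fingerprint (OpenPGP v4), so --keyid-format long is
    not needed; subkey fingerprints (after a "sub" line) are ignored."""
    keys: Dict[str, str] = {}
    awaiting_fpr = False  # True between a "pub" line and its fingerprint line
    for line in text.splitlines():
        if line.startswith("pub"):
            awaiting_fpr = True
        elif awaiting_fpr and (m := FPR_RE.match(line)):
            fpr = m.group(1).replace(" ", "")
            keys[fpr[-16:]] = fpr
            awaiting_fpr = False
    return keys

def verify_before_signing(keys_file_listing: str, keyring_listing: str, long_id: str) -> str:
    """Gate for `gpg --sign-key LONG_ID`: "ok" only if the keyring copy has exactly the
    fingerprint published in KEYS. Different keys can share a 64-bit long ID."""
    long_id = long_id.upper()
    expected = parse_fingerprints(keys_file_listing).get(long_id)
    fetched = parse_fingerprints(keyring_listing).get(long_id)
    if expected is None:
        return "no key with that long ID in the KEYS file"
    if fetched is None:
        return "no key with that long ID in the local keyring"
    if expected != fetched:
        return "fingerprint mismatch: do not sign"
    return "ok"

# Constructed sample: the KEYS-file entry shown on this page.
KEYS_FILE_LISTING = """\
pub   rsa4096/D87AD4BD985035CD 2022-09-09 [SC]
      Key fingerprint = DB59 C93B 3D71 BEBB 537F  325D D87A D4BD 9850 35CD
uid                            Michael J. Beckerle <mbeckerle@apache.org>
sub   rsa4096/F2811F881B8A5203 2022-09-09 [E]
"""
# Constructed sample: the same key as a newer gpg prints it after --recv-keys (bare fingerprint, no ID on the pub line).
KEYRING_LISTING_OK = """\
pub   rsa4096 2022-09-09 [SC]
      DB59C93B3D71BEBB537F325DD87AD4BD985035CD
uid           [ unknown] Michael J. Beckerle <mbeckerle@apache.org>
"""
# Constructed sample: same long ID (same last 16 digits) but a different key.
KEYRING_LISTING_BAD = KEYRING_LISTING_OK.replace("DB59C93B3D71BEBB", "0000000000000000")
```

Only a result of "ok" means the key in your keyring is the one published in KEYS; anything else means stop and investigate before signing.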

Note that the final send-keys step is somewhat controversial. Some people say you should not send the signed key directly back to the keyserver, but instead send it back to the email address on the public key you just signed. 

The details are here: https://gist.github.com/F21/b0e8c62c49dfab267ff1d0c6af39ab84. This seems prudent when signing keys of people you are not absolutely sure you have the proper email/key for, but it is an unnecessary few extra steps if you are signing well-known keys of people you know well and interact with frequently, and whom you know use the email addresses in the public keys you are signing. 
