
When people verify the digital signatures on Apache Daffodil jars, we want to avoid them getting the dreaded messages like:

 gpg: WARNING: This key is not certified with a trusted signature!
 gpg:          There is no indication that the signature belongs to the owner.

This scary-looking warning can be eliminated if the signing keys for our releases are part of the web of trust.

Despite "key signing parties", I believe one should only ask to have one's keys signed by people one knows and interacts with routinely. (Some reasoning about this here: https://baturin.org/notes/signing-parties/)

Assuming you are preparing, and therefore signing, a release of Daffodil, here is how to get your keys signed.

This is all expressed as if I am asking you to sign my keys.

Here are the steps. Four Linux command lines are involved.

Warning: I am not sure how this differs for MS-Windows or Apple users.

Our release process requires those signing releases to put their GPG keys into the KEYS file in Daffodil.

For example, you can list the key IDs of all Daffodil people who sign releases, as they appear in the KEYS file in the daffodil repository:

cd daffodil 

gpg --show-keys --keyid-format long --fingerprint < KEYS

Alternatively you can grab the keys file from https://github.com/apache/daffodil/blob/main/KEYS. (That way you won't need a recent daffodil git clone.)


You will see output for several people, each like this one, which is mine.

pub   rsa4096/274B8F1413A680AF 2018-08-16 [SC]
          Key fingerprint = 4B6A 956D 3ED3 6502 6880  2E37 274B 8F14 13A6 80AF
uid                            Michael J. Beckerle (Code Signing Key) <mbeckerle@...>

If you trust that this is my identity you can sign my public key via these steps.

Load my public key into your gpg "keyring", using the "long ID" from the "pub" line above, which for me is 274B8F1413A680AF. (The long ID seems to be needed, at least by this keyserver.)

gpg --keyserver keys.openpgp.org --recv-keys 274B8F1413A680AF

Verify that the public key you fetched for me is the same as the one you see above from the KEYS file:

gpg --list-keys --fingerprint 274B8F1413A680AF

You should see the same fingerprint as the one above from the KEYS file.

Sign my key with yours. (Someone else signs yours the same way.) Note that this is going to prompt you for the "passphrase" of your private key, which allows gpg to use your private key for the signature.
Hopefully you still have this passphrase somewhere protected. Copy the passphrase (e.g., to the clipboard) before you issue this command:

gpg --sign-key 274B8F1413A680AF

Paste in your passphrase when requested.

Finally, send the signed key back to the keyserver:

gpg --keyserver keys.openpgp.org --send-keys 274B8F1413A680AF

Voila. That's it. 
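As an added example, not part of this page or of the Daffodil project: a POSIX shell script that performs the fetch, fingerprint check, sign and send steps above in one go, and refuses to sign if the fetched key's fingerprint does not match the one copied from the KEYS file. The gpg commands and keyserver are the ones used above; the function names are my own, and the script reads the fingerprint from field 10 of the "fpr" record in gpg's --with-colons output.

```shell
#!/bin/sh
# Added example (not Daffodil project code): check the fetched key's
# fingerprint against the one published in the KEYS file before signing.

# Normalize a fingerprint for comparison: drop spaces, uppercase hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# Return 0 if two fingerprints are equal after normalization, 1 otherwise.
fpr_matches() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# Read gpg --with-colons output on stdin and print the primary key's
# fingerprint (the first "fpr" record; its 10th field is the fingerprint).
fpr_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Fetch the key for LONG_ID, compare its fingerprint with EXPECTED_FPR
# (copied from the KEYS file), and sign and upload only if they match.
verify_and_sign() {
    long_id=$1
    expected=$2
    gpg --keyserver keys.openpgp.org --recv-keys "$long_id" || return 2
    actual=$(gpg --with-colons --list-keys --fingerprint "$long_id" | fpr_from_colons)
    if fpr_matches "$expected" "$actual"; then
        gpg --sign-key "$long_id" \
          && gpg --keyserver keys.openpgp.org --send-keys "$long_id"
    else
        echo "fingerprint mismatch for $long_id: KEYS file says $expected, keyserver gave $actual" >&2
        return 1
    fi
}

# Usage (the fingerprint is the one shown in the KEYS file for that key):
#   sh signkey.sh 274B8F1413A680AF "4B6A 956D 3ED3 6502 6880 2E37 274B 8F14 13A6 80AF"
if [ $# -ge 2 ]; then
    verify_and_sign "$1" "$2"
fi
```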
