[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] Who signed gemu-1.7.1.tar.bz2?
From: |
Stefan Hajnoczi |
Subject: |
Re: [Qemu-devel] Who signed gemu-1.7.1.tar.bz2? |
Date: |
Wed, 23 Apr 2014 14:02:29 +0200 |
User-agent: |
Mutt/1.5.21 (2010-09-15) |
On Tue, Apr 22, 2014 at 09:35:07AM -0500, Michael Roth wrote:
> Quoting Stefan Hajnoczi (2014-04-22 08:31:08)
> > On Wed, Apr 02, 2014 at 05:40:23PM -0700, Alex Davis wrote:
> > > and where is their gpg key?
> >
> > Michael Roth <address@hidden> is doing releases:
> >
> > http://pgp.mit.edu/pks/lookup?op=vindex&search=0x3353C9CEF108B584
> >
> > $ gpg --verify qemu-2.0.0.tar.bz2.sig
> > gpg: Signature made Thu 17 Apr 2014 03:49:55 PM CEST using RSA key ID
> > F108B584
> > gpg: Good signature from "Michael Roth <address@hidden>"
> > gpg: aka "Michael Roth <address@hidden>"
> > gpg: aka "Michael Roth <address@hidden>"
>
> Missed the context, but if this is specifically about 1.7.1:
>
> 1.7.1 was prior to me handling the release tarballs, Anthony actually
> did the signing and uploading for that one. I'm a bit confused though,
> as the key ID on that tarball is:
>
> address@hidden:~/Downloads$ gpg --verify qemu-1.7.1.tar.bz2.sig
> gpg: Signature made Tue 25 Mar 2014 09:03:24 AM CDT using RSA key ID ADF0D2D9
> gpg: Can't check signature: public key not found
>
> I can't seem to locate ADF0D2D9 though:
>
> http://pgp.mit.edu/pks/lookup?search=0xADF0D2D9&op=vindex
>
> Anthony's normal key (for 1.6.0 and 1.7.0 at least) was 7C18C076:
>
> http://pgp.mit.edu/pks/lookup?search=0x7C18C076&op=vindex
>
> I think maybe Anthony might've signed it with a separate local key?
This is a mess :).
We need a page like this explaining how QEMU releases are signed:
https://www.kernel.org/category/signatures.html
Mike: as release manager, can you post a page like that to the QEMU
wiki?
Thanks,
Stefan