Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [jetty-users] Using GPG to securely install Jetty

FWIW, that is me :)

Key fingerprint = 5DE5 33CB 43DA F8BC 3E37  2283 E7AE 839C D7C5 8886
uid Jesse McConnell (signing key) <jesse.mcconnell@xxxxxxxxx>

I have advocated a key signing setup at the Eclipse Foundation before
but there was no interest in extending the circle of trust behind the
foundation key which is a palaver to use and not suitable for a normal
maven release process like ours.

I will float the idea of the rest of the jetty developers doing a
signing party though, probably long overdue.


jesse mcconnell

On Fri, Oct 3, 2014 at 3:25 PM, Rob Nikander <rob.nikander@xxxxxxxxx> wrote:
> Hi,
> If I download the main Jetty tar.gz
> (, and then the signature
> file, and then run `gpg --verify` ... it says it's a good signature, but how
> do I know it wasn't just tampered with and resigned by some random person?
> How do I know that this is the right key?
> gpg: Signature made Fri 05 Sep 2014 03:02:06 PM UTC using DSA key ID
> D7C58886
> gpg: Good signature from "Jesse McConnell (signing key)
> <jesse.mcconnell@xxxxxxxxx>" [unknown]
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the
> owner.
> Primary key fingerprint: 5DE5 33CB 43DA F8BC 3E37  2283 E7AE 839C D7C5 8886
> Rob
> _______________________________________________
> jetty-users mailing list
> jetty-users@xxxxxxxxxxx
> To change your delivery options, retrieve your password, or unsubscribe from
> this list, visit

Back to the top