* Who signed gemu-1.7.1.tar.bz2?
@ 2014-04-03 0:40 Alex Davis
2014-04-22 13:31 ` Stefan Hajnoczi
0 siblings, 1 reply; 7+ messages in thread
From: Alex Davis @ 2014-04-03 0:40 UTC (permalink / raw)
To: kvm
and where is their gpg key?
I code, therefore I am
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Who signed gemu-1.7.1.tar.bz2?
2014-04-03 0:40 Who signed gemu-1.7.1.tar.bz2? Alex Davis
@ 2014-04-22 13:31 ` Stefan Hajnoczi
2014-04-22 14:10 ` [Qemu-devel] " Peter Maydell
2014-04-22 14:35 ` Michael Roth
0 siblings, 2 replies; 7+ messages in thread
From: Stefan Hajnoczi @ 2014-04-22 13:31 UTC (permalink / raw)
To: Alex Davis; +Cc: kvm, Michael Roth, qemu-devel
On Wed, Apr 02, 2014 at 05:40:23PM -0700, Alex Davis wrote:
> and where is their gpg key?
Michael Roth <mdroth@linux.vnet.ibm.com> is doing releases:
http://pgp.mit.edu/pks/lookup?op=vindex&search=0x3353C9CEF108B584
$ gpg --verify qemu-2.0.0.tar.bz2.sig
gpg: Signature made Thu 17 Apr 2014 03:49:55 PM CEST using RSA key ID
F108B584
gpg: Good signature from "Michael Roth <flukshun@gmail.com>"
gpg: aka "Michael Roth <mdroth@utexas.edu>"
gpg: aka "Michael Roth <mdroth@linux.vnet.ibm.com>"
Stefan
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [Qemu-devel] Who signed gemu-1.7.1.tar.bz2?
2014-04-22 13:31 ` Stefan Hajnoczi
@ 2014-04-22 14:10 ` Peter Maydell
2014-04-22 14:35 ` Michael Roth
1 sibling, 0 replies; 7+ messages in thread
From: Peter Maydell @ 2014-04-22 14:10 UTC (permalink / raw)
To: Stefan Hajnoczi; +Cc: Alex Davis, Michael Roth, kvm-devel, QEMU Developers
On 22 April 2014 14:31, Stefan Hajnoczi <stefanha@gmail.com> wrote:
> On Wed, Apr 02, 2014 at 05:40:23PM -0700, Alex Davis wrote:
>> and where is their gpg key?
>
> Michael Roth <mdroth@linux.vnet.ibm.com> is doing releases:
>
> http://pgp.mit.edu/pks/lookup?op=vindex&search=0x3353C9CEF108B584
>
> $ gpg --verify qemu-2.0.0.tar.bz2.sig
> gpg: Signature made Thu 17 Apr 2014 03:49:55 PM CEST using RSA key ID
> F108B584
> gpg: Good signature from "Michael Roth <flukshun@gmail.com>"
> gpg: aka "Michael Roth <mdroth@utexas.edu>"
> gpg: aka "Michael Roth <mdroth@linux.vnet.ibm.com>"
NB that this is different from the key used to sign the 2.0 release tags
in git; that's expected since I did the tagging and Michael did the
tarballs.
thanks
-- PMM
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Who signed gemu-1.7.1.tar.bz2?
2014-04-22 13:31 ` Stefan Hajnoczi
2014-04-22 14:10 ` [Qemu-devel] " Peter Maydell
@ 2014-04-22 14:35 ` Michael Roth
2014-04-23 12:02 ` Stefan Hajnoczi
2014-04-23 13:43 ` Anthony Liguori
1 sibling, 2 replies; 7+ messages in thread
From: Michael Roth @ 2014-04-22 14:35 UTC (permalink / raw)
To: Stefan Hajnoczi, Alex Davis, aliguori; +Cc: kvm, qemu-devel
Quoting Stefan Hajnoczi (2014-04-22 08:31:08)
> On Wed, Apr 02, 2014 at 05:40:23PM -0700, Alex Davis wrote:
> > and where is their gpg key?
>
> Michael Roth <mdroth@linux.vnet.ibm.com> is doing releases:
>
> http://pgp.mit.edu/pks/lookup?op=vindex&search=0x3353C9CEF108B584
>
> $ gpg --verify qemu-2.0.0.tar.bz2.sig
> gpg: Signature made Thu 17 Apr 2014 03:49:55 PM CEST using RSA key ID
> F108B584
> gpg: Good signature from "Michael Roth <flukshun@gmail.com>"
> gpg: aka "Michael Roth <mdroth@utexas.edu>"
> gpg: aka "Michael Roth <mdroth@linux.vnet.ibm.com>"
Missed the context, but if this is specifically about 1.7.1:
1.7.1 was prior to me handling the release tarballs, Anthony actually
did the signing and uploading for that one. I'm a bit confused though,
as the key ID on that tarball is:
mdroth@loki:~/Downloads$ gpg --verify qemu-1.7.1.tar.bz2.sig
gpg: Signature made Tue 25 Mar 2014 09:03:24 AM CDT using RSA key ID ADF0D2D9
gpg: Can't check signature: public key not found
I can't seem to locate ADF0D2D9 though:
http://pgp.mit.edu/pks/lookup?search=0xADF0D2D9&op=vindex
Anthony's normal key (for 1.6.0 and 1.7.0 at least) was 7C18C076:
http://pgp.mit.edu/pks/lookup?search=0x7C18C076&op=vindex
I think maybe Anthony might've signed it with a separate local key?
>
> Stefan
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Who signed gemu-1.7.1.tar.bz2?
2014-04-22 14:35 ` Michael Roth
@ 2014-04-23 12:02 ` Stefan Hajnoczi
2014-04-23 13:43 ` Anthony Liguori
1 sibling, 0 replies; 7+ messages in thread
From: Stefan Hajnoczi @ 2014-04-23 12:02 UTC (permalink / raw)
To: Michael Roth; +Cc: Alex Davis, aliguori, kvm, qemu-devel
On Tue, Apr 22, 2014 at 09:35:07AM -0500, Michael Roth wrote:
> Quoting Stefan Hajnoczi (2014-04-22 08:31:08)
> > On Wed, Apr 02, 2014 at 05:40:23PM -0700, Alex Davis wrote:
> > > and where is their gpg key?
> >
> > Michael Roth <mdroth@linux.vnet.ibm.com> is doing releases:
> >
> > http://pgp.mit.edu/pks/lookup?op=vindex&search=0x3353C9CEF108B584
> >
> > $ gpg --verify qemu-2.0.0.tar.bz2.sig
> > gpg: Signature made Thu 17 Apr 2014 03:49:55 PM CEST using RSA key ID
> > F108B584
> > gpg: Good signature from "Michael Roth <flukshun@gmail.com>"
> > gpg: aka "Michael Roth <mdroth@utexas.edu>"
> > gpg: aka "Michael Roth <mdroth@linux.vnet.ibm.com>"
>
> Missed the context, but if this is specifically about 1.7.1:
>
> 1.7.1 was prior to me handling the release tarballs, Anthony actually
> did the signing and uploading for that one. I'm a bit confused though,
> as the key ID on that tarball is:
>
> mdroth@loki:~/Downloads$ gpg --verify qemu-1.7.1.tar.bz2.sig
> gpg: Signature made Tue 25 Mar 2014 09:03:24 AM CDT using RSA key ID ADF0D2D9
> gpg: Can't check signature: public key not found
>
> I can't seem to locate ADF0D2D9 though:
>
> http://pgp.mit.edu/pks/lookup?search=0xADF0D2D9&op=vindex
>
> Anthony's normal key (for 1.6.0 and 1.7.0 at least) was 7C18C076:
>
> http://pgp.mit.edu/pks/lookup?search=0x7C18C076&op=vindex
>
> I think maybe Anthony might've signed it with a separate local key?
This is a mess :).
We need a page like this explaining how QEMU releases are signed:
https://www.kernel.org/category/signatures.html
Mike: as release manager, can you post a page like that to the QEMU
wiki?
Thanks,
Stefan
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Who signed gemu-1.7.1.tar.bz2?
2014-04-22 14:35 ` Michael Roth
2014-04-23 12:02 ` Stefan Hajnoczi
@ 2014-04-23 13:43 ` Anthony Liguori
2014-04-23 14:24 ` [Qemu-devel] " Markus Armbruster
1 sibling, 1 reply; 7+ messages in thread
From: Anthony Liguori @ 2014-04-23 13:43 UTC (permalink / raw)
To: Michael Roth, Stefan Hajnoczi, Alex Davis; +Cc: kvm, qemu-devel
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 04/22/14 07:35, Michael Roth wrote:
> Quoting Stefan Hajnoczi (2014-04-22 08:31:08)
>> On Wed, Apr 02, 2014 at 05:40:23PM -0700, Alex Davis wrote:
>>> and where is their gpg key?
>>
>> Michael Roth <mdroth@linux.vnet.ibm.com> is doing releases:
>>
>> http://pgp.mit.edu/pks/lookup?op=vindex&search=0x3353C9CEF108B584
>>
>>
>>
$ gpg --verify qemu-2.0.0.tar.bz2.sig
>> gpg: Signature made Thu 17 Apr 2014 03:49:55 PM CEST using RSA
>> key ID F108B584 gpg: Good signature from "Michael Roth
>> <flukshun@gmail.com>" gpg: aka "Michael Roth
>> <mdroth@utexas.edu>" gpg: aka "Michael Roth
>> <mdroth@linux.vnet.ibm.com>"
>
> Missed the context, but if this is specifically about 1.7.1:
>
> 1.7.1 was prior to me handling the release tarballs, Anthony
> actually did the signing and uploading for that one. I'm a bit
> confused though, as the key ID on that tarball is:
>
> mdroth@loki:~/Downloads$ gpg --verify qemu-1.7.1.tar.bz2.sig gpg:
> Signature made Tue 25 Mar 2014 09:03:24 AM CDT using RSA key ID
> ADF0D2D9 gpg: Can't check signature: public key not found
>
> I can't seem to locate ADF0D2D9 though:
>
> http://pgp.mit.edu/pks/lookup?search=0xADF0D2D9&op=vindex
>
> Anthony's normal key (for 1.6.0 and 1.7.0 at least) was 7C18C076:
>
> http://pgp.mit.edu/pks/lookup?search=0x7C18C076&op=vindex
>
> I think maybe Anthony might've signed it with a separate local
> key?
Yeah, I accidentally signed it with the wrong key. Replacing the
signature doesn't seem like the right thing to do since release
artifacts should never change.
Regards,
Anthony Liguori
>>
>> Stefan
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iQEcBAEBAgAGBQJTV8NqAAoJEBqtxxBWguX/j9oH/3eVb+PgcXhEHICRXNoPyNy8
wiMeNABsTh7xn/wYpUHBxIa0lWWeO/W/6ZFLhfL50C8Nm8fsldEASOB6jngcK1dZ
5jAexApGeN5Q10Bi+reum7/bqCgxaHRmXEO/wyJtlOiC/fxsbdupg04Zk6dO2b5h
gRHxkt8uC2DWRJjb8fReR1K96aTPm9SI9GRrNZ9pAHrT6MeF3FOQGkY0hhpPDE6k
YPXb8keAlldT0U9h/Du+8m7mMCKMvwa3rRMNSw+lw7Oc5eMRwQzxUB+B4jEJ9f1k
+bL7opOcYNgqBxhKzAFgmMqlnwvM55CsWiPRq5L0/68w8qxWRQl+ECPfpJ1O0ac=
=/bg9
-----END PGP SIGNATURE-----
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [Qemu-devel] Who signed gemu-1.7.1.tar.bz2?
2014-04-23 13:43 ` Anthony Liguori
@ 2014-04-23 14:24 ` Markus Armbruster
0 siblings, 0 replies; 7+ messages in thread
From: Markus Armbruster @ 2014-04-23 14:24 UTC (permalink / raw)
To: Anthony Liguori
Cc: Michael Roth, Stefan Hajnoczi, Alex Davis, qemu-devel, kvm
Anthony Liguori <aliguori@amazon.com> writes:
> On 04/22/14 07:35, Michael Roth wrote:
>> Quoting Stefan Hajnoczi (2014-04-22 08:31:08)
>>> On Wed, Apr 02, 2014 at 05:40:23PM -0700, Alex Davis wrote:
>>>> and where is their gpg key?
>>>
>>> Michael Roth <mdroth@linux.vnet.ibm.com> is doing releases:
>>>
>>> http://pgp.mit.edu/pks/lookup?op=vindex&search=0x3353C9CEF108B584
>>>
>>>
>>>
> $ gpg --verify qemu-2.0.0.tar.bz2.sig
>>> gpg: Signature made Thu 17 Apr 2014 03:49:55 PM CEST using RSA
>>> key ID F108B584 gpg: Good signature from "Michael Roth
>>> <flukshun@gmail.com>" gpg: aka "Michael Roth
>>> <mdroth@utexas.edu>" gpg: aka "Michael Roth
>>> <mdroth@linux.vnet.ibm.com>"
>>
>> Missed the context, but if this is specifically about 1.7.1:
>>
>> 1.7.1 was prior to me handling the release tarballs, Anthony
>> actually did the signing and uploading for that one. I'm a bit
>> confused though, as the key ID on that tarball is:
>>
>> mdroth@loki:~/Downloads$ gpg --verify qemu-1.7.1.tar.bz2.sig gpg:
>> Signature made Tue 25 Mar 2014 09:03:24 AM CDT using RSA key ID
>> ADF0D2D9 gpg: Can't check signature: public key not found
>>
>> I can't seem to locate ADF0D2D9 though:
>>
>> http://pgp.mit.edu/pks/lookup?search=0xADF0D2D9&op=vindex
>>
>> Anthony's normal key (for 1.6.0 and 1.7.0 at least) was 7C18C076:
>>
>> http://pgp.mit.edu/pks/lookup?search=0x7C18C076&op=vindex
>>
>> I think maybe Anthony might've signed it with a separate local
>> key?
>
> Yeah, I accidentally signed it with the wrong key. Replacing the
> signature doesn't seem like the right thing to do since release
> artifacts should never change.
You could still publish the key, with some suitable signatures.
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2014-04-23 14:24 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-04-03 0:40 Who signed gemu-1.7.1.tar.bz2? Alex Davis
2014-04-22 13:31 ` Stefan Hajnoczi
2014-04-22 14:10 ` [Qemu-devel] " Peter Maydell
2014-04-22 14:35 ` Michael Roth
2014-04-23 12:02 ` Stefan Hajnoczi
2014-04-23 13:43 ` Anthony Liguori
2014-04-23 14:24 ` [Qemu-devel] " Markus Armbruster
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox