From mboxrd@z Thu Jan  1 00:00:00 1970
From: Michael Roth <mdroth@linux.vnet.ibm.com>
Subject: Re: Who signed gemu-1.7.1.tar.bz2?
Date: Tue, 22 Apr 2014 09:35:07 -0500
Message-ID: <20140422143507.27429.58490@loki>
References: <1396485623.79742.YahooMailBasic@web126205.mail.ne1.yahoo.com>
 <20140422133108.GB5676@stefanha-thinkpad.redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8BIT
Cc: kvm@vger.kernel.org, qemu-devel@nongnu.org
To: Stefan Hajnoczi <stefanha@gmail.com>,
	"Alex Davis" <alex14641@yahoo.com>, aliguori@amazon.com
Return-path: <kvm-owner@vger.kernel.org>
Received: from e34.co.us.ibm.com ([32.97.110.152]:35985 "EHLO
	e34.co.us.ibm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1753035AbaDVOgQ convert rfc822-to-8bit (ORCPT
	<rfc822;kvm@vger.kernel.org>); Tue, 22 Apr 2014 10:36:16 -0400
Received: from /spool/local
	by e34.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted
	for <kvm@vger.kernel.org> from <mdroth@linux.vnet.ibm.com>;
	Tue, 22 Apr 2014 08:36:15 -0600
Received: from b03cxnp08026.gho.boulder.ibm.com (b03cxnp08026.gho.boulder.ibm.com [9.17.130.18])
	by d03dlp02.boulder.ibm.com (Postfix) with ESMTP id 167823E40044
	for <kvm@vger.kernel.org>; Tue, 22 Apr 2014 08:36:13 -0600 (MDT)
Received: from d03av02.boulder.ibm.com (d03av02.boulder.ibm.com [9.17.195.168])
	by b03cxnp08026.gho.boulder.ibm.com (8.13.8/8.13.8/NCO v10.0) with ESMTP id s3MEZKpD66846920
	for <kvm@vger.kernel.org>; Tue, 22 Apr 2014 16:35:28 +0200
Received: from d03av02.boulder.ibm.com (localhost [127.0.0.1])
	by d03av02.boulder.ibm.com (8.14.4/8.14.4/NCO v10.0 AVout) with ESMTP id s3MEZdS2011393
	for <kvm@vger.kernel.org>; Tue, 22 Apr 2014 08:35:40 -0600
In-Reply-To: <20140422133108.GB5676@stefanha-thinkpad.redhat.com>
Sender: kvm-owner@vger.kernel.org
List-ID: <kvm.vger.kernel.org>

Quoting Stefan Hajnoczi (2014-04-22 08:31:08)
> On Wed, Apr 02, 2014 at 05:40:23PM -0700, Alex Davis wrote:
> > and where is their gpg key?
> 
> Michael Roth <mdroth@linux.vnet.ibm.com> is doing releases:
> 
> http://pgp.mit.edu/pks/lookup?op=vindex&search=0x3353C9CEF108B584
> 
> $ gpg --verify qemu-2.0.0.tar.bz2.sig 
> gpg: Signature made Thu 17 Apr 2014 03:49:55 PM CEST using RSA key ID
> F108B584
> gpg: Good signature from "Michael Roth <flukshun@gmail.com>"
> gpg:                 aka "Michael Roth <mdroth@utexas.edu>"
> gpg:                 aka "Michael Roth <mdroth@linux.vnet.ibm.com>"

Missed the context, but if this is specifically about 1.7.1:

1.7.1 was prior to me handling the release tarballs, Anthony actually
did the signing and uploading for that one. I'm a bit confused though,
as the key ID on that tarball is:

mdroth@loki:~/Downloads$ gpg --verify qemu-1.7.1.tar.bz2.sig 
gpg: Signature made Tue 25 Mar 2014 09:03:24 AM CDT using RSA key ID ADF0D2D9
gpg: Can't check signature: public key not found

I can't seem to locate ADF0D2D9 though:

  http://pgp.mit.edu/pks/lookup?search=0xADF0D2D9&op=vindex

Anthony's normal key (for 1.6.0 and 1.7.0 at least) was 7C18C076:

  http://pgp.mit.edu/pks/lookup?search=0x7C18C076&op=vindex

I think maybe Anthony might've signed it with a separate local key?

> 
> Stefan