From mboxrd@z Thu Jan 1 00:00:00 1970 From: Anthony Liguori Subject: Re: Who signed gemu-1.7.1.tar.bz2? Date: Wed, 23 Apr 2014 06:43:10 -0700 Message-ID: <5357C36E.1020406@amazon.com> References: <1396485623.79742.YahooMailBasic@web126205.mail.ne1.yahoo.com> <20140422133108.GB5676@stefanha-thinkpad.redhat.com> <20140422143507.27429.58490@loki> Mime-Version: 1.0 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 7bit Cc: , To: Michael Roth , Stefan Hajnoczi , Alex Davis Return-path: Received: from smtp-fw-9102.amazon.com ([207.171.184.29]:37614 "EHLO smtp-fw-9102.amazon.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1756240AbaDWNnv (ORCPT ); Wed, 23 Apr 2014 09:43:51 -0400 In-Reply-To: <20140422143507.27429.58490@loki> Sender: kvm-owner@vger.kernel.org List-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 04/22/14 07:35, Michael Roth wrote: > Quoting Stefan Hajnoczi (2014-04-22 08:31:08) >> On Wed, Apr 02, 2014 at 05:40:23PM -0700, Alex Davis wrote: >>> and where is their gpg key? >> >> Michael Roth is doing releases: >> >> http://pgp.mit.edu/pks/lookup?op=vindex&search=0x3353C9CEF108B584 >> >> >> $ gpg --verify qemu-2.0.0.tar.bz2.sig >> gpg: Signature made Thu 17 Apr 2014 03:49:55 PM CEST using RSA >> key ID F108B584 gpg: Good signature from "Michael Roth >> " gpg: aka "Michael Roth >> " gpg: aka "Michael Roth >> " > > Missed the context, but if this is specifically about 1.7.1: > > 1.7.1 was prior to me handling the release tarballs, Anthony > actually did the signing and uploading for that one. I'm a bit > confused though, as the key ID on that tarball is: > > mdroth@loki:~/Downloads$ gpg --verify qemu-1.7.1.tar.bz2.sig gpg: > Signature made Tue 25 Mar 2014 09:03:24 AM CDT using RSA key ID > ADF0D2D9 gpg: Can't check signature: public key not found > > I can't seem to locate ADF0D2D9 though: > > http://pgp.mit.edu/pks/lookup?search=0xADF0D2D9&op=vindex > > Anthony's normal key (for 1.6.0 and 1.7.0 at least) was 7C18C076: > > http://pgp.mit.edu/pks/lookup?search=0x7C18C076&op=vindex > > I think maybe Anthony might've signed it with a separate local > key? Yeah, I accidentally signed it with the wrong key. Replacing the signature doesn't seem like the right thing to do since release artifacts should never change. Regards, Anthony Liguori >> >> Stefan > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBAgAGBQJTV8NqAAoJEBqtxxBWguX/j9oH/3eVb+PgcXhEHICRXNoPyNy8 wiMeNABsTh7xn/wYpUHBxIa0lWWeO/W/6ZFLhfL50C8Nm8fsldEASOB6jngcK1dZ 5jAexApGeN5Q10Bi+reum7/bqCgxaHRmXEO/wyJtlOiC/fxsbdupg04Zk6dO2b5h gRHxkt8uC2DWRJjb8fReR1K96aTPm9SI9GRrNZ9pAHrT6MeF3FOQGkY0hhpPDE6k YPXb8keAlldT0U9h/Du+8m7mMCKMvwa3rRMNSw+lw7Oc5eMRwQzxUB+B4jEJ9f1k +bL7opOcYNgqBxhKzAFgmMqlnwvM55CsWiPRq5L0/68w8qxWRQl+ECPfpJ1O0ac= =/bg9 -----END PGP SIGNATURE-----