From: Markus Armbruster <armbru@redhat.com>
To: Anthony Liguori <aliguori@amazon.com>
Cc: Michael Roth <mdroth@linux.vnet.ibm.com>,
Stefan Hajnoczi <stefanha@gmail.com>,
Alex Davis <alex14641@yahoo.com>,
qemu-devel@nongnu.org, kvm@vger.kernel.org
Subject: Re: [Qemu-devel] Who signed gemu-1.7.1.tar.bz2?
Date: Wed, 23 Apr 2014 16:24:12 +0200 [thread overview]
Message-ID: <87tx9kjf8z.fsf@blackfin.pond.sub.org> (raw)
In-Reply-To: <5357C36E.1020406@amazon.com> (Anthony Liguori's message of "Wed, 23 Apr 2014 06:43:10 -0700")
Anthony Liguori <aliguori@amazon.com> writes:
> On 04/22/14 07:35, Michael Roth wrote:
>> Quoting Stefan Hajnoczi (2014-04-22 08:31:08)
>>> On Wed, Apr 02, 2014 at 05:40:23PM -0700, Alex Davis wrote:
>>>> and where is their gpg key?
>>>
>>> Michael Roth <mdroth@linux.vnet.ibm.com> is doing releases:
>>>
>>> http://pgp.mit.edu/pks/lookup?op=vindex&search=0x3353C9CEF108B584
>>>
>>>
>>>
> $ gpg --verify qemu-2.0.0.tar.bz2.sig
>>> gpg: Signature made Thu 17 Apr 2014 03:49:55 PM CEST using RSA
>>> key ID F108B584 gpg: Good signature from "Michael Roth
>>> <flukshun@gmail.com>" gpg: aka "Michael Roth
>>> <mdroth@utexas.edu>" gpg: aka "Michael Roth
>>> <mdroth@linux.vnet.ibm.com>"
>>
>> Missed the context, but if this is specifically about 1.7.1:
>>
>> 1.7.1 was prior to me handling the release tarballs, Anthony
>> actually did the signing and uploading for that one. I'm a bit
>> confused though, as the key ID on that tarball is:
>>
>> mdroth@loki:~/Downloads$ gpg --verify qemu-1.7.1.tar.bz2.sig gpg:
>> Signature made Tue 25 Mar 2014 09:03:24 AM CDT using RSA key ID
>> ADF0D2D9 gpg: Can't check signature: public key not found
>>
>> I can't seem to locate ADF0D2D9 though:
>>
>> http://pgp.mit.edu/pks/lookup?search=0xADF0D2D9&op=vindex
>>
>> Anthony's normal key (for 1.6.0 and 1.7.0 at least) was 7C18C076:
>>
>> http://pgp.mit.edu/pks/lookup?search=0x7C18C076&op=vindex
>>
>> I think maybe Anthony might've signed it with a separate local
>> key?
>
> Yeah, I accidentally signed it with the wrong key. Replacing the
> signature doesn't seem like the right thing to do since release
> artifacts should never change.
You could still publish the key, with some suitable signatures.
prev parent reply other threads:[~2014-04-23 14:24 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-04-03 0:40 Who signed gemu-1.7.1.tar.bz2? Alex Davis
2014-04-22 13:31 ` Stefan Hajnoczi
2014-04-22 14:10 ` [Qemu-devel] " Peter Maydell
2014-04-22 14:35 ` Michael Roth
2014-04-23 12:02 ` Stefan Hajnoczi
2014-04-23 13:43 ` Anthony Liguori
2014-04-23 14:24 ` Markus Armbruster [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87tx9kjf8z.fsf@blackfin.pond.sub.org \
--to=armbru@redhat.com \
--cc=alex14641@yahoo.com \
--cc=aliguori@amazon.com \
--cc=kvm@vger.kernel.org \
--cc=mdroth@linux.vnet.ibm.com \
--cc=qemu-devel@nongnu.org \
--cc=stefanha@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox