Mark, On 9/29/2011 8:09 AM, Mark Thomas wrote: > On 28/09/2011 14:43, Christopher Schultz wrote: >> Mark, > >> On 9/27/2011 5:36 PM, Mark Thomas wrote: >>> The proposed Apache Tomcat 7.0.22 release is now available for >>> voting. >>> >>> It can be obtained from: >>> http://people.apache.org/~markt/dev/tomcat-7/v7.0.22/ The svn tag >>> is: >>> http://svn.apache.org/repos/asf/tomcat/tc7.0.x/tags/TOMCAT_7_0_22/ >>> >>> >>> > The proposed 7.0.21 release is: >>> >>> [ ] Broken - do not release [ ] Beta - go ahead and release as >>> 7.0.22 Beta [X] Stable - go ahead and release as 7.0.22 Stable > >> + MD5 sums match. - GPG verifies with a key that Mark appears to >> use for nothing else, no key signers :( > > Huh? > > $ gpg --verify catalina-jmx-remote.jar.asc catalina-jmx-remote.jar > gpg: Signature made Tue 27 Sep 16:47:07 2011 EDT using RSA key ID 2F6059E7 > gpg: Good signature from "Mark E D Thomas <ma...@apache.org>"
Running --verify wasn't the problem (it verifies). I was talking about other people signing your GPG key. It was also distinct from the other key I had for you (0x33C60243) so I wasn't sure why there were two. Some ASF folks have two, one clearly marked (CODE SIGNING KEY)... it just appears you haven't done the same. Weird... I got no signers when I first obtained your key. Updating the key shows 28 signatures so maybe I was on crack at the time. Or now. > http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x10C01C5A2F6059E7 > > That key is very firmly in the ASF web of trust. > > It is also in the KEYS file. Yup, all is well. -chris
signature.asc
Description: OpenPGP digital signature
