Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
[jetty-users] Using GPG to securely install Jetty

Hi,

If I download the main Jetty tar.gz (http://download.eclipse.org/jetty/stable-9/dist/), and then the signature file, and then run `gpg --verify` ... it says it's a good signature, but how do I know it wasn't just tampered with and resigned by some random person? How do I know that this is the right key?

gpg: Signature made Fri 05 Sep 2014 03:02:06 PM UTC using DSA key ID D7C58886
gpg: Good signature from "Jesse McConnell (signing key) <jesse.mcconnell@xxxxxxxxx>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 5DE5 33CB 43DA F8BC 3E37  2283 E7AE 839C D7C5 8886

Rob

Back to the top