openoffice-dev mailing list archives

From "Dennis E. Hamilton" <>
Subject RE: [TESTING] Applying openoffice-4.1.2-patch1 for Windows
Date Fri, 05 Aug 2016 16:28:15 GMT
For tracking the [TESTING] of the 4.1.2-patch1 binary for Windows, I have created task Issue
<>.  Comment 7 there already speaks
to the untrusted identification situation.

I am adding an abridged version of this message from Carl with the part relevant to certificate
trust.  Note that most of us who have worked on 4.1.2-patch1 and provided digital signatures
will find that identity will be reported as untrusted based on the Web-of-Trust technique
PGP software uses.  We can, of course, verify the fingerprints and Apache account identity
and certify each other.  That will change the status for those of us in this particular circle
but not necessarily for anyone who does not already trust the identification of enough of

I don't think there is any way to get into this in our README files.  However, this is useful
for any future contributions we might make to the page at <>
or anything supplemental that is oriented to the users of Apache OpenOffice and their particular
range of skills.

> -----Original Message-----
> From: Carl Marcum []
> Sent: Friday, August 5, 2016 03:30
> To:
> Subject: Re: [TESTING] Applying openoffice-4.1.2-patch1 for Windows
> On 08/04/2016 06:52 PM, Marcus wrote:
> > Am 08/05/2016 12:26 AM, schrieb Kay Schenk:
> >> On 08/04/2016 02:21 PM, Marcus wrote:
[ ... ]
> >>>>    *
> >>>
> >>> I don't know if this is OK or still bad:
> >>>
> >>> gpg --verify
> >>>
> >>> gpg: Signature made Tue 02 Aug 2016 06:24:08 AM CEST using RSA key
> ID
> >>> D456628A
> >>> gpg: Good signature from " (confirmed identifier)
> >>> <>"
> >>> gpg:                 aka "orcmid (Dennis E.
> Hamilton)<>"
> >>> gpg:                 aka "orcmid Apache (code
> >>> signing)<>"
> >>> gpg:                 aka "Dennis E. Hamilton (orcmid)
> >>> <>"
> >>> gpg: WARNING: This key is not certified with a trusted signature!
> >>> gpg:          There is no indication that the signature belongs to
> the
> >>> owner.
> >>
> >> I get this on sig checks also. There's probably a step we're missing
> to
> >> specify "trust" locally.
> >>
> >> See:
> >>
> >
> Signing Dennis' key locally worked for me.
> On Linux I use:
> gpg --default-key 9553BF9A --sign-key D456628A
> If the key you want to sign it with is already the default key you can
> omit the "--default-key 9553BF9A" part.
> Sometimes you may have to prefix the IDs with "0x" to denote hex.
> If you trust this is Dennis' key you can send his key back with your sig
> now attached and it will have more trust.
> gpg --send-key 0xD456628A
> If a few people do it the warning should go away. Web-of-trust  :)
> Carl

The warning will go away for us who have created a mutual Web-of-Trust but it won't help those
who are not in that circle or have not somehow determined to trust in it themselves.  This
is still useful advice about how to do it.

PS: I don't think the dist-level KEYS file is updated automatically, so the release KEYS set
needs to be refreshed to work.  (We can check that by waiting for a while to see if Carl's
trust of Dennis's key shows up.)
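
The situation in the thread (a good signature from a key the local Web-of-Trust does not vouch for) can be checked against a fingerprint obtained out of band instead. The following is an added example, not part of the thread or of the project's tooling: `classify_status` and `sample_status` are hypothetical names, and the fingerprint and status lines are constructed placeholders, not the real key's values.

```shell
#!/bin/sh
# Classify `gpg --status-fd 1 --verify` output read on stdin.
# $1 = fingerprint of the signing key, verified out of band (spaces allowed).
# Prints BAD, WRONG_KEY, PINNED_OK_WOT_UNTRUSTED or PINNED_OK_WOT_TRUSTED.
classify_status() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v want="$expected" '
        $1 != "[GNUPG:]" { next }            # ignore anything but status lines
        $2 == "GOODSIG"  { good = 1 }        # signature is cryptographically valid
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        # VALIDSIG: field 3 is the signing (sub)key fingerprint, the last
        # field is the primary key fingerprint; accept a match on either.
        $2 == "VALIDSIG" { if (toupper($3) == want || toupper($NF) == want) pinned = 1 }
        # Key validity as computed from the local Web-of-Trust.
        $2 == "TRUST_FULLY" || $2 == "TRUST_ULTIMATE" { wot = 1 }
        END {
            if (bad || !good) print "BAD"
            else if (!pinned) print "WRONG_KEY"
            else if (wot)     print "PINNED_OK_WOT_TRUSTED"
            else              print "PINNED_OK_WOT_UNTRUSTED"
        }'
}

# Constructed status output for a good signature from an uncertified key,
# the case that produces the WARNING quoted in the thread.
sample_status() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEFD456628A Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEFD456628A 2016-08-02 1470111848 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEFD456628A
[GNUPG:] TRUST_UNDEFINED
EOF
}

# Constructed placeholder fingerprint (not the real one for key D456628A).
SAMPLE_FPR="0123 4567 89AB CDEF 0123 4567 89AB CDEF D456 628A"
sample_status | classify_status "$SAMPLE_FPR"

# Real use (file names are placeholders):
#   gpg --status-fd 1 --verify FILE.asc FILE 2>/dev/null | classify_status "$FPR"
```

A `PINNED_OK_WOT_UNTRUSTED` result means the signature is good and was made by the pinned key, which does not depend on anyone having certified that key.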
