Ralf Philipp Weinmann
2010-Apr-07 22:28 UTC
[Xen-users] PGP key for signature on xen-4.0.0.tar.gz
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi *, I''ve been wanting to play with the xen-4.0.0 release. Having downloaded the xen-4.0.0 tarball and the corresponding digital signature from [1], I tried to verify the signature of the tarball using GnuPG: - -- snip -- $ gpg --verify xen-4.0.0.tar.gz.sig gpg: Signature made Wed 07 Apr 2010 06:14:55 PM CEST using RSA key ID 57E82BD9 gpg: Can''t check signature: public key not found - -- snap -- I can''t find this key anywhere. Neither on xen.org nor on the xensource.com pages. Nothing on the key servers either. How are Xen users supposed to verify the authenticity of the released sources if the signing key isn''t published anywhere? Here are the SHA-1 checksums of the files I downloaded: SHA1(xen-4.0.0.tar.gz)= bf2430c896aed0deae99b1b8c3fa73e8aaf125ee SHA1(xen-4.0.0.tar.gz.sig)= fb0b20c9a90615b9299af026f25dd48cfe1b11f8 Cheers, Ralf [1] Xen Hypervisor 4.0.0 Download http://www.xen.org/products/xen_source.html -----BEGIN PGP SIGNATURE----- iEYEARECAAYFAku9BvQACgkQFZzr6u/Nmwa+oACePBipKNKHrH6bhyrK3zORvfTi /skAoJPE8gZc152zK5B+L7x1xRYfz8JM =kfaA -----END PGP SIGNATURE----- _______________________________________________ Xen-users mailing list Xen-users@lists.xensource.com http://lists.xensource.com/xen-users
Pasi Kärkkäinen
2010-Apr-08 14:25 UTC
Re: [Xen-users] PGP key for signature on xen-4.0.0.tar.gz
Hello, Added xen-devel to CC.. -- Pasi On Thu, Apr 08, 2010 at 12:28:05AM +0200, Ralf Philipp Weinmann wrote:> Hi *, > > I''ve been wanting to play with the xen-4.0.0 release. Having downloaded the > xen-4.0.0 tarball and the corresponding digital signature from [1], I tried > to verify the signature of the tarball using GnuPG: > > -- snip -- > > $ gpg --verify xen-4.0.0.tar.gz.sig > gpg: Signature made Wed 07 Apr 2010 06:14:55 PM CEST using RSA key ID 57E82BD9 > gpg: Can''t check signature: public key not found > > -- snap -- > > I can''t find this key anywhere. Neither on xen.org nor on the xensource.com > pages. Nothing on the key servers either. How are Xen users supposed to verify > the authenticity of the released sources if the signing key isn''t published > anywhere? > > Here are the SHA-1 checksums of the files I downloaded: > > SHA1(xen-4.0.0.tar.gz)= bf2430c896aed0deae99b1b8c3fa73e8aaf125ee > SHA1(xen-4.0.0.tar.gz.sig)= fb0b20c9a90615b9299af026f25dd48cfe1b11f8 > > Cheers, > Ralf > > [1] Xen Hypervisor 4.0.0 Download > http://www.xen.org/products/xen_source.html > > _______________________________________________ > Xen-users mailing list > Xen-users@lists.xensource.com > http://lists.xensource.com/xen-users_______________________________________________ Xen-users mailing list Xen-users@lists.xensource.com http://lists.xensource.com/xen-users
Keir Fraser
2010-Apr-08 14:51 UTC
Re: [Xen-devel] Re: [Xen-users] PGP key for signature on xen-4.0.0.tar.gz
Hi, The public keys are as follows. This includes the master key, used for signing the sub keys which sign qemu-xen*.git and xen-*.hg releases, respectively. So there should be three public keys in total. Ian Jackson is going to publish these on the xen.org website too. -- Keir -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.10 (GNU/Linux) mQINBEu7OrwBEADCY30oyubuYEDzYZi3JZXIw220fUaQsKeWmS4C1K+G1SYsoPgO U01Z8sHZzycgU7nF/bRx75PP1Pq8xq0SC8i7Y66kGtxQQxBy7nz4gMiD9KCK9H2q ejg9cCuvcirpoHhc0OLurqGUQwWT2fNwAvgCdGRllfNH7L9XwNUcYxKfRFSqobXO Cl7IAQ/5alxXHhm5BEYjkS/QKWA7NCFmLN4UPxri1pf6S6BcsamZC1qmbcw1LK1E JMUE2ujS/VLaYkQDaJnvwW9gciKfgWITOO8V8lfJkIL1RT4iop5bRjrMKUnkpMNm jMWujk00LOyTmBxboNIKXw10lIQKcmlCVM//SR4qzDFgKVkWuI8yo8blrZWYyMQu LVHLUjdffi+eJ3uVRzvmB+nz9eJOahe0o73Zu1yOTf490f0QonxIF7SMdy15ntX/ SEvxBCUa+5CdUYkgpxSW10ulcT7EQmoFiPqKM6PnvenQLzH12mtMyslYbobAEloo ZjRravXqjWRlVtEe7GcCQ1RaIY6zCEcjoZpNVlOdWSumf9ASCTrMnStS4PyjaXoP gRzGumu2Td+okZdBQieFyLPfyYGIe1UY3ZEe9uwPXGJxjbxmbQR4gHCdyvGvAVPV 34rCInvmqUPv6K4BbcIjxBym5S/JmbnHiVOVR5+qIOZdTTaK7Kb8F581VQARAQAB tFBYZW4ub3JnIG1hc3RlciBrZXkgKGNlcnRpZmljYXRpb24gZm9yIGNvZGUgc2ln bmluZyBhbmQgb3RoZXIga2V5cykgPHBncEB4ZW4ub3JnPokCNgQTAQIAIAUCS7s6 vAIbAwYLCQgHAwIEFQIIAwQWAgMBAh4BAheAAAoJELMELbt5utnYi8gP/jcLXn9h y3yA2NExJWLdqxIObB45T5sUnGCfD6pqKxdgul1qoE4GhNKkeTPwT2mqUS57Ijie ovSqzk8iGXIDBtUgTXYyTLFTsbt2ypBsban3vgRPud0W5xhYQSufN7MUjnA7UThk PG+1yjKIPqxt07OeIXakNoLe1IQ/DCjPmcK8Y2Tjtp+/La8qDA8t0LPsbe3FsIz2 S8VZoOSaNa69ipRb2XbH85ZZuBk/q2on3rhYUN7ktilmGPF0YjiE5b/v6vTS7yO6 JlCY/ok9A/v7PStuLIyiMde6IdlxVnZczgvKUW7BsLqT/4f524FBx/uR31A0j9jH nCwNUgF0ud9ERCj2bpXrdxfZteYFSo4hgl0UoxXjJ6FKSzrTUIsx/wqb+N5O6JPZ HAGod/Y9+Pa6UFiVfWWHhV/FSQbDsS3FkSK29yX4SDCtnSe+grW4DZKlB9/MKbLg i0FP+s+zyy00o3yye7SwKEdzaU9aKQJ9/Z5FxOODSz1RV7BNh6EhdWSvg9IIopp8 arTRLNzCnjOEec+Gfa2Jbf91Uu6FfhqalDhDQasMXbTLTtzoA1HpW4h+JIrAgmjN roQ5Ztw//FBhlw4DysMMGvJ3Q7LvQ19z/t55l6ACxm57uNpxI6AeyvO7cvX5E9BB cp2znT4/vUrMbgSukGCjFIuo+BemB3oHNDgXiEYEEBECAAYFAku7SIAACgkQcqIM kQcsO8ezCACdGIM/JwyyosiwbXPkZ7UTrNljWokAni+/DVTalilomIxxDs9cNZQQ OYAtmQENBEu7PVUBCADN/1+JPpAxp3fDk8jZQ3cUKA3W0maOlyI/4+nlDai1gh83 m9CNuGyY5kYLPBIR/sdG2hN5TVxTcE8qPCD9MivJXzOhBAmhQl0eXra0qmBBNu9k v+ZPqtPORPg2Jch1zZL5jOMawIE0xARZPgu21rPKNJo7V+HejWAHh0/LfFxzzI8L Z1LJACUuHEgfDJEi+u2wxDfjVaTO8HluNXm4TUIr16ExTx+61VDIE9qd3ikXkHgj p8xFsH0qG5IfcFDTPx9L2Fyk0utTnuNW014P4R31n32U9OolFm1MyOzWrMwVBoTi 34aEnJRT6Aq/WaRfhjIWWkxhWnUgFbPPjMAkWL9fABEBAAG0WFhlbi5vcmcgWGVu IHRyZWUgY29kZSBzaWduaW5nIChzaWduYXR1cmVzIG9uIHRoZSB4ZW4gaHlwZXJ2 aXNvciBhbmQgdG9vbHMpIDxwZ3BAeGVuLm9yZz6JATYEEwECACAFAku7PVUCGwMG CwkIBwMCBBUCCAMEFgIDAQIeAQIXgAAKCRCD/hTJV+gr2WzLB/407NC1PxqLka5I z+9XjrhDf49du4WDW3g5kzXJSM9DyIbNDo7GuIbupz2ZCri54hwUoEqNzB8GGGM7 oqmghTeCbaEQGT7VaVD7Bo/6oF3koEgb9IClpEziHaagLZSQr6NkICNqguvLUQ5a 2iwMl9RK7fxxsfLgCeOGuEaK4QZkiblrdDYhLi65VqESXnIfxu1TuoAtAi82sZsc Ltx7k32agmJ5zRFILMwIvikoXWVDGZMH37haXeh/PqYLhaiGhrF0CFgRtfhVQovZ HYjexJnvDMc++ZykJ5hLD/ndafbgsyLotuJnt1xlz8PXau3AgyF2b/oquUou8zD5 u+ku+GMniQIcBBABAgAGBQJLu0hUAAoJELMELbt5utnYmP0P/1mYZ/ZBOukSkSte k8/gPk90j6gFoEtnUCQJV3gan4oB+d+7dgJJg2F+l29yu29c3rGVSwqeeasjxRSZ MchG6BJYVeSufxIielTnlrR2pv4W4hoPsAlrEupOjOLk6ibfNncLg4iKAaLXSF0M wD08GngyYVQZyB3cCn+9FpVBSrzqrcrBQTns4k5Cm2//jJyL6cfinDvn3vaJ196X YJBQcjPm/dUoMFsqajQx7r75whSVKVYitLw5dBCvFPFdLpIz2yMDnY4p5FKsmXfM Sdyc6QpNVeXDknEh2jU6gnTUmOBBCG7M6EIe/fnj1moK7RyP1sP/DAjpIUYcnAwd zo0T9AUMfzEB/s+xBFRilsedTtilJh6/bZwSIAChtcPDn8pxCLo4ic/PcqIMX7qE 445ItfMZP+z0QX/I9qroCECbh3WXks/gNo4HgIBVbCErSfdteqEWPkt2wZwpjbzC ONArJWtsuJxiaZMtUrMXr/wYPMFBehNFYvf4pu+FVwGdSZQvKYXcM4qdIts0MOgK 5vb7HYD6iu/ZGfAAKcjQIW6P36uoU+7lZ337Oxy7YCIF+N8typOrWbg72VJsZZ4M 6zJvSL3JmpvlKc06GOEWsnSOCokbTTXHQlKd9JUhA5FLNS5T/d2RHyPxE4uvvUy4 hcudS7OIRuqcs8aSYrz+EabNqp1vmQENBEu7PYwBCACwG7MyFYjCre3TomOabscE q9Q714qFLnU6l6ZSGlDvJnNYaP0CvC8Cm5pJ0BrJxqoF8C1DqYOtF8jB8w4uJnKk R72xh+QNgqlOVcQD9jKmP79WmW+1QX4wmLTHOkQuZbFfWUUaAa99FpVmhyW8GvnR UszeIRqrLzT6OJIFlac1R7IEQdxyVbq2oqU5gqtfM4WGRGCsHpgAIEtxp9g9y8s6 D/eF8xFiv4iUiRx/9ztTrIFvTYhnnQHl8+krdAqKykG+WMQ23Kld4YNSfnznC8IA 7nz90/nvjN9bByAt4JerAAx0yyQy48kwn6qkVobA85yWFUdIcAC0FutIAKm/EwFt ABEBAAG0Tlhlbi5vcmcgcWVtdS14ZW4gY29kZSBzaWduaW5nIChzaWduYXR1cmVz IG9uIHFlbXUteGVuIGFrYSBpb2VtdSkgPHBncEB4ZW4ub3JnPokBNgQTAQIAIAUC S7s9jAIbAwYLCQgHAwIEFQIIAwQWAgMBAh4BAheAAAoJEDbIFxfY27E2F00H/Rju lYG4G7GWyl+O9QWBd63Fr/HRy3p5ODbreDvnk9zx/k/dj2rts2a1F4d7/OlTUHXx JbjR7Nmoj9dWDsaE9g9HRYeUIYbiV+z6l5Njk3APqTGrFqKT76fRRZO6PwLyOHs/ EET33FZsPXua23ZRnlUvihfKsjO4Od7RUAbUmAUNOXOMm0B2mWfmf2/BmYomnQCM 1UmhShODtSBaBnBnhNQTDo/F9T9+Kfz06iirhuGPCgTn1kDuD0EmrxoFwaIbL/QH +Mhtm7+q0rE1ao0GVrcIgwWxrKibL6jwQHt2sQ4fWEH+JoHNC5MtFqb/NIIPEbpk NijqKuZDHMfLE2R3Y26JAhwEEAECAAYFAku7SF0ACgkQswQtu3m62dgZJRAAlX6g 5CaYewCvAFpuDOA+Umm45xLiK4xD21Nm/iojFbHqtIogZvVwmUupFSczJx68bV7H a9DKX/fHLtFaP1f5P+tDCYbdoff9gOpXlJQGhizCS5aT+fGigjjDgVc7erYks4cp rhKr0nOMvoKAE+J/hky6hA2cqfyoPv20Wif1lqaKzQXwL0qo6TsT6/giRB6hOsQO YLS62twRjbquuH+uO3kkuWbNQpHnf7XMzptUjeXnm8mW36LxZX0Lm1B/R9mXPB0q xax3GZMb960BbpOx3e0N+uxVJsGpEndiNifNuXeUakhJPGcIinKGsJZNYgVDUPMO Txf/QEg0zf/CgEJ2VxUl8QeHCbWtbABZMT3yak6FSvo+/Fy/AzMquKC6oFvHleeo MigjXI2eK/rsAk94sfkVneaZfM18tUPq8Ieq8YQfyXuXkouxULJ1D3Kh17QTOMPe ipOUN4DvgWHP538YHoGsdIP4T4ZO8VoV7sxlsf8/GcfQoJNK0aXiz0WeEAf8sCk3 SvXZZOo/dg1wwCybGnRPdDccpDmy/z7D+tMAgqn7e6bDiz3CqQxnfyealpVvV9I1 D9ulM0dCbTB4K+4S8ziKVLGIJ55wHq5VUhQSnWISiKE5NZh/Yt1+BAvuYrTu+pBi GuDcc1dXNLzyR+lb9IV7oL6a2Mm3EbwGisQMRPQ=iNga -----END PGP PUBLIC KEY BLOCK----- On 08/04/2010 15:25, "Pasi Kärkkäinen" <pasik@iki.fi> wrote:> Hello, > > Added xen-devel to CC.. > > -- Pasi > > On Thu, Apr 08, 2010 at 12:28:05AM +0200, Ralf Philipp Weinmann wrote: >> Hi *, >> >> I''ve been wanting to play with the xen-4.0.0 release. Having downloaded the >> xen-4.0.0 tarball and the corresponding digital signature from [1], I tried >> to verify the signature of the tarball using GnuPG: >> >> -- snip -- >> >> $ gpg --verify xen-4.0.0.tar.gz.sig >> gpg: Signature made Wed 07 Apr 2010 06:14:55 PM CEST using RSA key ID >> 57E82BD9 >> gpg: Can''t check signature: public key not found >> >> -- snap -- >> >> I can''t find this key anywhere. Neither on xen.org nor on the xensource.com >> pages. Nothing on the key servers either. How are Xen users supposed to >> verify >> the authenticity of the released sources if the signing key isn''t published >> anywhere? >> >> Here are the SHA-1 checksums of the files I downloaded: >> >> SHA1(xen-4.0.0.tar.gz)= bf2430c896aed0deae99b1b8c3fa73e8aaf125ee >> SHA1(xen-4.0.0.tar.gz.sig)= fb0b20c9a90615b9299af026f25dd48cfe1b11f8 >> >> Cheers, >> Ralf >> >> [1] Xen Hypervisor 4.0.0 Download >> http://www.xen.org/products/xen_source.html >> >> _______________________________________________ >> Xen-users mailing list >> Xen-users@lists.xensource.com >> http://lists.xensource.com/xen-users > > _______________________________________________ > Xen-devel mailing list > Xen-devel@lists.xensource.com > http://lists.xensource.com/xen-devel_______________________________________________ Xen-devel mailing list Xen-devel@lists.xensource.com http://lists.xensource.com/xen-devel