这段旅程令人尴尬地长,这让我觉得我错过了一些明显的东西。我的问题:验证Apache版本是否有更直接的方法?或者更确切地说,我哪里出错了?
我正在尝试按照列出here列出的说明来验证我的Apache Thrift下载。
Mateos-MBP:Thrift.nosync mateo$
gpg --keyserver pgpkeys.mit.edu --recv-key DE885DD3
gpg: key 89AC4BA7DE885DD3: 73 signatures not checked due to missing keys
gpg: key 89AC4BA7DE885DD3: "Sander Striker <striker@apache.org>" not changed
gpg: key 6635B6C0DE885DD3: 10 duplicate signatures removed
gpg: key 6635B6C0DE885DD3: 295 signatures not checked due to missing keys
gpg: key 6635B6C0DE885DD3: "Sander Striker <striker@apache.org>" not changed
gpg: Total number processed: 2
gpg: unchanged: 2
Mateos-MBP:Thrift.nosync mateo$ gpg --verify thrift-0.11.0.tar.gz.asc thrift-0.11.0.tar.gz
gpg: Signature made Sun Dec 3 12:24:40 2017 MST
gpg: using RSA key 8CD87F186F06E958EFCA963D76BD340FC4B75865
gpg: Can't check signature: No public key
Mateos-MBP:Thrift.nosync mateo$
好的,显然Thrift需要一个ID为8CD87F186的公钥.... 不是前锋。 (或者这就是黑客想要我思考的东西)所以我看看pgp.mit.edu(未找到)并再次访问keyserver.php.com(未找到)。然后我在谷歌搜索,将我带到Apache Public Key files。我回到合法网站感觉好多了。我发现我的密钥由'jensg'签名,复制/粘贴到我自己的文本文件中,然后验证文件,尽管有一个不可信的签名。是的,任务完成了。
Mateos-MBP:Thrift.nosync mateo$ gpg --verify thrift-0.11.0.tar.gz.asc thrift-0.11.0.tar.gz
gpg: Signature made Sun Dec 3 12:24:40 2017 MST
gpg: using RSA key 8CD87F186F06E958EFCA963D76BD340FC4B75865
gpg: Good signature from "Jens Geyer <jensgeyer@hotmail.com>" [unknown]
gpg: aka "Jens Geyer <jensg@apache.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8CD8 7F18 6F06 E958 EFCA 963D 76BD 340F C4B7 5865
那么,验证Apache版本是否有更直接的方法?