On 7/18/21 11:43 PM, Emmanuel Lécharny wrote:
> My +1.
>
> A few remarks:
> - your GPG key does not seem to be trusted (this is when I use the asc
> file to check the signature). I typically get:
>
> $ gpg --verify
> ~/Downloads/org.apache.directory.studio.parent-2.0.0.v20210717-M17-source-release.zip.asc
> org.apache.directory.studio.parent-2.0.0.v20210717-M17-source-release.zip
> gpg: Signature made Sat Jul 17 19:59:37 2021 CEST
> gpg: using RSA key 63CE676698B26D3A36D77527223BD93328686142
> gpg: Good signature from "Stefan Seelmann (CODE SIGNING KEY)
> <[email protected]>" [unknown]
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the
> owner.
> Primary key fingerprint: 63CE 6766 98B2 6D3A 36D7 7527 223B D933 2868 6142
>
> Not sure that is a big deal.

I never attended a key signing party with that key, so it's not in the web of trust. And you probably also didn't mark my key as trusted (which you shouldn't do). So based on the KEYS file that you imported, only the valid signature can be verified. I think it's perfectly normal and conforms to https://infra.apache.org/release-signing.html.

> - The packages are signed using asc, SHA1 and MD5. The last two are
> deprecated and should be replaced by SHA 256/512

Hm, but SHA1 and MD5 are only used for the artifacts in the Maven repo, right? The packages at https://dist.apache.org/repos/dist/dev/directory/studio/2.0.0.v20210717-M17/ only use SHA 256 and SHA 512. Is there a way now to also use the stronger hash methods with Maven?
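The verification the thread describes, as an added example that is not part of the mailing-list discussion: the "not certified" warning is expected when the signer is not in your web of trust, so a release checker should instead pin the fingerprint published in the project's KEYS file and read gpg's machine-readable `--status-fd` output rather than its human-readable warnings. The `verify_release` and `check_sha512` helpers and their file-name parameters are assumptions for illustration; they require a `gpg` binary on PATH.

```python
import hashlib
import subprocess
import tempfile

# Fingerprint of the release manager's signing key as published in the
# project's KEYS file (the one gpg printed in the thread above).
EXPECTED_FPR = "63CE 6766 98B2 6D3A 36D7 7527 223B D933 2868 6142"

def norm(fpr):
    return fpr.replace(" ", "").upper()

def check_status(status_text, expected_fpr):
    """Evaluate gpg --status-fd output against a pinned fingerprint.

    Returns (ok, reason). Web-of-trust lines such as TRUST_UNDEFINED are
    ignored on purpose: the pinned fingerprint is the trust decision."""
    good = False
    fprs = set()
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        kw = parts[1]
        if kw in ("BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"):
            return False, kw
        if kw == "GOODSIG":
            good = True
        elif kw == "VALIDSIG":
            fprs.add(norm(parts[2]))          # key that made the signature
            if len(parts) > 11:
                fprs.add(norm(parts[11]))     # its primary key, when a subkey signed
    if not good or not fprs:
        return False, "no valid signature"
    if norm(expected_fpr) not in fprs:
        return False, "signed by unexpected key: " + ", ".join(sorted(fprs))
    return True, "good signature from pinned key"

def verify_release(keys_file, sig_file, data_file, expected_fpr=EXPECTED_FPR):
    """Import KEYS into a throwaway keyring, then verify the detached .asc."""
    with tempfile.TemporaryDirectory() as home:
        base = ["gpg", "--batch", "--homedir", home]
        subprocess.run(base + ["--import", keys_file], check=True, capture_output=True)
        out = subprocess.run(base + ["--status-fd", "1", "--verify", sig_file, data_file],
                             capture_output=True, text=True)
        return check_status(out.stdout, expected_fpr)

def check_sha512(data_file, sha512_file):
    """Compare the artifact's SHA-512 with the published .sha512 file."""
    with open(data_file, "rb") as f:
        actual = hashlib.sha512(f.read()).hexdigest()
    with open(sha512_file) as f:
        published = f.read().split()[0].lower()
    return actual == published
```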