Hi Wendy,

Thanks for the note.

On Jan 27, 2010, at 9:50 AM, Wendy Smoak wrote:
> The message below was posted on the Maven Users list. I confirmed
> that the checksum from [1] doesn't match, and then tried to verify the
> gpg signature:
>
> imbrium:Downloads wsmoak$ gpg -v xbean-finder-shaded-3.6.jar.asc
> gpg: armor header: Version: GnuPG v1.4.7 (Darwin)
> gpg: assuming signed data in `xbean-finder-shaded-3.6.jar'
> gpg: Signature made Fri Sep 11 14:26:53 2009 MST using DSA key ID 56F3E01B
> gpg: Can't check signature: public key not found
>
> I have imported http://www.apache.org/dist/geronimo/KEYS and I also
> searched http://pgp.mit.edu/ without finding it.
>
> Can the owner of 56F3E01B / release manager for 3.6 please update the
> KEYS file, or let me know where to find it?

The signature verifies as signed by David Jencks. And I see his key id in our KEYS file. Can you please re-verify?

I do see an error in the MD5 checksum. Pretty sure this occurred because maven 2.2 was used to perform the release -- we ran into this problem with another release (where we detected the problem). Seems we missed the problem in this xbean release.

--kevan
