[
https://issues.apache.org/jira/browse/TOBAGO-1834?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16289469#comment-16289469
]
Sebb commented on TOBAGO-1834:
------------------------------
Yes, GPG works. But it's fragile.
If the sig file includes the data (i.e. the sig is not detached), GPG will
validate just the sig file, and will ignore the archive file.
In that case, GPG will not show the warning message and to most people it will
look as though the archive file has been verified.
See the URL cited earlier.
It's an unlikely scenario, but we should not be publishing incorrect
instructions.
> Please use HTTPS for the KEYS link
> ----------------------------------
>
> Key: TOBAGO-1834
> URL: https://issues.apache.org/jira/browse/TOBAGO-1834
> Project: MyFaces Tobago
> Issue Type: Bug
> Environment: http://myfaces.apache.org/tobago/download.html
> Reporter: Sebb
> Assignee: Udo Schnurpfeil
> Priority: Minor
>
> As the subject says.
> The download page already uses https for hashes and sigs; it needs to also do
> so for the KEYS file please.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
