[jira] [Created] (MYFACES-4401) Download page gpg example needs second parameter

Sebb (Jira) Sun, 16 May 2021 08:46:24 -0700

Sebb created MYFACES-4401:
-----------------------------

             Summary: Download page gpg example needs second parameter
                 Key: MYFACES-4401
                 URL: https://issues.apache.org/jira/browse/MYFACES-4401
             Project: MyFaces Core
          Issue Type: Bug
            Reporter: Sebb



It is important that the file being checked is also specified [1] on the gpg 
command line

For example:

gpg --verify myfaces-core-X.Y.Z-bin.tar.gz.asc myfaces-core-X.Y.Z-bin.tar.gz

and not

gpg --verify myfaces-core-X.Y.Z-bin.tar.gz.asc

If the second paramater is omitted, gpg can report success without actually 
checking the main artifact. This should not happen on correctly constructed ASF 
downloads, as we only provide detached sigs, but we should not be documenting 
bad practise.

[1] https://www.apache.org/info/verification.html#specify_both



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Created] (MYFACES-4401) Download page gpg example needs second parameter

Reply via email to