[
https://issues.apache.org/jira/browse/MYFACES-4401?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17346258#comment-17346258
]
Volodymyr Siedlecki commented on MYFACES-4401:
----------------------------------------------
[https://github.com/apache/myfaces-homepage/pull/31]
I'm not sure about pgp command. Let me see if I need to update that as well
before merging.
> Download page gpg example needs second parameter
> ------------------------------------------------
>
> Key: MYFACES-4401
> URL: https://issues.apache.org/jira/browse/MYFACES-4401
> Project: MyFaces Core
> Issue Type: Bug
> Reporter: Sebb
> Priority: Major
>
> It is important that the file being checked is also specified [1] on the gpg
> command line
> For example:
> gpg --verify myfaces-core-X.Y.Z-bin.tar.gz.asc myfaces-core-X.Y.Z-bin.tar.gz
> and not
> gpg --verify myfaces-core-X.Y.Z-bin.tar.gz.asc
> If the second paramater is omitted, gpg can report success without actually
> checking the main artifact. This should not happen on correctly constructed
> ASF downloads, as we only provide detached sigs, but we should not be
> documenting bad practise.
> [1] https://www.apache.org/info/verification.html#specify_both
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
