[ https://issues.apache.org/jira/browse/MYFACES-4401?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17347590#comment-17347590 ]

Sebb commented on MYFACES-4401:
-------------------------------

Why not link to 
https://www.apache.org/info/verification.html#CheckingSignatures for details on 
how to check sigs?

> Download page gpg example needs second parameter
> ------------------------------------------------
>
>                 Key: MYFACES-4401
>                 URL: https://issues.apache.org/jira/browse/MYFACES-4401
>             Project: MyFaces Core
>          Issue Type: Bug
>            Reporter: Sebb
>            Priority: Major
>
> It is important that the file being checked is also specified [1] on the gpg 
> command line.
> For example:
> gpg --verify myfaces-core-X.Y.Z-bin.tar.gz.asc myfaces-core-X.Y.Z-bin.tar.gz
> and not
> gpg --verify myfaces-core-X.Y.Z-bin.tar.gz.asc
> If the second parameter is omitted, gpg can report success without actually 
> checking the main artifact. This should not happen on correctly constructed 
> ASF downloads, as we only provide detached sigs, but we should not be 
> documenting bad practice.
> [1] https://www.apache.org/info/verification.html#specify_both



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
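
An added example, not part of the original issue or of the MyFaces or ASF documentation: a Python check that a `.asc` file contains only OpenPGP signature packets, i.e. that it is the detached signature the issue says ASF downloads should always ship. The function names and the sample inputs are constructed for illustration, and a `True` result only describes the file's shape; the signature is still verified by running `gpg --verify` with both files named.

```python
import base64
SIGNATURE = 2  # OpenPGP packet tag for a signature packet (RFC 4880, section 4.3)

def dearmor(text):  # raw packet bytes of the first ASCII-armored block
    lines = [l.strip() for l in text.strip().splitlines()]
    start = next(i for i, l in enumerate(lines) if l.startswith("-----BEGIN PGP"))
    end = next(i for i, l in enumerate(lines) if l.startswith("-----END PGP"))
    body = lines[start + 1:end]
    if "" in body:  # armor headers end at the first blank line
        body = body[body.index("") + 1:]
    # validate=True also rejects clearsigned files, whose text would land in body
    return base64.b64decode("".join(l for l in body if not l.startswith("=")), validate=True)

def packet_tags(data):  # tag of every packet; raises if the stream is malformed
    tags, i = [], 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:  # new-format header: tag in the low 6 bits
            tag, o = hdr & 0x3F, data[i]
            if o < 192:
                length, i = o, i + 1
            elif o < 224:
                length, i = ((o - 192) << 8) + data[i + 1] + 192, i + 2
            else:  # 4-octet or partial lengths: not expected for a signature
                raise ValueError("unsupported length encoding")
        else:  # old-format header: tag in bits 5-2, length type in bits 1-0
            tag, n = (hdr >> 2) & 0x0F, 1 << (hdr & 3)
            if n == 8:
                raise ValueError("indeterminate length: not a signature")
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        tags.append(tag)
        i += length
    if i != len(data):
        raise ValueError("truncated packet")
    return tags

def is_detached_signature(asc_text):  # fail closed on anything unparseable
    try:
        tags = packet_tags(dearmor(asc_text))
    except (ValueError, IndexError, StopIteration):
        return False
    return bool(tags) and all(t == SIGNATURE for t in tags)

def armor(kind, raw):  # helper that builds the constructed samples below
    return f"-----BEGIN PGP {kind}-----\n\n{base64.b64encode(raw).decode()}\n-----END PGP {kind}-----\n"
# Constructed samples: valid packet headers, dummy bodies (not real signatures).
DETACHED = armor("SIGNATURE", bytes([0x88, 4, 0, 0, 0, 0]))  # one signature packet
INLINE = armor("MESSAGE", bytes([0xC4, 2, 0, 0, 0xCB, 3, 0x62, 0, 0x41, 0xC2, 1, 0]))
```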
