It may be that everyone is ignoring Justin, so I thought I would provide the link; http://www.apache.org/dev/release-distribution.html#sigs-and-sums
<quote> The names of signature and checksum files *MUST* be formed by adding to the name of the artifact the following suffixes: .asc for a (ASCII armored) PGP signature .sha1 for a SHA-1 checksum .sha256 for a SHA-256 checksum .sha512 for a SHA-512 checksum </quote> This is not the case for https://dist.apache.org/repos/ dist/dev/royale/0.9.2/rc2 <https://dist.apache.org/repos/dist/dev/royale/0.9.2/rc2/apache-royale-0.9.2-src.zip> I also can't easily find the KEYS file that MUST be published on website (typically on download page, otherwise in repository root). You WILL get a friendly correction from someone in Infra, probably Henk Penning, who is the long standing (for decades) security/crypto pillar of the foundation. It is a lot easier to simply change the file name according before that. HTH & Cheers Niclas On Wed, Mar 14, 2018 at 5:56 AM, Justin Mclean <jus...@classsoftware.com> wrote: > Hi, > > The sha files have the wrong extension, I mentioned that some time ago > here. [1] The extension maters due to how hashes and the mirror system > interact. > > They can be easily renamed to be correct (i.e.ending in .sha512 not > .SHA-512) and there’s no need to revote/make another RC due to this. > > Thanks, > Justin > > 1. https://lists.apache.org/thread.html/dbe6370c0a088be60b2f28ac05819c > 89e4cc5b688ecbe82fc00fe73c@%3Cdev.royale.apache.org%3E -- Niclas Hedhman, Software Developer http://polygene.apache.org - New Energy for Java