It may be that everyone is ignoring Justin, so I thought I would provide
the link;

The names of signature and checksum files *MUST* be formed by adding to the
name of the artifact the following suffixes:

.asc for a (ASCII armored) PGP signature
.sha1 for a SHA-1 checksum
.sha256 for a SHA-256 checksum
.sha512 for a SHA-512 checksum

This is not the case for

I also can't easily find the KEYS file that MUST be published on the website
(typically on the download page, otherwise in the repository root).

You WILL get a friendly correction from someone in Infra, probably Henk
Penning, who is the long-standing (for decades) security/crypto pillar of
the foundation. It is a lot easier to simply change the file name accordingly
before that.

HTH & Cheers

On Wed, Mar 14, 2018 at 5:56 AM, Justin Mclean <>

> Hi,
> The sha files have the wrong extension, I mentioned that some time ago
> here. [1] The extension matters due to how hashes and the mirror system
> interact.
> They can be easily renamed to be correct (i.e. ending in .sha512 not
> .SHA-512) and there’s no need to revote/make another RC due to this.
> Thanks,
> Justin
> 1.

