Thanks, that's working now. We will have to find a way of updating http://www.apache.org/dist/shiro/KEYS though, as otherwise users won't be able to reliably check the signature on the releases.
+1 from me on the release. Colm. On Fri, Feb 7, 2020 at 4:31 PM Brian Demers <[email protected]> wrote: > Hey sorry everyone, I should have checked that copy's expiration before > responding to Colm. > > repository.apache.org uses the following key servers: > https://keyserver.ubuntu.com/ > http://pool.sks-keyservers.net/ > (And checks the signatures when a staging repository is closed) > You can grab my key from either of those servers (which was previously > extended and is valid until 2021). > > I attempted to update the old SVN copy of `KEYS` but it looks like it is > read-only (now that we have moved to git). > > TL;DR: I shared the wrong link, use one of the key servers above. > > Sorry for the confusion, > -Brian > > On Fri, Feb 7, 2020 at 9:50 AM Benjamin Marwell <[email protected]> > wrote: > >> Good catch! >> >> Yes, this would change my vote as well to -1 until the key is extended. >> >> Non binding. >> >> >> >> >> On Fri, 7 Feb 2020, 12:18 Colm O hEigeartaigh, <[email protected]> >> wrote: >> >> > Hi Brian, >> > >> > Looks like this is the problem: >> > >> > gpg: assuming signed data in 'shiro-root-1.5.1-source-release.zip' >> > gpg: Signature made Mon 03 Feb 2020 21:02:40 GMT >> > gpg: using DSA key >> 9C1FC83FF3B877CDE53B337C525875B36BFC416A >> > gpg: Good signature from "Brian Demers <[email protected]>" >> [expired] >> > gpg: Note: This key has expired! >> > >> > "sub 4096g/AD11985E 2009-12-10 [expires: 2015-01-03] >> > sig 6BFC416A 2012-01-04 Brian Demers <[email protected] >> >" >> > >> > I think I'll have to -1 the vote as the signing keys have expired... >> > >> > Colm. >> > >> > On Thu, Feb 6, 2020 at 6:32 PM Brian Demers <[email protected]> >> > wrote: >> > >> > > >> > > Which key server are you using? >> > > >> > > My pub key should also be included here: >> > > https://svn.apache.org/repos/asf/shiro/KEYS >> > > >> > > >> > > On Thu, Feb 6, 2020 at 5:34 AM Colm O hEigeartaigh < >> [email protected]> >> > > wrote: >> > > >> > >> Hi Brian, >> > >> >> > >> Just a query on the key you used to sign the release: >> > >> >> > >> >> > >> https://repository.apache.org/content/repositories/orgapacheshiro-1025/org/apache/shiro/shiro-root/1.5.1/shiro-root-1.5.1-source-release.zip.asc >> > >> >> > >> When I try to verify with gpg I get: gpg: Can't check signature: No >> > public >> > >> key >> > >> >> > >> Contrast for example with the signature for 1.5.0: >> > >> >> > >> >> > >> https://repo.maven.apache.org/maven2/org/apache/shiro/shiro-root/1.5.0/shiro-root-1.5.0-source-release.zip.asc >> > >> >> > >> Colm. >> > >> >> > >> On Tue, Feb 4, 2020 at 4:02 PM Les Hazlewood <[email protected]> >> > >> wrote: >> > >> >> > >> > +1 (binding) >> > >> > >> > >> > On Mon, Feb 3, 2020 at 1:37 PM Brian Demers <[email protected]> >> > wrote: >> > >> > >> > >> > > This is a call to vote in favor of releasing Apache Shiro version >> > >> 1.5.1. >> > >> > > >> > >> > > The 3 issues solved for 1.5.1: >> > >> > > >> > >> > > >> > >> > > >> > >> > >> > >> >> > >> https://issues.apache.org/jira/issues/?jql=project%20%3D%20SHIRO%20AND%20fixVersion%20%3D%20%221.5.1%22%20AND%20(status%20!%3D%20Open%20and%20status%20!%3D%20%22In%20Progress%22)%20ORDER%20BY%20priority%20DESC >> > >> > > >> > >> > > The source to be voted upon: >> > >> > > >> https://github.com/apache/shiro/tree/shiro-root-1.5.1-release-vote1 >> > >> > > (8024450868cb5cd0d9a8cc3a481ce17cd77d37f2 >> > >> > > < >> > >> > >> > >> >> > >> https://github.com/apache/shiro/tree/shiro-root-1.5.1-release-vote1(8024450868cb5cd0d9a8cc3a481ce17cd77d37f2 >> > >> > > >> > >> > > ) >> > >> > > >> > >> > > Staging repo for binaries: >> > >> > > >> > >> >> https://repository.apache.org/content/repositories/orgapacheshiro-1025 >> > >> > > >> > >> > > Project website (just for informational purposes, not to be voted >> > >> upon): >> > >> > > http://shiro.apache.org/ >> > >> > > >> > >> > > Guide to testing staged releases: >> > >> > > >> > >> >> http://maven.apache.org/guides/development/guide-testing-releases.html >> > >> > > >> > >> > > Vote open for 72 hours. Please do examine the source and binaries >> > >> before >> > >> > > voting. >> > >> > > >> > >> > > [ ] +1 >> > >> > > [ ] +0 >> > >> > > [ ] -1 (please include reasoning) >> > >> > > >> > >> > >> > >> >> > > >> > >> >
