[ https://issues.apache.org/jira/browse/SLING-10775?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Dan Klco updated SLING-10775:
-----------------------------
Description:
The PGPSignatureValidator in the committer CLI downloads the keys from
[https://people.apache.org/keys/group/sling.asc], see:
[https://github.com/apache/sling-org-apache-sling-committer-cli/blob/998b654a1682cc1460d206dc4f40514995ad621e/src/main/java/org/apache/sling/cli/impl/pgp/PGPSignatureValidator.java#L97]
This is not recommended as per [https://people.apache.org/keys/] and it is
currently broken as this URL returns a 404.
Relevant logs:
{{docker run -e ASF_USERNAME -e ASF_PASSWORD apache/sling-cli release verify -r 2520}}
{{ bundle sling-cli:1.0.0.20210901125806280 (24)[org.apache.sling.cli.impl.pgp.PGPSignatureValidator(12)] : The readKeyRing method has thrown an exception}}
{{ java.lang.IllegalStateException: Sling keys file from /tmp/sling-keys.asc does not contain any keys.}}
{{ at org.apache.sling.cli.impl.pgp.PGPSignatureValidator.readKeyRing(PGPSignatureValidator.java:126)}}
{{ at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)}}
{{ at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)}}
{{ at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)}}
{{ at java.base/java.lang.reflect.Method.invoke(Unknown Source)}}
was:
The PGPSignatureValidator in the committer CLI downloads the keys from
https://people.apache.org/keys/group/sling.asc, see:
https://github.com/apache/sling-org-apache-sling-committer-cli/blob/998b654a1682cc1460d206dc4f40514995ad621e/src/main/java/org/apache/sling/cli/impl/pgp/PGPSignatureValidator.java#L97
This is not recommended as per https://people.apache.org/keys/ and it is
currently broken as this URL returns a 404.
> Committers CLI Uses Missing people.apache.org Keys File
> -------------------------------------------------------
>
> Key: SLING-10775
> URL: https://issues.apache.org/jira/browse/SLING-10775
> Project: Sling
> Issue Type: Bug
> Components: Tooling
> Affects Versions: Committer CLI 1.0.0
> Reporter: Dan Klco
> Priority: Critical
>
> The PGPSignatureValidator in the committer CLI downloads the keys from
> [https://people.apache.org/keys/group/sling.asc], see:
>
> [https://github.com/apache/sling-org-apache-sling-committer-cli/blob/998b654a1682cc1460d206dc4f40514995ad621e/src/main/java/org/apache/sling/cli/impl/pgp/PGPSignatureValidator.java#L97]
> This is not recommended as per [https://people.apache.org/keys/] and it is
> currently broken as this URL returns a 404.
> Relevant logs:
> {{docker run -e ASF_USERNAME -e ASF_PASSWORD apache/sling-cli release verify -r 2520}}
> {{ bundle sling-cli:1.0.0.20210901125806280 (24)[org.apache.sling.cli.impl.pgp.PGPSignatureValidator(12)] : The readKeyRing method has thrown an exception}}
> {{ java.lang.IllegalStateException: Sling keys file from /tmp/sling-keys.asc does not contain any keys.}}
> {{ at org.apache.sling.cli.impl.pgp.PGPSignatureValidator.readKeyRing(PGPSignatureValidator.java:126)}}
> {{ at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)}}
> {{ at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)}}
> {{ at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)}}
> {{ at java.base/java.lang.reflect.Method.invoke(Unknown Source)}}