[ https://issues.apache.org/jira/browse/SLING-9173?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17415401#comment-17415401 ]
Bertrand Delacretaz edited comment on SLING-9173 at 9/15/21, 9:28 AM:
----------------------------------------------------------------------
Not sure if that's what you are asking, but the following works for me: first
failing, then importing a key from that KEYS file and then succeeding.
The {{--no-default-keyring --keyring /tmp/kr}} options are meant to ignore my
default keyring for this example; you usually do not need them.
The "not certified with a trusted signature" bit means we don't know whether
that key actually belongs to Justin, which is the case for all keys which do
not have a web of trust connection to the key of the current user. But GPG did
verify that the signature matches the jar file.
{code:java}
$ wget https://dist.apache.org/repos/dist/release/sling/adapter-annotations-1.0.0-javadoc.jar
$ wget https://dist.apache.org/repos/dist/release/sling/adapter-annotations-1.0.0-javadoc.jar.asc
$ gpg --no-default-keyring --keyring /tmp/kr --verify adapter-annotations-1.0.0-javadoc.jar.asc
gpg: assuming signed data in 'adapter-annotations-1.0.0-javadoc.jar'
gpg: Signature made Thu Jan 12 17:53:23 2012 CET
gpg: using DSA key 87DBF05A134B145C
gpg: Can't check signature: No public key
$ curl -s https://downloads.apache.org/sling/KEYS | gpg --no-default-keyring --keyring /tmp/kr --import
...
gpg: Total number processed: 38
gpg: imported: 38
$ gpg --no-default-keyring --keyring /tmp/kr --verify adapter-annotations-1.0.0-javadoc.jar.asc
gpg: assuming signed data in 'adapter-annotations-1.0.0-javadoc.jar'
gpg: Signature made Thu Jan 12 17:53:23 2012 CET
gpg: using DSA key 87DBF05A134B145C
gpg: Good signature from "Justin Edelson (CODE SIGNING KEY) <[email protected]>" [unknown]
gpg: aka "Justin Edelson <[email protected]>" [unknown]
gpg: aka "Justin Edelson <[email protected]>" [unknown]
gpg: aka "Justin Edelson <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: A04B C4AD 3639 6AD5 A52C 8FE1 87DB F05A 134B 145C
{code}
> Add KEYS file to https://dist.apache.org/repos/dist/release/sling
> -----------------------------------------------------------------
>
> Key: SLING-9173
> URL: https://issues.apache.org/jira/browse/SLING-9173
> Project: Sling
> Issue Type: Bug
> Components: General
> Reporter: Konrad Windszus
> Assignee: Konrad Windszus
> Priority: Major
>
> The link at https://sling.apache.org/downloads.cgi to
> https://www.apache.org/dist/sling/KEYS is broken, because the KEYS file has
> been removed in 2013 from the dist directory.
> The file needs to be reestablished and
> https://sling.apache.org/documentation/development/release-management.html#appendix-a-create-and-add-your-key-to-peopleapacheorg
> needs to be updated.
> Compare with the discussion at
> https://lists.apache.org/thread.html/ra6807cd9c8d7921f4441f621b43c92aa90cb0380b0190e0da1461939%40%3Cdev.sling.apache.org%3E
> It is not allowed to instead just reference the file from
> https://people.apache.org/keys/group/sling.asc, for a reasoning look at
> https://people.apache.org/keys/
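The distinction made in the comment above (a good signature from a key whose ownership gpg cannot vouch for) can be enforced in a script by pinning the primary key fingerprint and reading gpg's machine-readable `--status-fd` output rather than its human-readable text. This is an added example, not part of the original comment or of the Sling project: the function names and the embedded status lines are constructed for illustration, and the pinned fingerprint is the one printed in the gpg output above.

```shell
#!/bin/sh
# Primary key fingerprint from the gpg output above, spaces removed. Pinning is
# only meaningful if this value was confirmed over a channel you already trust.
PINNED_FPR="A04BC4AD36396AD5A52C8FE187DBF05A134B145C"

# check_status WANT_FPR: reads `gpg --status-fd 1 --verify` output on stdin,
# prints one verdict, and returns 0 only for a valid signature whose primary
# key fingerprint equals WANT_FPR.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "VALIDSIG" { valid = 1; primary = (NF >= 12 ? $12 : $3) }
        $2 == "BADSIG"   { bad = 1 }
        $2 == "NO_PUBKEY" { nokey = 1 }
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { stale = 1 }
        END {
            if (bad)    { print "BAD_SIGNATURE"; exit 2 }
            if (stale)  { print "KEY_EXPIRED_OR_REVOKED"; exit 2 }
            if (!valid) { print (nokey ? "NO_PUBLIC_KEY" : "NO_VALID_SIGNATURE"); exit 2 }
            if (toupper(primary) != toupper(want)) { print "UNEXPECTED_KEY " primary; exit 3 }
            print "OK " primary
        }'
}

# Wrapper for real use (needs gpg); the keyring path is the one from the comment.
verify_release() {  # usage: verify_release FILE.asc FILE
    gpg --no-default-keyring --keyring /tmp/kr --status-fd 1 --verify "$1" "$2" \
        2>/dev/null | check_status "$PINNED_FPR"
}

# Constructed sample status output (not captured from a real run), mirroring
# the two verification attempts shown in the comment.
SAMPLE_BEFORE_IMPORT='[GNUPG:] ERRSIG 87DBF05A134B145C 17 2 00 1326387203 9
[GNUPG:] NO_PUBKEY 87DBF05A134B145C'
SAMPLE_AFTER_IMPORT='[GNUPG:] GOODSIG 87DBF05A134B145C Justin Edelson (CODE SIGNING KEY)
[GNUPG:] VALIDSIG A04BC4AD36396AD5A52C8FE187DBF05A134B145C 2012-01-12 1326387203 0 4 0 17 2 00 A04BC4AD36396AD5A52C8FE187DBF05A134B145C
[GNUPG:] TRUST_UNDEFINED 0 pgp'

printf '%s\n' "$SAMPLE_BEFORE_IMPORT" | check_status "$PINNED_FPR" || true
printf '%s\n' "$SAMPLE_AFTER_IMPORT"  | check_status "$PINNED_FPR"
```

The `TRUST_UNDEFINED` line is the status-output counterpart of the "[unknown]" and "not certified with a trusted signature" messages; the check ignores it on purpose and relies on the fingerprint comparison instead.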