[
https://issues.apache.org/jira/browse/SLING-8029?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16655246#comment-16655246
]
Konrad Windszus commented on SLING-8029:
----------------------------------------
I think the only trustworthy source for public keys is
[https://people.apache.org/keys/group/sling.asc], as that is filled from public
keys entered via [https://id.apache.org] (protected with
ASF login).
[~henzlerg] Is it possible to only consider those public keys as source?
> Improve check_staged_release.sh to automatically receive the relevant gpg key
> -----------------------------------------------------------------------------
>
> Key: SLING-8029
> URL: https://issues.apache.org/jira/browse/SLING-8029
> Project: Sling
> Issue Type: Task
> Reporter: Georg Henzler
> Assignee: Georg Henzler
> Priority: Major
> Time Spent: 1.5h
> Remaining Estimate: 0h
>
> When trying to validate the recent release for "Apache Sling Form Based
> Authentication Handler 1.0.12, Apache Sling Starter Content 1.0.2", I
> encountered the following problem:
> {code}
> $ sh check_staged_release.sh 1995 /tmp/sling-staging
> ################################################################################
> DOWNLOAD STAGED REPOSITORY
>
> ################################################################################
> 2018-10-16 15:22:42
> URL:https://repository.apache.org/content/repositories/orgapachesling-1995/org/apache/sling/
> [1711] -> "/tmp/sling-staging/1995/org/apache/sling/index.html.tmp" [1]
> 2018-10-16 15:22:44
> URL:https://repository.apache.org/content/repositories/orgapachesling-1995/org/apache/sling/org.apache.sling.auth.form/
> [2554] ->
> "/tmp/sling-staging/1995/org/apache/sling/org.apache.sling.auth.form/index.html.tmp"
> [1]
> 2018-10-16 15:22:45
> URL:https://repository.apache.org/content/repositories/orgapachesling-1995/org/apache/sling/org.apache.sling.starter.content/
> [2588] ->
> "/tmp/sling-staging/1995/org/apache/sling/org.apache.sling.starter.content/index.html.tmp"
> [1]
> .....
> .....
> FINISHED --2018-10-16 15:23:34--
> Total wall clock time: 52s
> Downloaded: 47 files, 579K in 0.5s (1.25 MB/s)
> ################################################################################
> CHECK SIGNATURES AND DIGESTS
>
> ################################################################################
> /tmp/sling-staging/1995/org/apache/sling/org.apache.sling.auth.form/maven-metadata.xml
> gpg: ----
> md5 : GOOD (f165e0092858ee6f6b2301e0d17b1bf3)
> sha1 : GOOD (2625d5c75b4b4efd0c43258a6c0dfeef3049d6f1)
> /tmp/sling-staging/1995/org/apache/sling/org.apache.sling.auth.form/1.0.12/org.apache.sling.auth.form-1.0.12.jar
> gpg: BAD!!!!!!!!
> md5 : GOOD (101ab3cee4ba891e9c6441e55a1166a0)
> sha1 : GOOD (e1e9a32459688ff2e5d9fb6effc561eba708334d)
> /tmp/sling-staging/1995/org/apache/sling/org.apache.sling.auth.form/1.0.12/org.apache.sling.auth.form-1.0.12-sources.jar
> gpg: BAD!!!!!!!!
> md5 : GOOD (b8c81df2190741f3b0af50db369fa397)
> sha1 : GOOD (6cd5ca4fb9ca64dd363846513502716d7aa8f0ae)
> /tmp/sling-staging/1995/org/apache/sling/org.apache.sling.auth.form/1.0.12/org.apache.sling.auth.form-1.0.12-javadoc.jar
> .....
> .....
> ################################################################################
> {code}
> Taking out the piping to /dev/null in {{gpg --verify $f.asc 2>/dev/null}} I
> got the root cause:
> {code}
> md5 : GOOD (21db726f5e7241cf619ca1ccb2105ab8)
> sha1 : GOOD (003bedc98bde6c4673241413c8cbe4e910364be3)
> /tmp/sling-staging/1995/org/apache/sling/org.apache.sling.auth.form/1.0.12/org.apache.sling.auth.form-1.0.12.pom
> gpg: assuming signed data in
> '/tmp/sling-staging/1995/org/apache/sling/org.apache.sling.auth.form/1.0.12/org.apache.sling.auth.form-1.0.12.pom'
> gpg: Signature made Tue Oct 16 08:57:50 2018 EDT
> gpg: using RSA key 0A665C4670B478BF12235CCD339508654F63EC54
> gpg: Can't check signature: No public key
> gpg: BAD!!!!!!!!
> {code}
> Now the key can be imported using {{gpg --keyserver pool.sks-keyservers.net
> --recv-keys <key>}}. This should happen automatically.
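An added example, not part of the original message or of check_staged_release.sh: one way to verify against keys imported only from a local copy of the sling.asc file named in the comment, and to report a missing key separately from a bad signature instead of printing BAD for both. The function names and the sample status lines are constructed for illustration; the gpg options and status keywords are standard GnuPG.

```shell
#!/bin/sh
# Added example; the function names are hypothetical and not taken from
# check_staged_release.sh.

# Import only the project's published keys into a throwaway GnuPG home, so the
# user's own keyring and public keyservers are never consulted.
# $1 = local copy of https://people.apache.org/keys/group/sling.asc
make_trusted_home() (
    home=$(mktemp -d) || exit 1
    gpg --batch --quiet --homedir "$home" --import "$1" >/dev/null 2>&1 || exit 1
    printf '%s\n' "$home"
)

# Reduce `gpg --status-fd 1 --verify` output read from stdin to one verdict:
#   GOOD <fingerprint> | NO_PUBKEY <keyid> | BAD <keyid> | REJECTED <why> | ERROR
classify_gpg_status() (
    good=0 fpr='' fail=''
    while read -r tag keyword arg rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case $keyword in
            GOODSIG)   good=1 ;;
            VALIDSIG)  fpr=$arg ;;
            NO_PUBKEY) fail=${fail:-"NO_PUBKEY $arg"} ;;
            BADSIG)    fail=${fail:-"BAD $arg"} ;;
            EXPSIG|EXPKEYSIG|REVKEYSIG) fail=${fail:-"REJECTED $keyword"} ;;
        esac
    done
    if [ -n "$fail" ]; then printf '%s\n' "$fail"
    elif [ "$good" = 1 ] && [ -n "$fpr" ]; then printf 'GOOD %s\n' "$fpr"
    else printf 'ERROR\n'
    fi
)

# $1 = GnuPG home from make_trusted_home, $2 = artifact (signature in "$2.asc")
check_signature() {
    gpg --batch --homedir "$1" --status-fd 1 --verify "$2.asc" "$2" 2>/dev/null |
        classify_gpg_status
}

# Constructed status lines for the "No public key" case in the report above.
sample_no_pubkey() {
    printf '%s\n' '[GNUPG:] NEWSIG' \
        '[GNUPG:] ERRSIG 339508654F63EC54 1 8 00 1539694670 9 -' \
        '[GNUPG:] NO_PUBKEY 339508654F63EC54'
}
```

A NO_PUBKEY verdict from check_signature means the signing key is absent from the imported sling.asc set, which is a different finding from a signature that fails to verify.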