Hello David, Thank you for the response..... I think I understand the issue......
The script parses the KEYS file as such: for key in `curl -fsSL 'https://www.apache.org/dist/tomee/KEYS' | awk -F ' = ' '$1 ~ /^ +Key fingerprint$/ { gsub(" ", "", $2); print $2 }' | sort -u`; do \ The key you used that starts with 626C does not have the line "Key fingerprint = 626C..." Your output gave me the fingerprint I needed I added it to the Dockerfile manually and it was found in the key servers. Jean-Louis is in a similar boat. His finger print is there it is missing " Key fingerprint =" in front of it. I am hoping that makes sense. Thanks, Rod. On 9/16/21, 8:48 AM, "David Blevins" <[email protected]> wrote: > On Sep 16, 2021, at 2:00 AM, Jean-Louis Monteiro <[email protected]> wrote: > > Hi all, > > Rod reported that we are missing some keys for signature checking of the > binaries. > David, yours isn't the correct one. So maybe you rotated the key to a new > one. Here's the revision where the key was added: $ svn diff -c 47730 https://dist.apache.org/repos/dist/release/tomee/KEYS Here's a script that can verify 9.0.0-M7 in a temp dir starting with an empty gpg keys file: - https://gist.github.com/dblevins/949096886b293d4aec9af3312c48b4f9 I don't recall what key server I added it to. It was whatever the Nexus install at repository.apache.org required before it would let me close the repo. If Rod has a specific keys server he likes, I'm happy to add my key there as well. I wrote a command in our release tools repo to make it easier for us to add our keys. - https://github.com/apache/tomee-release-tools/blob/master/src/main/java/org/apache/openejb/tools/release/cmd/Dist.java#L230-L248 We can expand that to also add it to a keys server. That's something you have to do to make Nexus happy anyway, so it'd be a very good addition. -David
