This is now set up (took 2 tries). Henk says: Now, if some downloader retrieves (from a mirror) a file with
SHA1 = eefbac103d3c6cee6c8b1148797663bbdfcc6c16 then he/she can visit the checker : https://checker.apache.org/dist/verify.html ... paste in the checksum (eefbac103d3c6cee6c8b1148797663bbdfcc6c16) and click 'search'. The result-page shows that the download is an authentic ASF artifact, and the steps in the proof-chain. Cheers. -Marshall On 11/27/2017 11:36 AM, Marshall Schor wrote: > This is just FYI, no action needed :-) > > When we commit to dist.apache.org/repos/dist/release these get copied to the > Apache mirror distribution system (including the base > www.apache.org/dist/uima ) > > Henk Penning runs automatic checking software the insures things are properly > signed. > > He's augmented this recently with more automatation, which, in turn depends > on a > file to be kept in the directory www.apache.org/dist/uima/META - uima.html ( > plus an ".asc" gpg signature). > > Henk said in an email to me: > > I wonder if I can ask you to do a little experiment ... > > -- install https://checker.apache.org/META/uima.html as dist/uima/META > -- create dist/uima/META.asc with your key "cc762ffdcd04cfd6" > > It would enable checker.apache.org to show, for ever uima artifact, > a proof that the artifact is authentic. > > See for example : > > > https://checker.apache.org/sums/5d71c0133401aeb48b6e492c7650d3b3f57b18ee.html > > Hope to hear from you ; any feedback is appreciated. > > Thanks ; regards, > > Henk Penning > > I have done this to aid in his "experiment". The file uima.html and its .asc > are being kept in the uima-website project, in the directory META. The > uima-website project HOWTO file is updated with a bit of info about this, as > well. > > -Marshall > >
