Hi Gary,
My Xalan code signing key, is available within the file
https://github.com/apache/xalan-java/blob/xalan-j_2_7_1_maint/KEYS.
And the following command, works for me,
gpg --verify xalan-j_2_7_3-src.zip.asc xalan-j_2_7_3-src.zip
gpg: Signature made 16-10-2022 06:49:16 India Standard Time
gpg: using RSA key 4D8FB572FB6ADCFD69CBFE0D7B2586A6B5E25C3D
gpg: Good signature from "Mukul Gandhi (CODE SIGNING KEY)
<muk...@apache.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 4D8F B572 FB6A DCFD 69CB FE0D 7B25 86A6 B5E2 5C3D
I hope that, you could use the above steps, to verify the provided
.asc files on XalanJ 2.7.3 RC5 distribution files. Please let us know,
whether this works or not.
If you wish, we could release, the new XalanJ 2.7.3 RC, that shall use
BCEL 6.6.1 whenever its released.
On Sat, Oct 29, 2022 at 9:47 PM Gary Gregory <garydgreg...@gmail.com> wrote:
>
> FYI: I'm also in the process to release BCEL 6.6.1 to fix a regression.
>
> Gary
>
> On Sat, Oct 29, 2022 at 10:40 AM Gary D. Gregory <ggreg...@apache.org> wrote:
> >
> > I cannot validate the ASC file, this must be fixed:
> >
> > gpg --verify xalan-j_2_7_3-src.zip.asc
> > gpg: assuming signed data in 'xalan-j_2_7_3-src.zip'
> > gpg: Signature made 15-Oct-22 09:19:16 PM Eastern Daylight Time
> > gpg: using RSA key 4D8FB572FB6ADCFD69CBFE0D7B2586A6B5E25C3D
> > gpg: Can't check signature: No public key
> >
> > When I look in the Xalan KEYS file, I do not see any entries that look like
> > you:
> >
> > gpg --import KEYS-xalan.txt
> > gpg: key 32EC175930A21D55: 9 signatures not checked due to missing keys
> > gpg: key 32EC175930A21D55: public key "Shane Curcuru <curc...@apache.org>"
> > imported
> > gpg: key 19B9C18B6442C3DC: public key "Lotusxsl Team
> > <lotusxsl_t...@lotus.com>" imported
> > gpg: key 4243DB39C1A25EE6: public key "Scott Boag <scott_b...@lotus.com>"
> > imported
> > gpg: key DECE22B6C1C57D2F: public key "Myriam Midy <myriam_m...@lotus.com>"
> > imported
> > gpg: key B2CDEDACBEE860DE: public key "Joseph Kesselman
> > <joseph_kessel...@lotus.com>" imported
> > gpg: key 4CD3752B1AFFC3FE: public key "Joseph Kesselman
> > <jkess...@apache.org>" imported
> > gpg: key 9586DDC11AAC221B: public key "Joseph Kesselman
> > <joseph_kessel...@lotus.com>" imported
> > gpg: key 0CBFC7805040E0E4: public key "Sarah McNamara
> > <mcnam...@ca.ibm.com>" imported
> > gpg: Note: third-party key signatures using the SHA1 algorithm are rejected
> > gpg: (use option "--allow-weak-key-signatures" to override)
> > gpg: key 0687164E5E14E1D2: 2 bad signatures
> > gpg: key 0687164E5E14E1D2: public key "Ilene Seelemann <il...@ca.ibm.com>"
> > imported
> > gpg: key AB6F4EA955DEED55: public key "Henry Zongaro <zong...@ca.ibm.com>"
> > imported
> > gpg: key 49017F3C3B47DEFD: public key "Brian James Minchau
> > <minc...@ca.ibm.com>" imported
> > gpg: key B5C693D25D9C0094: public key "Brian James Minchau (IBM Toronto
> > Lab) <minc...@ca.ibm.com>" imported
> > gpg: key 49017F3C3B47DEFD: "Brian James Minchau <minc...@ca.ibm.com>" not
> > changed
> > gpg: key 86FDC7E2A11262CB: "Gary David Gregory (Code signing key)
> > <ggreg...@apache.org>" not changed
> > gpg: Total number processed: 14
> > gpg: imported: 12
> > gpg: unchanged: 2
> > gpg: marginals needed: 3 completes needed: 1 trust model: pgp
> > gpg: depth: 0 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 2u
> >
> > TY for your patience ;-)
> > Gary
--
Regards,
Mukul Gandhi
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@xalan.apache.org
For additional commands, e-mail: dev-h...@xalan.apache.org
