BTW, https://dlcdn.apache.org/xalan/xalan-j/KEYS is the file users will import based our site's download page.
Gary On Sat, Oct 29, 2022 at 12:37 PM Gary Gregory <garydgreg...@gmail.com> wrote: > That's not where it's supposed to be. It _should_ be in > https://dlcdn.apache.org/xalan/xalan-j/KEYS > > We should not have KEYS files in github, that makes no sense to me. > > Gary > > On Sat, Oct 29, 2022 at 12:30 PM Mukul Gandhi <muk...@apache.org> wrote: > >> Hi Gary, >> My Xalan code signing key, is available within the file >> https://github.com/apache/xalan-java/blob/xalan-j_2_7_1_maint/KEYS. >> >> And the following command, works for me, >> >> gpg --verify xalan-j_2_7_3-src.zip.asc xalan-j_2_7_3-src.zip >> >> gpg: Signature made 16-10-2022 06:49:16 India Standard Time >> gpg: using RSA key 4D8FB572FB6ADCFD69CBFE0D7B2586A6B5E25C3D >> gpg: Good signature from "Mukul Gandhi (CODE SIGNING KEY) >> <muk...@apache.org>" [unknown] >> gpg: WARNING: This key is not certified with a trusted signature! >> gpg: There is no indication that the signature belongs to the >> owner. >> Primary key fingerprint: 4D8F B572 FB6A DCFD 69CB FE0D 7B25 86A6 B5E2 >> 5C3D >> >> I hope that, you could use the above steps, to verify the provided >> .asc files on XalanJ 2.7.3 RC5 distribution files. Please let us know, >> whether this works or not. >> >> If you wish, we could release, the new XalanJ 2.7.3 RC, that shall use >> BCEL 6.6.1 whenever its released. >> >> On Sat, Oct 29, 2022 at 9:47 PM Gary Gregory <garydgreg...@gmail.com> >> wrote: >> > >> > FYI: I'm also in the process to release BCEL 6.6.1 to fix a regression. >> > >> > Gary >> > >> > On Sat, Oct 29, 2022 at 10:40 AM Gary D. Gregory <ggreg...@apache.org> >> wrote: >> > > >> > > I cannot validate the ASC file, this must be fixed: >> > > >> > > gpg --verify xalan-j_2_7_3-src.zip.asc >> > > gpg: assuming signed data in 'xalan-j_2_7_3-src.zip' >> > > gpg: Signature made 15-Oct-22 09:19:16 PM Eastern Daylight Time >> > > gpg: using RSA key >> 4D8FB572FB6ADCFD69CBFE0D7B2586A6B5E25C3D >> > > gpg: Can't check signature: No public key >> > > >> > > When I look in the Xalan KEYS file, I do not see any entries that >> look like you: >> > > >> > > gpg --import KEYS-xalan.txt >> > > gpg: key 32EC175930A21D55: 9 signatures not checked due to missing >> keys >> > > gpg: key 32EC175930A21D55: public key "Shane Curcuru < >> curc...@apache.org>" imported >> > > gpg: key 19B9C18B6442C3DC: public key "Lotusxsl Team < >> lotusxsl_t...@lotus.com>" imported >> > > gpg: key 4243DB39C1A25EE6: public key "Scott Boag < >> scott_b...@lotus.com>" imported >> > > gpg: key DECE22B6C1C57D2F: public key "Myriam Midy < >> myriam_m...@lotus.com>" imported >> > > gpg: key B2CDEDACBEE860DE: public key "Joseph Kesselman < >> joseph_kessel...@lotus.com>" imported >> > > gpg: key 4CD3752B1AFFC3FE: public key "Joseph Kesselman < >> jkess...@apache.org>" imported >> > > gpg: key 9586DDC11AAC221B: public key "Joseph Kesselman < >> joseph_kessel...@lotus.com>" imported >> > > gpg: key 0CBFC7805040E0E4: public key "Sarah McNamara < >> mcnam...@ca.ibm.com>" imported >> > > gpg: Note: third-party key signatures using the SHA1 algorithm are >> rejected >> > > gpg: (use option "--allow-weak-key-signatures" to override) >> > > gpg: key 0687164E5E14E1D2: 2 bad signatures >> > > gpg: key 0687164E5E14E1D2: public key "Ilene Seelemann < >> il...@ca.ibm.com>" imported >> > > gpg: key AB6F4EA955DEED55: public key "Henry Zongaro < >> zong...@ca.ibm.com>" imported >> > > gpg: key 49017F3C3B47DEFD: public key "Brian James Minchau < >> minc...@ca.ibm.com>" imported >> > > gpg: key B5C693D25D9C0094: public key "Brian James Minchau (IBM >> Toronto Lab) <minc...@ca.ibm.com>" imported >> > > gpg: key 49017F3C3B47DEFD: "Brian James Minchau <minc...@ca.ibm.com>" >> not changed >> > > gpg: key 86FDC7E2A11262CB: "Gary David Gregory (Code signing key) < >> ggreg...@apache.org>" not changed >> > > gpg: Total number processed: 14 >> > > gpg: imported: 12 >> > > gpg: unchanged: 2 >> > > gpg: marginals needed: 3 completes needed: 1 trust model: pgp >> > > gpg: depth: 0 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 2u >> > > >> > > TY for your patience ;-) >> > > Gary >> >> >> -- >> Regards, >> Mukul Gandhi >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: dev-unsubscr...@xalan.apache.org >> For additional commands, e-mail: dev-h...@xalan.apache.org >> >>
