[
https://issues.apache.org/jira/browse/CLOUDSTACK-9070?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
John Kinsella resolved CLOUDSTACK-9070.
---------------------------------------
Resolution: Fixed
Assignee: John Kinsella (was: Rohit Yadav)
Rohit added his key into the KEYS file...after importing that, I'm able to
verify the release now:
$ gpg --verify apache-cloudstack-4.5.2-src.tar.bz2.asc
gpg: Signature made Wed Aug 19 02:13:04 2015 PDT using RSA key ID 0EE3D884
gpg: Good signature from "Rohit Yadav (CODE SIGNING KEY) <[email protected]>”
Closing ticket.
> 4.5.x source downloads from apache.org fail gpg integrity test
> --------------------------------------------------------------
>
> Key: CLOUDSTACK-9070
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9070
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Components: Install and Setup
> Affects Versions: 4.5.1, 4.5.2
> Reporter: Udo Rader
> Assignee: John Kinsella
>
> as described in
> http://markmail.org/message/37udf7djizul5xuf
> the currently available source downloads fail the gpg integrity check because
> the key used to sign the packages is missing from
> http://www.apache.org/dist/cloudstack/KEYS
> -------CUT-----
> [udo@artio Downloads]$ gpg --verify apache-cloudstack-4.5.2-src.tar.bz2.asc
> gpg: assuming signed data in `apache-cloudstack-4.5.2-src.tar.bz2'
> gpg: Signature made Wed 19 Aug 2015 11:13:04 AM CEST using RSA key ID
> 0EE3D884
> gpg: Can't check signature: public key not found
> -------CUT-----
> applies to 4.5.1 and 4.5.2 at least.
> At least to me this makes the integrity of the source downloads dubious ...
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
