Released JCI 1.0 downloads are signed by a key NOT in the master KEYS file
--------------------------------------------------------------------------
Key: JCI-63
URL: https://issues.apache.org/jira/browse/JCI-63
Project: Commons JCI
Issue Type: Bug
Components: site
Affects Versions: 1.0
Environment: Tested on Windows for the .zip downloads.
Reporter: J Bohm
The files commons-jci-bin.zip.asc and commons-jci-src.zip.asc are signed by
public key 7C200941, which is not in the KEYS file listing authorized download
signatures. This means that either security has been compromised and the
downloaded files are fakes or (more likely) someone messed up and signed the
JCI release files with the wrong key.
In either case this means that there is no currently available JCI 1.0 release
(unless users ignore your own security warning to always verify downloads).
I suggest that the genuine 1.0 release files be signed with an authorized key
already listed in the KEYS file, or the relevant key be added to the KEYS file
on the commons site.
The bug may or may not affect the .tar.gz.asc files.
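The check the reporter is describing, as an added example that is not part of the issue or of the Commons JCI project: a POSIX shell script that verifies a download against a throwaway keyring built only from the project's KEYS file, with no keyserver lookup, so a signature from a key that is not in KEYS is reported as such instead of being accepted. The artifact names and the gpg invocation are assumptions; `classify_status` parses GnuPG's own `--status-fd` keywords (VALIDSIG, BADSIG, NO_PUBKEY).

```shell
#!/bin/sh
# Added example, not from the JIRA issue or the Commons JCI project: verify a
# release artifact against ONLY the keys listed in the project's KEYS file.
# A signature from a key absent from KEYS (the situation reported above) is
# reported as "not-in-keys" rather than resolved through a keyserver.
# Assumes KEYS, <artifact> and <artifact>.asc sit in the current directory.

# classify_status: read "gpg --status-fd" lines from stdin, print one verdict.
# The keywords VALIDSIG, BADSIG and NO_PUBKEY are GnuPG's documented ones.
classify_status() {
    verdict="no-signature"
    while IFS=' ' read -r prefix keyword arg1 _rest; do
        [ "$prefix" = "[GNUPG:]" ] || continue
        case "$keyword" in
            VALIDSIG)                      # arg1 = full fingerprint of signer
                if [ "$verdict" = "no-signature" ]; then verdict="ok $arg1"; fi ;;
            NO_PUBKEY)                     # arg1 = key id not in our keyring
                if [ "$verdict" = "no-signature" ]; then verdict="not-in-keys $arg1"; fi ;;
            BADSIG)                        # tampered file or signature; wins
                verdict="badsig $arg1" ;;
        esac
    done
    printf '%s\n' "$verdict"
}

# verify_release <artifact> [KEYS]: import KEYS into a fresh keyring, verify
# <artifact>.asc with auto key retrieval disabled, return 0 only on "ok".
verify_release() {
    artifact="$1"; keys_file="${2:-KEYS}"
    ring_dir="$(mktemp -d)"
    gpg --batch --quiet --no-default-keyring --keyring "$ring_dir/keys.gpg" \
        --import "$keys_file" 2>/dev/null
    result="$(gpg --batch --no-default-keyring --keyring "$ring_dir/keys.gpg" \
        --no-auto-key-retrieve --status-fd 1 \
        --verify "$artifact.asc" "$artifact" 2>/dev/null | classify_status)"
    rm -rf "$ring_dir"
    printf '%s: %s\n' "$artifact" "$result"
    case "$result" in ok\ *) return 0 ;; *) return 1 ;; esac
}

# Usage: ./verify.sh commons-jci-bin.zip KEYS
if [ -n "${1:-}" ]; then verify_release "$1" "${2:-KEYS}"; fi
```

A "not-in-keys" verdict is exactly what a user following the KEYS-file procedure should see for the 1.0 downloads described above; only "ok" means the signer is among the keys the project published.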
--
This message is automatically generated by JIRA.