[
https://issues.apache.org/jira/browse/JCI-63?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12831027#action_12831027
]
Niall Pemberton commented on JCI-63:
------------------------------------
It's in here:
http://svn.apache.org/repos/asf/commons/proper/jci/trunk/KEYS.txt
Needs to be added to the main keys file though.
> Released JCI 1.0 downloads are signed by a key NOT in the master KEYS file
> --------------------------------------------------------------------------
>
> Key: JCI-63
> URL: https://issues.apache.org/jira/browse/JCI-63
> Project: Commons JCI
> Issue Type: Bug
> Components: site
> Affects Versions: 1.0
> Environment: Tested on Windows for the .zip downloads.
> Reporter: J Bohm
>
> The files commons-jci-bin.zip.asc and commons-jci-src.zip.asc are signed by
> public key 7C200941, which is not in the KEYS file listing authorized
> download signatures. This means that either security has been compromised
> and the downloaded files are fakes or (more likely) someone messed up and
> signed the JCI release files with the wrong key.
> In either case this means that there is no currently available JCI 1.0
> release (unless users ignore your own security warning to always verify
> downloads).
> I suggest that the genuine 1.0 release files be signed with an authorized key
> already listed in the KEYS file, or the relevant key be added to the KEYS
> file on the commons site.
> The bug may or may not affect the .tar.gz.asc files.
--
This message is automatically generated by JIRA.