Per Cederqvist created SOLR-14527:
-------------------------------------
Summary: The 8.5.1 release can't be verified using PGP
Key: SOLR-14527
URL: https://issues.apache.org/jira/browse/SOLR-14527
Project: Solr
Issue Type: Bug
Security Level: Public (Default Security Level. Issues are Public)
Components: website
Affects Versions: 8.5.1
Reporter: Per Cederqvist
The [https://archive.apache.org/dist/lucene/solr/8.5.1/solr-8.5.1.tgz.asc]
signature of the
[https://archive.apache.org/dist/lucene/solr/8.5.1/solr-8.5.1.tgz] file is made
by the following key:
pub rsa4096 2019-07-10 [SC]
E58A6F4D5B2B48AC66D5E53BD4F181881A42F9E6
uid [ unknown] Ignacio Vera (CODE SIGNING KEY) <[email protected]>
sub rsa4096 2019-07-10 [E]
However, that key is not included in
[https://archive.apache.org/dist/lucene/solr/KEYS,] so there is no way for me
to verify that the file is authentic. I could download the key from a
keyserver, but there are no signatures on the key, so I'm left with no way to
verify that the 8.5.1 distribution is legitimate.
I'm assuming this is just an omission, and that [~ivera] simply forgot to add
the key to the KEYS file.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
