[jira] [Comment Edited] (MNGSITE-458) Expired signature in provided KEYS file on the download page

Mon, 13 Dec 2021 11:21:07 -0800 


    [ 
https://issues.apache.org/jira/browse/MNGSITE-458?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17458646#comment-17458646
 ] 

Jörn Franke edited comment on MNGSITE-458 at 12/13/21, 7:20 PM:
----------------------------------------------------------------

I have issues to verify the Maven release 3.8.4 - it seems to be signed with 
this outdated key:

[https://downloads.apache.org/maven/maven-3/3.8.4/binaries/apache-maven-3.8.4-bin.tar.gz.asc]

Can you please readd a new signature with a valid key?

 

Sorry for the German text, but essentially this expired key has been used and 
it is not part of the KEYS file.
{code:java}
gpg2 --verify apache-maven-3.8.4-bin.tar.gz.asc  
gpg: die unterzeichneten Daten sind wohl in 'apache-maven-3.8.4-bin.tar.gz'

gpg: Signatur vom So 14 Nov 2021 10:18:58 CET

gpg:                mittels RSA-Schlüssel 1A2A1C94BDE89688

gpg: Signatur kann nicht geprüft werden: Kein öffentlicher Schlüssel


 {code}
 


was (Author: jornfranke):
I have issues to verify the Maven release 3.8.4 - it seems to be signed with 
this outdated key:

[https://downloads.apache.org/maven/maven-3/3.8.4/binaries/apache-maven-3.8.4-bin.tar.gz.asc]

Can you please readd a new signature with a valid key?

 

> Expired signature in provided KEYS file on the download page
> ------------------------------------------------------------
>
>                 Key: MNGSITE-458
>                 URL: https://issues.apache.org/jira/browse/MNGSITE-458
>             Project: Maven Project Web Site
>          Issue Type: Bug
>         Environment: Windows 10 21H1 (build 19043.1165)
> Powershell provided with Windows 10 (5.1 build 19041 revision 1151)
> Gpg4Win 3.1.16 (gpg (GnuPG) 2.2.28)
>            Reporter: Arnaud Dufourcq
>            Assignee: Michael Osipov
>            Priority: Major
>
> When i follow the procedure to verify the signature using the KEYS file, both 
> provided on the maven's download page::
>  * KEYS file import: gpg --import KEYS
>  * signature verification; gpg --verify .\apache-maven-3.8.2-bin.tar.gz.asc 
> .\apache-maven-3.8.2-bin.tar.gz
> I've got the following message at the second step:
> "Good signature from "Michael Osipov (Java developer) <[email protected]>" 
> [expired]
> Note: This key has expired!"
> According to the same procedure: "A signature is valid, if gpg verifies the 
> .asc as a good signature, and doesn't complain about expired or revoked 
> keys", so, technically, the signature is not valid.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

Reply via email to