Baiyang Li created MNGSITE-485:
----------------------------------
Summary: Expired signature in provided KEYS file on the download
page
Key: MNGSITE-485
URL: https://issues.apache.org/jira/browse/MNGSITE-485
Project: Maven Project Web Site
Issue Type: Bug
Reporter: Baiyang Li
Hey,
I met the same expired signature issue described in this close issue.
When i follow the procedure to verify the signature using the KEYS file, both
provided on the maven's download page::
* KEYS file import: gpg --import KEYS
* signature verification; gpg --verify .\apache-maven-3.8.2-bin.tar.gz.asc
.\apache-maven-3.8.2-bin.tar.gz
I've got the following message at the second step:
gpg: Good signature from "Michael Osipov (Java developer) <[email protected]>"
[expired]
gpg: aka "Michael Osipov <[email protected]>" [expired]
gpg: Note: This key has expired!
According to the same procedure: "A signature is valid, if gpg verifies the
.asc as a good signature, and doesn't complain about expired or revoked keys",
so, technically, the signature is not valid.
--
This message was sent by Atlassian Jira
(v8.20.7#820007)
