[jira] [Commented] (MNGSITE-485) Expired signature in provided KEYS file on the download page

Fri, 10 Jun 2022 08:23:13 -0700 


    [ 
https://issues.apache.org/jira/browse/MNGSITE-485?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17552807#comment-17552807
 ] 

Michael Osipov commented on MNGSITE-485:
----------------------------------------

I have imported the keys, as-is. No issue with my key, then verfired:
{noformat}
mosipov@mikaw10 MINGW64 
/d/Entwicklung/Projekte/maven/target/checkout/apache-maven/target 
((maven-3.8.6))
$  gpg --verify apache-maven-3.8.6-bin.zip.asc apache-maven-3.8.6-bin.zip
gpg: Signature made Mo,  6. Jun 2022 18:39:25
gpg:                using RSA key 6A814B1F869C2BBEAB7CB7271A2A1C94BDE89688
gpg: Good signature from "Michael Osipov (Java developer) <[email protected]>" 
[unknown]
gpg:                 aka "Michael Osipov <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6A81 4B1F 869C 2BBE AB7C  B727 1A2A 1C94 BDE8 9688
{noformat}

So the file was verfied to be done by me, no? What do you expect to see?

> Expired signature in provided KEYS file on the download page
> ------------------------------------------------------------
>
>                 Key: MNGSITE-485
>                 URL: https://issues.apache.org/jira/browse/MNGSITE-485
>             Project: Maven Project Web Site
>          Issue Type: Bug
>            Reporter: Baiyang Li
>            Assignee: Michael Osipov
>            Priority: Major
>
> Hey,
> I met the same expired signature issue described in this close 
> [issue|https://issues.apache.org/jira/browse/MNGSITE-458?page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel&focusedCommentId=17410236#comment-17410236].
> When i follow the procedure to verify the signature using the KEYS file, both 
> provided on the maven's download page::
>  * KEYS file import: gpg --import KEYS
>  * signature verification; gpg --verify .\apache-maven-3.8.2-bin.tar.gz.asc 
> .\apache-maven-3.8.2-bin.tar.gz
> I've got the following message at the second step:
> gpg: Good signature from "Michael Osipov (Java developer) 
> <[email protected]>" [expired]
> gpg:                 aka "Michael Osipov <[email protected]>" [expired]
> gpg: Note: This key has expired!
> According to the same procedure: "A signature is valid, if gpg verifies the 
> .asc as a good signature, and doesn't complain about expired or revoked 
> keys", so, technically, the signature is not valid.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)

Reply via email to