On Fri, Aug 21, 2020 at 1:45 PM Slawomir Jaranowski <s.jaranow...@gmail.com> wrote:
> The latest release of jackson artifact is signed by pgp key which is
> strange for me, because doesn't have uid in key.
>
> https://hkps.pool.sks-keyservers.net/pks/lookup?op=vindex&fingerprint=on&search=0x8A10792983023D5D14C93B488D7F1BEC1E2ECAE7
>
> Please confirm that this key belongs to someone who has privilege to
> release new version of project

Yes, this is the gpg key I generated after the earlier one expired by 2020-07-25. Not sure why Brew-installed gnupg created something without uid, I just used the defaults suggested.

> It is difficult to verify signature, eg:
>
> gpg --recv-keys 8A10792983023D5D14C93B488D7F1BEC1E2ECAE7
> gpg: key 8D7F1BEC1E2ECAE7: no user ID
> gpg: Total number processed: 1
>
> gpg --verify
> ~/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.11.2/jackson-databind-2.11.2.jar.asc
> gpg: assuming signed data in
> '...m2/repository/com/fasterxml/jackson/core/jackson-databind/2.11.2/jackson-databind-2.11.2.jar'
> gpg: Signature made Sun Aug 2 20:36:50 2020 CEST
> gpg: using RSA key 8A10792983023D5D14C93B488D7F1BEC1E2ECAE7
> gpg: Can't check signature: No public key
>
> ***************************************
>
> Another case: jackson-databind-2.11.0.jar - has bad signature ... it can
> look like someone changed content of jackson-databind-2.11.0.jar
>
> gpg --verify
> ~/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.11.0/jackson-databind-2.11.0.jar.asc
> gpg: assuming signed data in
> '..m2/repository/com/fasterxml/jackson/core/jackson-databind/2.11.0/jackson-databind-2.11.0.jar'
> gpg: Signature made Sun Apr 26 02:16:05 2020 CEST
> gpg: using RSA key 6214760097DC5CFAD0175AC2C9FBAA83A8753994
> gpg: BAD signature from "Tatu Saloranta (cowtowncoder) <tatu.salora...@iki.fi>" [expired]

I am not sure why you think there is something wrong with that key: perhaps gpg messages are a bit misleading here. While the key is now expired, it was valid at the time of signing.
Key expiration is defined at creation and is immutable; this is for security reasons (so that even if one accidentally exposes the key, it will not be valid for use forever). At least that is how I understand the above.

So, both keys are legit.

-+ Tatu +-

> --
> You received this message because you are subscribed to the Google Groups "jackson-dev" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to jackson-dev+unsubscr...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/jackson-dev/235c792d-227f-41f8-82cd-7a6d7b713418n%40googlegroups.com.
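The thread shows three different gpg outcomes that are easy to confuse when read from the human-readable messages: a signature that cannot be checked because the key is not in the keyring, a signature that is good but was made with a key that has since expired, and a signature that does not match the artifact content. The following is an added example (not code from the thread, the Jackson project, or GnuPG itself) that scripts against gpg's machine-readable `--status-fd` records instead, which is what a build pipeline should do when gating dependencies. The status tags (`GOODSIG`, `EXPKEYSIG`, `BADSIG`, `ERRSIG`, `NO_PUBKEY`, `VALIDSIG`) and their field layout are GnuPG's documented ones; the status lines embedded below are constructed to mirror the three cases in the thread, and the key creation time and the `tatu@example.invalid` address are placeholders, not values from the page.

```python
"""Interpret gpg's machine-readable verification status for a signed artifact.

Added example, not code from the jackson-dev thread or the Jackson project.
It parses the `[GNUPG:] ...` records that `gpg --status-fd 1 --verify` prints
and separates the three situations the thread mixes up:
  - EXPKEYSIG: content intact, signing key has expired since (still a good signature)
  - BADSIG:    content does not match the signature (altered or corrupt artifact)
  - NO_PUBKEY: nothing can be decided until the key is fetched
"""
import subprocess
from dataclasses import dataclass
from typing import List, Optional

STATUS_PREFIX = "[GNUPG:] "


@dataclass
class Verdict:
    state: str                            # good | good-key-expired | tampered | no-pubkey | unknown
    key_id: Optional[str] = None
    fingerprint: Optional[str] = None
    sig_timestamp: Optional[int] = None   # UNIX time at which the signature was made


def classify(status_lines: List[str]) -> Verdict:
    """Map gpg status records to a verdict; non-status stderr chatter is ignored."""
    v = Verdict(state="unknown")
    for raw in status_lines:
        line = raw.strip()
        if not line.startswith(STATUS_PREFIX):
            continue
        fields = line[len(STATUS_PREFIX):].split()
        tag = fields[0]
        if tag == "GOODSIG":
            v.state, v.key_id = "good", fields[1]
        elif tag == "EXPKEYSIG":
            v.state, v.key_id = "good-key-expired", fields[1]
        elif tag == "BADSIG":
            v.state, v.key_id = "tampered", fields[1]
        elif tag == "ERRSIG" and len(fields) > 5:
            # ERRSIG <keyid> <pkalgo> <hashalgo> <sigclass> <time> <rc> [<fpr>]
            v.key_id, v.sig_timestamp = fields[1], int(fields[5])
        elif tag == "NO_PUBKEY":
            v.state, v.key_id = "no-pubkey", fields[1]
        elif tag == "VALIDSIG" and len(fields) > 3:
            # VALIDSIG <fpr> <date> <sig-timestamp> <sig-expiry> <ver> <res> <pkalgo> <hash> <class> [<primary-fpr>]
            v.fingerprint, v.sig_timestamp = fields[1], int(fields[3])
    return v


def signed_while_key_valid(sig_timestamp: int, key_created: int, key_expires: Optional[int]) -> bool:
    """True when the signature time lies inside the key's validity window.
    A key expiring after the signature was made does not invalidate that signature."""
    if sig_timestamp < key_created:
        return False
    return key_expires is None or sig_timestamp < key_expires


def content_accepted(v: Verdict) -> bool:
    """Accept only intact content from a known key; a later key expiry is not a content defect."""
    return v.state in ("good", "good-key-expired")


def run_gpg_verify(asc_path: str, artifact_path: str) -> Verdict:
    """Verify a real detached signature; needs gpg on PATH and the signer's key in the keyring."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", asc_path, artifact_path],
        capture_output=True, text=True, check=False)
    return classify(proc.stdout.splitlines())


# Constructed status output modelled on the three cases in the thread.
KEY_2019 = "6214760097DC5CFAD0175AC2C9FBAA83A8753994"   # older key, expired 2020-07-25 per the thread
KEY_2020 = "8A10792983023D5D14C93B488D7F1BEC1E2ECAE7"   # newer key that carries no user ID
KEY_2019_CREATED = 1556000000                            # placeholder creation time, not from the thread
KEY_2019_EXPIRES = 1595635200                            # 2020-07-25 00:00:00 UTC

CASE_TAMPERED = [                                        # jackson-databind-2.11.0.jar in the thread
    "gpg: Signature made Sun Apr 26 02:16:05 2020 CEST",
    "[GNUPG:] KEYEXPIRED 1595635200",
    f"[GNUPG:] BADSIG {KEY_2019[-16:]} Tatu Saloranta (cowtowncoder) <tatu@example.invalid>",
]
CASE_NO_KEY = [                                          # jackson-databind-2.11.2.jar before fetching the key
    f"[GNUPG:] ERRSIG {KEY_2020[-16:]} 1 8 00 1596393410 9 {KEY_2020}",
    f"[GNUPG:] NO_PUBKEY {KEY_2020[-16:]}",
]
CASE_GOOD_EXPIRED = [                                    # intact artifact, key expired after signing
    f"[GNUPG:] EXPKEYSIG {KEY_2019[-16:]} Tatu Saloranta (cowtowncoder) <tatu@example.invalid>",
    f"[GNUPG:] VALIDSIG {KEY_2019} 2020-04-26 1587860165 0 4 0 1 8 00 {KEY_2019}",
]

if __name__ == "__main__":
    for name, lines in [("tampered", CASE_TAMPERED), ("no key", CASE_NO_KEY),
                        ("good, key expired", CASE_GOOD_EXPIRED)]:
        v = classify(lines)
        print(f"{name:18s} -> {v.state:17s} accepted={content_accepted(v)}")
```

The point for a consumer of signed artifacts is that `BADSIG` and `EXPKEYSIG` must be treated differently: the former means the bytes on disk are not the bytes that were signed and the artifact should be rejected, while the latter is a good signature whose key expired later, so `signed_while_key_valid` with the key's creation and expiry times settles whether it was made while the key was current. `NO_PUBKEY` is not a verdict at all; the key has to be obtained and its fingerprint confirmed out of band before the check means anything.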