On Fri, Aug 21, 2020 at 3:06 PM Slawomir Jaranowski
<[email protected]> wrote:
>
> On Fri, Aug 21, 2020 at 22:50 Tatu Saloranta <[email protected]> wrote:
>>
>> On Fri, Aug 21, 2020 at 1:45 PM Slawomir Jaranowski <[email protected]> 
>> wrote:
>>>
>>> The latest release of the jackson artifact is signed by a PGP key, which is 
>>> strange to me, because the key doesn't have a uid.
>>>
>>> https://hkps.pool.sks-keyservers.net/pks/lookup?op=vindex&fingerprint=on&search=0x8A10792983023D5D14C93B488D7F1BEC1E2ECAE7
>>>
>>> Please confirm that this key belongs to someone who has the privilege to release 
>>> a new version of the project.
>>
>> Yes, this is the gpg key I generated after the earlier one expired on 2020-07-25. 
>> Not sure why Brew-installed gnupg created something without a uid; I just 
>> used the defaults suggested.
>>
>>>
>>>
>>> It is difficult to verify the signature, e.g.:
>>>
>>> gpg --recv-keys 8A10792983023D5D14C93B488D7F1BEC1E2ECAE7
>>> gpg: key 8D7F1BEC1E2ECAE7: no user ID
>>> gpg: Total number processed: 1
>>>
>>> gpg --verify 
>>> ~/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.11.2/jackson-databind-2.11.2.jar.asc
>>> gpg: assuming signed data in 
>>> '...m2/repository/com/fasterxml/jackson/core/jackson-databind/2.11.2/jackson-databind-2.11.2.jar'
>>> gpg: Signature made Sun Aug  2 20:36:50 2020 CEST
>>> gpg:                using RSA key 8A10792983023D5D14C93B488D7F1BEC1E2ECAE7
>>> gpg: Can't check signature: No public key
>>>
>>> ***************************************
>>>
>>> Another case: jackson-databind-2.11.0.jar has a bad signature ... it 
>>> looks like someone changed the content of jackson-databind-2.11.0.jar
>>>
>>> gpg --verify 
>>> ~/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.11.0/jackson-databind-2.11.0.jar.asc
>>> gpg: assuming signed data in 
>>> '..m2/repository/com/fasterxml/jackson/core/jackson-databind/2.11.0/jackson-databind-2.11.0.jar'
>>> gpg: Signature made Sun Apr 26 02:16:05 2020 CEST
>>> gpg:                using RSA key 6214760097DC5CFAD0175AC2C9FBAA83A8753994
>>> gpg: BAD signature from "Tatu Saloranta (cowtowncoder) 
>>> <[email protected]>" [expired]
>>
>>
>> I am not sure why you think there is something wrong with that key: perhaps 
>> the gpg messages are a bit misleading here.
>> While the key is now expired, it was valid at the time of signing. Key 
>> expiration is defined at creation
>> and is immutable; this is for security reasons (so that even if one 
>> accidentally exposes a key, it will not be valid for use forever).
>> At least that is how I understand the above.
>
>
> An expired key has no impact on verification.
>
> The pom has a correct signature:
>
> gpg --verify 
> ~/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.11.0/jackson-databind-2.11.0.pom.asc
> gpg: assuming signed data in 
> '....m2/repository/com/fasterxml/jackson/core/jackson-databind/2.11.0/jackson-databind-2.11.0.pom'
> gpg: Signature made Sun Apr 26 02:16:06 2020 CEST
> gpg:                using RSA key 6214760097DC5CFAD0175AC2C9FBAA83A8753994
> gpg: Good signature from "Tatu Saloranta (cowtowncoder) 
> <[email protected]>" [expired]
> gpg: Note: This key has expired!
> Primary key fingerprint: 6214 7600 97DC 5CFA D017  5AC2 C9FB AA83 A875 3994

Ah, I see. Yes, I misread what you said and assumed you were referring
to the expired key.

If I remember correctly, Sonatype Nexus was having serious performance
issues at the time when 2.11.0 was released and (I think) I
managed to deploy a partial release somehow. I tried to make a new
release, which was (somewhat correctly) blocked by Nexus.
I worked with Sonatype support people to try to get a working version
published, but I think they may have copied over a bad mix
of artifacts in which the signature file for the jar was not from the same release
set as the jar itself.

I tried to find the Jira issue since I think I had to file one -- this
to make sure my recollection of the incident is related to the problem you
see
-- but could not quite locate it (see https://issues.sonatype.org/).

At this point I would just suggest avoiding that version: 2.11.2 is
already out and should not suffer from the same problem.

As to the 2.11.0 problem itself: only Sonatype could help with the
official artifact, but I suspect that even if that was rectified (by
building from the 2.12.0 release tag in the git repo, which is easy enough)
there is the problem of Maven repository caching, propagation to
various secondary repos, etc.

-+ Tatu +-
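The three gpg outcomes Sławomir pasted (no public key, bad signature on the jar, good signature from a now-expired key on the pom) and Tatu's point that expiry alone is not the problem, as an added example that is not part of this thread: it classifies gpg's machine-readable `--status-fd` output, accepting an EXPKEYSIG only when the VALIDSIG signing time precedes the KEYEXPIRED timestamp and the fingerprint is one of the two quoted above. The status lines and timestamps are constructed to mirror the thread, not captured output.

```python
import re
from typing import Dict, Tuple

# Fingerprints quoted in the thread; in practice this allowlist is pinned by the consumer.
TRUSTED_FPRS = {
    "6214760097DC5CFAD0175AC2C9FBAA83A8753994",
    "8A10792983023D5D14C93B488D7F1BEC1E2ECAE7",
}

def parse_status(status_output: str) -> Dict[str, str]:
    """Collect '[GNUPG:] KEYWORD args' lines (gpg --status-fd 1) into keyword -> args."""
    fields: Dict[str, str] = {}
    for line in status_output.splitlines():
        m = re.match(r"\[GNUPG:\]\s+(\w+)\s*(.*)$", line)
        if m:
            fields.setdefault(m.group(1), m.group(2))
    return fields

def verdict(status_output: str, trusted=TRUSTED_FPRS) -> Tuple[str, str]:
    """Return (result, reason); only 'accept' means the artifact may be used."""
    f = parse_status(status_output)
    if "NO_PUBKEY" in f:
        return "fetch-key", "signer key not in keyring; nothing was verified"
    if "BADSIG" in f:
        return "reject", "signature does not match the file contents"
    if not ("GOODSIG" in f or "EXPKEYSIG" in f) or "VALIDSIG" not in f:
        return "reject", "no valid signature status"
    validsig = f["VALIDSIG"].split()       # <fpr> <date> <sig-timestamp> ...
    fpr = validsig[0]
    if fpr not in trusted:
        return "reject", "good signature but untrusted key " + fpr
    if "EXPKEYSIG" in f:
        sig_time = int(validsig[2])
        expiry = int(f.get("KEYEXPIRED", "0") or 0)
        if not expiry or sig_time >= expiry:
            return "reject", "signed at or after key expiry"
        return "accept", "good signature; key expired after signing"
    return "accept", "good signature from trusted key"

# Constructed status output for the three cases in the thread (timestamps approximate).
NO_KEY = ("[GNUPG:] ERRSIG 8D7F1BEC1E2ECAE7 1 10 00 1596393410 9 "
          "8A10792983023D5D14C93B488D7F1BEC1E2ECAE7\n[GNUPG:] NO_PUBKEY 8D7F1BEC1E2ECAE7\n")
BAD_JAR = ("[GNUPG:] KEYEXPIRED 1595635200\n"
           "[GNUPG:] BADSIG C9FBAA83A8753994 Tatu Saloranta (cowtowncoder) <[email protected]>\n")
GOOD_POM = ("[GNUPG:] KEYEXPIRED 1595635200\n"
            "[GNUPG:] EXPKEYSIG C9FBAA83A8753994 Tatu Saloranta (cowtowncoder) <[email protected]>\n"
            "[GNUPG:] VALIDSIG 6214760097DC5CFAD0175AC2C9FBAA83A8753994 2020-04-26 1587860166 "
            "0 4 0 1 10 00 6214760097DC5CFAD0175AC2C9FBAA83A8753994\n")

if __name__ == "__main__":
    for name, out in (("2.11.2 jar", NO_KEY), ("2.11.0 jar", BAD_JAR), ("2.11.0 pom", GOOD_POM)):
        print(name, *verdict(out))
```

The jar case shows why the thread's diagnosis matters: BADSIG is a content mismatch regardless of key state, while the pom's EXPKEYSIG is only a note that the key has since expired.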

>
>
> --
> Sławomir Jaranowski
>
> --
> You received this message because you are subscribed to the Google Groups 
> "jackson-dev" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to [email protected].
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/jackson-dev/CAGjJkv3VCRwJfi1Tn_HUtCCPmqWk_pVXe%2BPYDCk%3Ds8ZHYj%2B%3Dcg%40mail.gmail.com.

