Sat, 22 Aug 2020 at 02:07 Tatu Saloranta <t...@fasterxml.com> wrote:
> On Fri, Aug 21, 2020 at 3:06 PM Slawomir Jaranowski <s.jaranow...@gmail.com> wrote:
> >
> > Fri, 21 Aug 2020 at 22:50 Tatu Saloranta <tsalora...@gmail.com> wrote:
> >>
> >> On Fri, Aug 21, 2020 at 1:45 PM Slawomir Jaranowski <s.jaranow...@gmail.com> wrote:
> >>>
> >>> The latest release of the jackson artifact is signed by a PGP key which is strange to me, because the key doesn't have a UID.
> >>>
> >>> https://hkps.pool.sks-keyservers.net/pks/lookup?op=vindex&fingerprint=on&search=0x8A10792983023D5D14C93B488D7F1BEC1E2ECAE7
> >>>
> >>> Please confirm that this key belongs to someone who has the privilege to release a new version of the project.
> >>
> >> Yes, this is the gpg key I generated after the earlier one expired on 2020-07-25. Not sure why Brew-installed gnupg created something without a uid; I just used the defaults suggested.
> >>
> >>> It is difficult to verify the signature, e.g.:
> >>>
> >>> gpg --recv-keys 8A10792983023D5D14C93B488D7F1BEC1E2ECAE7
> >>> gpg: key 8D7F1BEC1E2ECAE7: no user ID
> >>> gpg: Total number processed: 1
> >>>
> >>> gpg --verify ~/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.11.2/jackson-databind-2.11.2.jar.asc
> >>> gpg: assuming signed data in '...m2/repository/com/fasterxml/jackson/core/jackson-databind/2.11.2/jackson-databind-2.11.2.jar'
> >>> gpg: Signature made Sun Aug 2 20:36:50 2020 CEST
> >>> gpg: using RSA key 8A10792983023D5D14C93B488D7F1BEC1E2ECAE7
> >>> gpg: Can't check signature: No public key
> >>>
> >>> ***************************************
> >>>
> >>> Another case: jackson-databind-2.11.0.jar has a bad signature ... it can look like someone changed the content of jackson-databind-2.11.0.jar
> >>>
> >>> gpg --verify ~/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.11.0/jackson-databind-2.11.0.jar.asc
> >>> gpg: assuming signed data in '..m2/repository/com/fasterxml/jackson/core/jackson-databind/2.11.0/jackson-databind-2.11.0.jar'
> >>> gpg: Signature made Sun Apr 26 02:16:05 2020 CEST
> >>> gpg: using RSA key 6214760097DC5CFAD0175AC2C9FBAA83A8753994
> >>> gpg: BAD signature from "Tatu Saloranta (cowtowncoder) <tatu.salora...@iki.fi>" [expired]
> >>
> >> I am not sure why you think there is something wrong with that key: perhaps gpg messages are a bit misleading here.
> >> While the key is now expired, it was valid at the time of signing. Key expiration is defined at creation
> >> and is immutable; this is for security reasons (so that even if one accidentally exposes the key, it will not be valid for use forever).
> >> At least that is how I understand the above.
> >
> > An expired key has no impact on verification.
> >
> > The pom has a correct signature:
> >
> > gpg --verify ~/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.11.0/jackson-databind-2.11.0.pom.asc
> > gpg: assuming signed data in '....m2/repository/com/fasterxml/jackson/core/jackson-databind/2.11.0/jackson-databind-2.11.0.pom'
> > gpg: Signature made Sun Apr 26 02:16:06 2020 CEST
> > gpg: using RSA key 6214760097DC5CFAD0175AC2C9FBAA83A8753994
> > gpg: Good signature from "Tatu Saloranta (cowtowncoder) <tatu.salora...@iki.fi>" [expired]
> > gpg: Note: This key has expired!
> > Primary key fingerprint: 6214 7600 97DC 5CFA D017 5AC2 C9FB AA83 A875 3994
>
> Ah, I see. Yes, I misread what you said and assumed you were referring to the expired key.
>
> If I remember correctly, Sonatype Nexus was having serious performance issues at the time when 2.11.0 was released and (I think) managed to deploy a partial release somehow. I tried to make a new release, which was (somewhat correctly) blocked by Nexus.
> I worked with Sonatype support people to try to get a working version published, but I think they may have copied over a bad mix of artifacts in which the signature file for the jar was not from the same release set as the jar itself.
>
> I tried to find the Jira issue since I think I had to file one -- this to make sure my recollection of the incident is related to the problem you see -- but could not quite locate it (see https://issues.sonatype.org/).
>
> At this point I would just suggest avoiding that version: 2.11.2 is already out and should not suffer from the same problem.
>
> As to the 2.11.0 problem itself: only Sonatype could help with the official artifact, but I suspect that even if that was rectified (by building from the 2.12.0 release tag in the git repo, which is easy enough) there is the problem of Maven repository caching, propagation to various secondary repos etc.

Thanks for your clarification. I re-downloaded the artifacts and signature from Maven Central and the signature is OK for jackson-databind-2.11.0.jar. Probably there was some problem during the first download.

-- 
Sławomir Jaranowski
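The check this thread performs by hand, as an added example that is not part of the original messages or of the Jackson project: parse the machine-readable status lines that `gpg --batch --status-fd 1 --verify <file>.asc <file>` prints and turn them into an accept/reject decision. It separates the three outcomes quoted above (`No public key`, `BAD signature`, and `Good signature` from a key that has since expired), then pins the signing fingerprint instead of relying on the key's user ID, which is the answer to the "key without a UID" question. Assumptions: the pin list is the two fingerprints quoted in the thread (a real one must come from a channel you already trust); the four status transcripts are constructed from the human-readable gpg output above, not captured; the `0123...` key is a placeholder; and the signing-time-versus-expiry comparison is this example's own check, going beyond what gpg reports. Python is used because this is the kind of wrapper a CI job puts around gpg.

```python
"""Classify GnuPG --status-fd output when checking Maven artifact signatures.
Added example for the thread above, not Jackson project code; transcripts are constructed."""
from dataclasses import dataclass

# Fingerprints quoted in the thread, used here as a constructed pin list. A real
# list comes from a channel you already trust (project docs, an earlier verified
# release), never from whatever the key server returns for a key id.
PINNED_RELEASE_KEYS = {
    "6214760097DC5CFAD0175AC2C9FBAA83A8753994",  # older key, expired 2020-07-25
    "8A10792983023D5D14C93B488D7F1BEC1E2ECAE7",  # replacement key without a UID
}

# Worst outcome wins, so a BADSIG is never masked by another status line.
_RANK = {"UNKNOWN": 0, "GOOD": 1, "GOOD_EXPIRED_KEY": 2, "ERROR": 3,
         "NO_PUBKEY": 4, "REVOKED": 5, "BAD": 6}
_SIG_LINES = {"GOODSIG": "GOOD", "EXPKEYSIG": "GOOD_EXPIRED_KEY",
              "BADSIG": "BAD", "REVKEYSIG": "REVOKED"}


@dataclass
class Verdict:
    status: str = "UNKNOWN"        # a key of _RANK
    key_id: str = ""               # long key id from GOODSIG/EXPKEYSIG/BADSIG/NO_PUBKEY
    signer: str = ""               # user ID text (empty for a key with no UID)
    fingerprint: str = ""          # signing-key fingerprint from VALIDSIG
    primary_fingerprint: str = ""  # primary-key fingerprint from VALIDSIG
    sig_timestamp: int = 0         # signature creation time (epoch) from VALIDSIG
    key_expired_at: int = 0        # latest KEYEXPIRED timestamp seen


def parse_status(text):
    """Reduce the stdout of `gpg --batch --status-fd 1 --verify X.asc X` to a Verdict."""
    v = Verdict()
    for raw in text.splitlines():
        if not raw.startswith("[GNUPG:] "):
            continue                      # human-readable lines are not status lines
        fields = raw.split()[1:]
        kw = fields[0]
        if kw in _SIG_LINES:
            v.key_id, v.signer = fields[1].upper(), " ".join(fields[2:])
            v.status = max(v.status, _SIG_LINES[kw], key=_RANK.get)
        elif kw == "NO_PUBKEY":
            v.key_id = fields[1].upper()
            v.status = max(v.status, "NO_PUBKEY", key=_RANK.get)
        elif kw == "ERRSIG":              # rc field 9 = no public key; NO_PUBKEY usually follows
            v.status = max(v.status, "ERROR", key=_RANK.get)
        elif kw == "VALIDSIG":
            # VALIDSIG <fpr> <date> <sig-ts> <expire-ts> <ver> <reserved> <pkalgo> <hash> <class> [<primary-fpr>]
            v.fingerprint = fields[1].upper()
            v.sig_timestamp = int(fields[3])
            v.primary_fingerprint = fields[10].upper() if len(fields) > 10 else v.fingerprint
        elif kw == "KEYEXPIRED":
            v.key_expired_at = max(v.key_expired_at, int(fields[1]))
    return v


def accept(v, pinned=PINNED_RELEASE_KEYS):
    """Decide whether the artifact may be used. Returns (ok, reason)."""
    if v.status == "BAD":
        # Bytes on disk differ from what was signed: a damaged download or a .asc
        # from a different build. Key expiry never produces BADSIG.
        return False, "BAD signature: artifact does not match its .asc; re-download and compare"
    if v.status == "REVOKED":
        return False, "signing key %s is revoked" % v.key_id
    if v.status in ("NO_PUBKEY", "ERROR", "UNKNOWN") or not v.fingerprint:
        return False, "cannot check signature; import key %s by full fingerprint and retry" % (v.key_id or "?")
    if v.fingerprint not in pinned and v.primary_fingerprint not in pinned:
        # A good signature proves that *some* key signed the file; whether it is a
        # release key is decided by the pin list, not by the UID on the key.
        return False, "good signature, but %s is not a pinned release key" % v.fingerprint
    if v.status == "GOOD_EXPIRED_KEY":
        # gpg emits EXPKEYSIG when the key is expired at verification time and does not
        # compare signing time with expiry, so do that here. KEYEXPIRED may also fire for
        # an unused subkey, so the latest timestamp is taken as the bound (assumption).
        if v.key_expired_at and v.sig_timestamp > v.key_expired_at:
            return False, "signature was made after the key expired"
        return True, "good signature from pinned key %s (expired since, which does not invalidate it)" % v.fingerprint
    return True, "good signature from pinned key %s" % v.fingerprint


# Constructed transcripts modelled on the three gpg runs quoted in the thread
# (epoch values converted from the CEST times shown there).
STATUS_NO_PUBKEY = """\
[GNUPG:] ERRSIG 8D7F1BEC1E2ECAE7 1 8 00 1596393410 9 8A10792983023D5D14C93B488D7F1BEC1E2ECAE7
[GNUPG:] NO_PUBKEY 8D7F1BEC1E2ECAE7
"""
STATUS_BADSIG = """\
[GNUPG:] BADSIG C9FBAA83A8753994 Tatu Saloranta (cowtowncoder) <tatu.salora...@iki.fi>
"""
STATUS_EXPIRED_GOOD = """\
[GNUPG:] EXPKEYSIG C9FBAA83A8753994 Tatu Saloranta (cowtowncoder) <tatu.salora...@iki.fi>
[GNUPG:] VALIDSIG 6214760097DC5CFAD0175AC2C9FBAA83A8753994 2020-04-26 1587860166 0 4 0 1 10 00 6214760097DC5CFAD0175AC2C9FBAA83A8753994
[GNUPG:] KEYEXPIRED 1595635200
"""
# Hypothetical key (placeholder fingerprint) that is not on the pin list.
STATUS_GOOD_UNPINNED = """\
[GNUPG:] GOODSIG 0123456789ABCDEF Example Releaser <releaser@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2020-08-02 1596393410 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
"""
```

Feed `parse_status` the stdout of `gpg --batch --status-fd 1 --verify <file>.asc <file>`; gpg's human-readable text goes to stderr and is skipped. Run over the constructed transcripts, the 2.11.2 jar is rejected as unverifiable (import the key by its full fingerprint, not by the key server's search), the first download of the 2.11.0 jar is rejected as BAD, and the 2.11.0 pom is accepted because its signature was made on 2020-04-26 by a pinned key that only expired on 2020-07-25. BADSIG on the jar next to EXPKEYSIG plus VALIDSIG on the pom is the pattern of a corrupted or mismatched download, not of an expired key, which is what the thread eventually concludes.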