On Sat, Aug 22, 2020 at 3:21 AM Slawomir Jaranowski <[email protected]> wrote:
>
> Sat, Aug 22, 2020 at 02:07 Tatu Saloranta <[email protected]> wrote:
>>
>> On Fri, Aug 21, 2020 at 3:06 PM Slawomir Jaranowski <[email protected]> wrote:
>>>
>>> Fri, Aug 21, 2020 at 22:50 Tatu Saloranta <[email protected]> wrote:
>>>>
>>>> On Fri, Aug 21, 2020 at 1:45 PM Slawomir Jaranowski <[email protected]> wrote:
>>>>>
>>>>> The latest release of the jackson artifact is signed by a pgp key which is
>>>>> strange to me, because it doesn't have a uid in the key.
>>>>>
>>>>> https://hkps.pool.sks-keyservers.net/pks/lookup?op=vindex&fingerprint=on&search=0x8A10792983023D5D14C93B488D7F1BEC1E2ECAE7
>>>>>
>>>>> Please confirm that this key belongs to someone who has the privilege to
>>>>> release a new version of the project.
>>>>
>>>> Yes, this is the gpg key I generated after the earlier one expired by 2020-07-25.
>>>> Not sure why Brew-installed gnupg created something without a uid, I just
>>>> used the defaults suggested.
>>>>
>>>>> It is difficult to verify the signature, eg:
>>>>>
>>>>> gpg --recv-keys 8A10792983023D5D14C93B488D7F1BEC1E2ECAE7
>>>>> gpg: key 8D7F1BEC1E2ECAE7: no user ID
>>>>> gpg: Total number processed: 1
>>>>>
>>>>> gpg --verify ~/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.11.2/jackson-databind-2.11.2.jar.asc
>>>>> gpg: assuming signed data in '...m2/repository/com/fasterxml/jackson/core/jackson-databind/2.11.2/jackson-databind-2.11.2.jar'
>>>>> gpg: Signature made Sun Aug 2 20:36:50 2020 CEST
>>>>> gpg:                using RSA key 8A10792983023D5D14C93B488D7F1BEC1E2ECAE7
>>>>> gpg: Can't check signature: No public key
>>>>>
>>>>> ***************************************
>>>>>
>>>>> Another case: jackson-databind-2.11.0.jar - has a bad signature ... it can
>>>>> look like someone changed the content of jackson-databind-2.11.0.jar
>>>>>
>>>>> gpg --verify ~/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.11.0/jackson-databind-2.11.0.jar.asc
>>>>> gpg: assuming signed data in '..m2/repository/com/fasterxml/jackson/core/jackson-databind/2.11.0/jackson-databind-2.11.0.jar'
>>>>> gpg: Signature made Sun Apr 26 02:16:05 2020 CEST
>>>>> gpg:                using RSA key 6214760097DC5CFAD0175AC2C9FBAA83A8753994
>>>>> gpg: BAD signature from "Tatu Saloranta (cowtowncoder) <[email protected]>" [expired]
>>>>
>>>> I am not sure why you think there is something wrong with that key:
>>>> perhaps the gpg messages are a bit misleading here.
>>>> While the key is now expired, it was valid at the time of signing. Key
>>>> expiration is defined at creation and is immutable; this is for security
>>>> reasons (so that even if one accidentally exposes the key, it will not be
>>>> valid for use forever).
>>>> At least that is how I understand the above.
>>>
>>> An expired key has no impact on verification.
>>>
>>> The pom has a correct signature:
>>>
>>> gpg --verify ~/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.11.0/jackson-databind-2.11.0.pom.asc
>>> gpg: assuming signed data in '....m2/repository/com/fasterxml/jackson/core/jackson-databind/2.11.0/jackson-databind-2.11.0.pom'
>>> gpg: Signature made Sun Apr 26 02:16:06 2020 CEST
>>> gpg:                using RSA key 6214760097DC5CFAD0175AC2C9FBAA83A8753994
>>> gpg: Good signature from "Tatu Saloranta (cowtowncoder) <[email protected]>" [expired]
>>> gpg: Note: This key has expired!
>>> Primary key fingerprint: 6214 7600 97DC 5CFA D017 5AC2 C9FB AA83 A875 3994
>>
>> Ah, I see. Yes, I misread what you said and assumed you were referring
>> to the expired key.
>>
>> If I remember correctly, Sonatype Nexus was having serious performance
>> issues at the time when 2.11.0 was released and (I think) managed to
>> deploy a partial release somehow. I tried to make a new release which
>> was (somewhat correctly) blocked by Nexus. I worked with Sonatype
>> support people to try to get a working version published, but I think
>> they may have copied over a bad mix of artifacts in which the signature
>> file for the jar was not from the same release set as the jar itself.
>>
>> I tried to find the Jira issue since I think I had to file one -- this
>> to make sure my recollection of the incident is related to the problem
>> you see -- but could not quite locate it (see https://issues.sonatype.org/).
>>
>> At this point I would just suggest avoiding that version: 2.11.2 is
>> already out and should not suffer from the same problem.
>>
>> As to the 2.11.0 problem itself: only Sonatype could help with the
>> official artifact, but I suspect that even if that was rectified (by
>> building from the 2.12.0 release tag in the git repo, which is easy enough)
>> there is the problem of Maven repository caching, propagation to
>> various secondary repos etc.
>
> Thanks for your clarification.
> I redownloaded the artifacts and signature from Maven Central and the
> signature is OK for jackson-databind-2.11.0.jar
>
> Probably there was some problem during the first download.

Thank you for verifying and apologies for the mess. The reason I remember
the incident is just that the timing was so unfortunate: right when the
official 2.11.0 was released (and not during release candidates or so) :)

-+ Tatu +-

> --
> Sławomir Jaranowski
>
> --
> You received this message because you are subscribed to the Google Groups
> "jackson-dev" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/jackson-dev/CAGjJkv1q4%3DzG4wbRR7Kv2167%3D3jgqy10D%2BHuTDPONYh6yHdtTw%40mail.gmail.com.
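The thread turns on three distinct gpg outcomes that look alike in the human-readable output: a good signature from a key that has since expired (fine, the key was valid when the artifact was signed), a BAD signature (the jar or the .asc does not match, here a corrupted download), and "No public key" (the key could not be imported because it has no user ID). The following is an added example, not code from the thread or from the Jackson project: it classifies the machine-readable `gpg --status-fd` lines instead of the prose messages, and only accepts an artifact when the signing key's fingerprint is on an allowlist of release keys. The allowlist contents, the `evaluate`/`parse_status` names and the sample status output are all constructed for this example; the two fingerprints are the ones quoted in the thread.

```python
"""Classify machine-readable gpg verification output for a release artifact.

Added example, not part of the jackson-dev thread. Real use: run
    gpg --status-fd 1 --verify artifact.jar.asc artifact.jar
and feed stdout to evaluate(). Status keyword formats follow GnuPG's
DETAILS document (GOODSIG, EXPKEYSIG, BADSIG, NO_PUBKEY, VALIDSIG).
"""
import re
import subprocess
from typing import Dict, List

# Hypothetical allowlist of release-signing keys, identified by full
# fingerprint (never by the 64-bit key id). A project would keep this under
# version control and review every change to it.
TRUSTED_RELEASE_KEYS = {
    "6214760097DC5CFAD0175AC2C9FBAA83A8753994",  # older key, expired 2020-07
    "8A10792983023D5D14C93B488D7F1BEC1E2ECAE7",  # replacement key
}

STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")


def parse_status(output: str) -> Dict[str, List[str]]:
    """Map each gpg status keyword to the list of argument strings seen."""
    found: Dict[str, List[str]] = {}
    for line in output.splitlines():
        m = STATUS_RE.match(line.strip())
        if m:
            found.setdefault(m.group(1), []).append(m.group(2) or "")
    return found


def evaluate(output: str, trusted=TRUSTED_RELEASE_KEYS) -> dict:
    """Return {'status', 'fingerprint', 'signer', 'accepted'} for one verify run."""
    st = parse_status(output)
    verdict = {"status": "unknown", "fingerprint": None,
               "signer": None, "accepted": False}

    # VALIDSIG: <fpr> <date> <ts> <sig-expiry> <ver> <res> <pk-algo>
    #           <hash-algo> <class> [<primary-fpr>]  -> prefer the primary.
    if "VALIDSIG" in st:
        fields = st["VALIDSIG"][0].split()
        verdict["fingerprint"] = fields[9] if len(fields) >= 10 else fields[0]

    if "BADSIG" in st:
        # Data or signature file altered, or .asc from a different build.
        verdict["status"] = "bad"
        verdict["signer"] = st["BADSIG"][0].split(" ", 1)[-1]
    elif "NO_PUBKEY" in st:
        # Nothing can be said about the data until the key is obtained
        # out of band (the thread's key with no uid would not even import).
        verdict["status"] = "no-public-key"
    elif "EXPKEYSIG" in st:
        # Cryptographically good; key expired after signing. Expiry does not
        # retroactively invalidate signatures made while the key was valid.
        verdict["status"] = "good-expired-key"
        verdict["signer"] = st["EXPKEYSIG"][0].split(" ", 1)[-1]
    elif "GOODSIG" in st:
        verdict["status"] = "good"
        verdict["signer"] = st["GOODSIG"][0].split(" ", 1)[-1]

    # A good signature is only half the check: the key must be a known
    # release key, which is exactly what the thread asked the maintainer to confirm.
    verdict["accepted"] = (
        verdict["status"] in ("good", "good-expired-key")
        and verdict["fingerprint"] in trusted
    )
    return verdict


def verify_file(asc_path: str, data_path: str) -> dict:
    """Invoke gpg on real files; --status-fd 1 puts status lines on stdout."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", asc_path, data_path],
        capture_output=True, text=True, check=False)
    return evaluate(proc.stdout)


# Constructed sample status output mirroring the three cases in the thread.
SAMPLE_GOOD_EXPIRED = """\
[GNUPG:] NEWSIG
[GNUPG:] KEYEXPIRED 1595635200
[GNUPG:] EXPKEYSIG C9FBAA83A8753994 Tatu Saloranta (cowtowncoder) <[email protected]>
[GNUPG:] VALIDSIG 6214760097DC5CFAD0175AC2C9FBAA83A8753994 2020-04-26 1587860166 0 4 0 1 8 00 6214760097DC5CFAD0175AC2C9FBAA83A8753994
"""
SAMPLE_BAD = """\
[GNUPG:] NEWSIG
[GNUPG:] KEYEXPIRED 1595635200
[GNUPG:] BADSIG C9FBAA83A8753994 Tatu Saloranta (cowtowncoder) <[email protected]>
"""
SAMPLE_NO_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 8D7F1BEC1E2ECAE7 1 8 00 1596393410 9 8A10792983023D5D14C93B488D7F1BEC1E2ECAE7
[GNUPG:] NO_PUBKEY 8D7F1BEC1E2ECAE7
"""

if __name__ == "__main__":
    for name, sample in (("pom", SAMPLE_GOOD_EXPIRED), ("jar", SAMPLE_BAD),
                         ("2.11.2 jar", SAMPLE_NO_KEY)):
        print(name, evaluate(sample))
```

Note that a BADSIG and a NO_PUBKEY lead to different actions: the first means the bytes on disk do not match what was signed (re-download from the canonical repository before suspecting tampering, as the thread's author did), while the second means the key has to be fetched and its fingerprint confirmed with the project before the artifact can be judged at all.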
