Oh that's definitely a different signing key. That's supposed to make it possible for Log4j to be embedded in Java WebStart and Applet programs that all rely on code signing for general security. I believe the idea is that the code can be signed by some build server during release to prevent leaking our key.
On 29 August 2014 21:51, Ralph Goers <[email protected]> wrote: > What is the story with the ASF code signing key. Matt, I noticed that you > added Log4j 2 to the Jira issue. > > Ralph > > On Aug 29, 2014, at 7:31 PM, [email protected] wrote: > > > Note correct signing key for distribution. > > > > > > Project: http://git-wip-us.apache.org/repos/asf/logging-log4j2/repo > > Commit: > http://git-wip-us.apache.org/repos/asf/logging-log4j2/commit/066e1855 > > Tree: > http://git-wip-us.apache.org/repos/asf/logging-log4j2/tree/066e1855 > > Diff: > http://git-wip-us.apache.org/repos/asf/logging-log4j2/diff/066e1855 > > > > Branch: refs/heads/master > > Commit: 066e1855e7ed4a349904809f4bd866aa9ca85a2e > > Parents: a2c18b6 > > Author: Matt Sicker <[email protected]> > > Authored: Fri Aug 29 18:56:46 2014 -0500 > > Committer: Matt Sicker <[email protected]> > > Committed: Fri Aug 29 18:56:46 2014 -0500 > > > > ---------------------------------------------------------------------- > > src/site/apt/download.apt.vm | 5 +++-- > > 1 file changed, 3 insertions(+), 2 deletions(-) > > ---------------------------------------------------------------------- > > > > > > > http://git-wip-us.apache.org/repos/asf/logging-log4j2/blob/066e1855/src/site/apt/download.apt.vm > > ---------------------------------------------------------------------- > > diff --git a/src/site/apt/download.apt.vm b/src/site/apt/download.apt.vm > > index dea8abc..e4b2f26 100644 > > --- a/src/site/apt/download.apt.vm > > +++ b/src/site/apt/download.apt.vm > > @@ -54,7 +54,8 @@ Download Apache Log4j 2 > > % gpg --verify apache-log4j-${Log4jReleaseVersion}-bin.tar.gz.asc > > --- > > > > - Apache Log4j 2 is signed by Ralph Goers B3D8E1BA > > +~~ Apache Log4j 2 is signed by Ralph Goers B3D8E1BA > > + Apache Log4j ${Log4jReleaseVersion} is signed by Matt Sicker > (FA1C814D) > > > > Alternatively, you can verify the MD5 signature on the files. A unix > program called md5 or md5sum is included > > in many unix distributions. > > @@ -76,4 +77,4 @@ log4j-api-${Log4jReleaseVersion}.jar > > log4j-core-${Log4jReleaseVersion}.jar > > --- > > > > - You can do this from the command line or a manifest file. > > \ No newline at end of file > > + You can do this from the command line or a manifest file. > > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [email protected] > For additional commands, e-mail: [email protected] > > -- Matt Sicker <[email protected]>
