https://logging.apache.org/log4j/extras/download.html contains a link to a KEYS file.
While this file includes the key that the page claims was used to sign the packages (Christian Grobmeier 42196CA8), verifying the signature does not work because the packages seem to be signed by a different key: > gpg --verify apache-log4j-extras-1.2.17-bin.zip.asc gpg: Signature made Mo 14 Okt 13:47:34 2013 CEST using RSA key ID A5CC90DB gpg: Can't check signature: No public key > gpg --verify apache-log4j-extras-1.2.17-src.zip.asc gpg: Signatur vom Mo 14 Okt 13:47:34 2013 CEST mittels RSA-Schlüssel ID A5CC90DB gpg: Signatur kann nicht geprüft werden: No public key Am I doing something wrong here or should the key A5CC90DB be added to the KEYS file With kind regards Piers --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
