Sat, 14 Aug 2021 at 00:38, Christopher Schultz <ch...@christopherschultz.net>:
>
> Mark,
>
> On 8/9/21 16:05, Mark Thomas wrote:
> > The proposed Apache Tomcat 8.5.70 release is now available for voting.
> >
> > [...]
> >
> > The proposed 8.5.70 release is:
> > [ ] Broken - do not release
> > [X] Stable - go ahead and release as 8.5.70
>
> Thanks for RM'ing.
>
> I won't veto the release, but it appears that you signed the (non-Maven)
> release artifacts with an expired PGP key. I'm not even sure how that's
> possible (GPG should refuse to do such things). Before release, I would
> recommend replacing the *.asc files; the originals obviously do not need
> to change. I did not check the Maven artifacts for similar issues.

Chris,

Checking the files,

gpg: assuming signed data in 'apache-tomcat-8.5.70.zip'
gpg: Signature made Mon Aug 9 19:18:24 2021 RTZ
gpg: using RSA key E4B2A4687C520E8EFEFB2777E94CA026DD51042F

I have not tested the KEYS file, but I do not see such a key at key servers, e.g.
https://keyserver.ubuntu.com/
adding '0x' to search, i.e. 0xE4B2A4687C520E8EFEFB2777E94CA026DD51042F

nor in Mark's profile at
https://whimsy.apache.org/roster/committer/markt

For comparison, looking at 10.1.0-M4 files, they were signed with a
different key:

gpg: assuming signed data in 'apache-tomcat-10.1.0-M4.zip'
gpg: Signature made Tue Aug 3 21:58:07 2021 RTZ
gpg: using RSA key A9C5DF4D22E99998D9875A5110C01C5A2F6059E7
gpg: Good signature from "Mark E D Thomas <ma...@apache.org>" [unknown]

and this key is present in Mark's profile and is known by the key server.

Best regards,
Konstantin Kolinko
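
The checks made by hand in this thread, automated as an added example that is not part of the original messages or of Tomcat's release tooling: it reads the machine-readable status lines gpg writes with --status-fd and accepts only a good signature from a fingerprint listed as trusted. The TRUSTED set, fingerprints, key IDs and status lines are constructed for illustration.

```python
# Added example: classify `gpg --status-fd 1 --verify` output for one signature.
# All fingerprints, key IDs and status lines here are constructed samples.
TRUSTED = {"1111222233334444555566667777888899990000"}  # hypothetical KEYS entries

# Status keywords that must block a release, checked in this order.
BLOCKING = (("BADSIG", "bad-signature"), ("NO_PUBKEY", "unknown-key"),
            ("REVKEYSIG", "revoked-key"), ("EXPKEYSIG", "expired-key"),
            ("EXPSIG", "expired-signature"))


def classify(status_text, trusted=TRUSTED):
    """Return (verdict, key) where key is a fingerprint or key ID, or None."""
    seen = {}
    for line in status_text.splitlines():
        fields = line.split()
        # Only "[GNUPG:] KEYWORD args..." lines count; "gpg:" text is ignored.
        if len(fields) > 1 and fields[0] == "[GNUPG:]":
            seen.setdefault(fields[1], fields[2:])
    fpr = None
    if "VALIDSIG" in seen:
        args = seen["VALIDSIG"]
        # Field 10 is the primary-key fingerprint; fall back to the signing key.
        fpr = args[9] if len(args) > 9 else args[0]
    for keyword, verdict in BLOCKING:
        if keyword in seen:
            return verdict, fpr or seen[keyword][0]
    if fpr is None or "GOODSIG" not in seen:
        return "unverified", fpr  # no positive result: fail closed
    if fpr not in trusted:
        return "untrusted-key", fpr
    return "ok", fpr


VALID = "[GNUPG:] VALIDSIG {0} 2021-08-03 1628017087 0 4 0 1 10 00 {0}\n"
GOOD = ("[GNUPG:] GOODSIG 7777888899990000 Example RM <rm@example.org>\n"
        + VALID.format("1111222233334444555566667777888899990000"))
EXPIRED = ("[GNUPG:] KEYEXPIRED 1600000000\n"
           "[GNUPG:] EXPKEYSIG 7777888899990000 Example RM <rm@example.org>\n"
           + VALID.format("1111222233334444555566667777888899990000"))
MISSING = ("gpg: Signature made (constructed sample)\n"
           "[GNUPG:] ERRSIG AAAABBBBCCCCDDDD 1 10 00 1628525904 9\n"
           "[GNUPG:] NO_PUBKEY AAAABBBBCCCCDDDD\n")
OTHER = ("[GNUPG:] GOODSIG 0000111122223333 Someone <s@example.org>\n"
         + VALID.format("AAAABBBBCCCCDDDDEEEEFFFF0000111122223333"))

if __name__ == "__main__":
    for name in ("GOOD", "EXPIRED", "MISSING", "OTHER"):
        print(name, classify(globals()[name]))
```
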