Per Cederqvist created SOLR-14527: ------------------------------------- Summary: The 8.5.1 release can't be verified using PGP Key: SOLR-14527 URL: https://issues.apache.org/jira/browse/SOLR-14527 Project: Solr Issue Type: Bug Security Level: Public (Default Security Level. Issues are Public) Components: website Affects Versions: 8.5.1 Reporter: Per Cederqvist
The [https://archive.apache.org/dist/lucene/solr/8.5.1/solr-8.5.1.tgz.asc] signature of the [https://archive.apache.org/dist/lucene/solr/8.5.1/solr-8.5.1.tgz] file is made by the following key: pub rsa4096 2019-07-10 [SC] E58A6F4D5B2B48AC66D5E53BD4F181881A42F9E6 uid [ unknown] Ignacio Vera (CODE SIGNING KEY) <iv...@apache.org> sub rsa4096 2019-07-10 [E] However, that key is not included in [https://archive.apache.org/dist/lucene/solr/KEYS,] so there is no way for me to verify that the file is authentic. I could download the key from a keyserver, but there are no signatures on the key, so I'm left with no way to verify that the 8.5.1 distribution is legitimate. I'm assuming this is just an omission, and that [~ivera] simply forgot to add the key to the KEYS file. -- This message was sent by Atlassian Jira (v8.3.4#803005) --------------------------------------------------------------------- To unsubscribe, e-mail: issues-unsubscr...@lucene.apache.org For additional commands, e-mail: issues-h...@lucene.apache.org