I was going through the reporter.apache.org tool and it's showing 195 release files in /dist/ as being signed with what is now an expired key. They're listed here: https://checker.apache.org/projs/aries.html
Instructions for fixing are here: https://checker.apache.org/doc/README.html#EXPKEYSIG ---- The problem can be fixed in three ways : 1. remove the parent package file from /dist/, * If the signed package is oldish, seriously consider removing it. * You are required to remove releases not currently under development ; see the release policy on when to archive releases. * On your download page, simply refer to the archived package. 2. or change the expiration date of the key, 3. or replace the signature file. ---- These are old releases, but some are still the most recent. At this point the easiest thing would be for Holly to extend the expiration date of the key. Holly ... are you able to do that please - instructions linked to from the above? Many thanks, Jeremy
