I haven't tried this out yet. I did want to point out that the instructions for doing the check are on
http://santuario.apache.org/download.html and they point to the second location you list below. On Mon, Jun 8, 2009 at 11:43 AM, Sean Mullan <sean.mul...@sun.com> wrote: > Which KEYS file are you using? Try: http://santuario.apache.org/dist/ > > I still need to update http://www.apache.org/dist/xml/security/KEYS > > --Sean > > jason marshall wrote: > >> Did the KEYS file get updated? >> >> Thanks, >> Jason >> >> On Tue, Jun 2, 2009 at 10:59 AM, Sean Mullan <sean.mul...@sun.com<mailto: >> sean.mul...@sun.com>> wrote: >> >> I signed it for the first time with my key but I thought I had >> updated the KEYS file. I'll look into this and get back to you. >> >> --Sean >> >> >> jason marshall wrote: >> >>> As a datapoint, using the same process I am able to verify the >>> 1.4.1 signature. Did the signing key get swapped out at some >>> point without updating the KEYS file? >>> >>> Thanks, >>> Jason >>> >>> On Mon, Jun 1, 2009 at 2:16 PM, jason marshall >>> <jdmarsh...@gmail.com <mailto:jdmarsh...@gmail.com>> wrote: >>> >>> My coworker tried to upgrade to XML Sec 1.4.2 and discovered >>> that she couldn't verify the ASC signature against the >>> binaries. It appears that a new key is being used for >>> signing, but didn't get added to the keyring? >>> >>> I was able to repro the same failure. Anybody else? >>> >>> ~> gpg --verbose --verify xml-security-bin-1_4_2.zip.asc >>> gpg: armor header: Version: GnuPG v2.0.9 (SunOS) >>> gpg: assuming signed data in `xml-security-bin-1_4_2.zip' >>> gpg: Signature made Mon 23 Jun 2008 01:09:20 PM PDT using DSA >>> key ID A74A32FC >>> gpg: Can't check signature: public key not found >>> >>> >>> Thanks, >>> Jason >>> >>> >>> >>> >>> -- - Jason >>> >> >> >> >> >> -- >> - Jason >> > > -- - Jason
