Following the download instructions on the project's site, I have noticed that Yegor Kozlov's PGP key has been expired since June 16, 2012; http://pgp.mit.edu/pks/lookup?search=0xf5bb52cd. I have imported keys from http://archive.apache.org/dist/poi/KEYS. I can see that it's valid and I can see the chain of trust but using an expired key is bad form and probably should be remediated.
$ gpg --verify poi-bin-3.10-FINAL-20140208.tar.gz.asc gpg: Signature made Sat 01 Feb 2014 06:09:03 AM PST using DSA key ID F5BB52CD gpg: Good signature from "Yegor Kozlov <[email protected]>" gpg: aka "Yegor Kozlov <[email protected]>" gpg: aka "Yegor Kozlov <[email protected]>" gpg: Note: This key has expired! Primary key fingerprint: 7D77 0C77 6CE7 754E E6AF 23AA 6934 0A02 F5BB 52CD -Gary
