чт, 23 апр. 2020 г. в 21:18, Mark Thomas <ma...@apache.org>: > > On 23/04/2020 18:42, Tianon Gravi wrote: > > Hi! > > > > I'm downloading 10.0.0-M4 from the download page[1] and was hoping to > > be able to use PGP to verify the artifacts (as in other versions), and > > it seems the link from that page[2] is a 404? > > > > [1]: https://tomcat.apache.org/download-10.cgi > > [2]: > > https://downloads.apache.org/tomcat/tomcat-10/v10.0.0-M4/bin/apache-tomcat-10.0.0-M4.tar.gz.asc > > > > I've checked a couple other download mirrors and archive.apache.org, > > and it appears that M3 *did* include a signature file for > > "apache-tomcat-10.0.0-M3.tar.gz" (but interestingly, M1 did not > > include one for "apache-tomcat-10.0.0-M1.tar.gz") so perhaps this is > > just a pipeline hiccup / minor oversight? > > Thanks for the heads up. > > That part of the release process is fully automated and it includes > signature generation. > > There have been a couple of glitches lately. I'm not sure what is going > on. I'll try and watch the console for the next set of builds more > carefully. > > I still have the original build outputs locally so I'll generate any > missing signatures and get them uploaded.
The *.tar.gz and *.zip files are also published to the Maven repository (as the org.apache.tomcat:tomcat artifact), and they have the signatures. I have a copy of Maven staging repository from the time of release vote. So I verified that those signatures match the files in the release and uploaded them to dist.a.o. Best regards, Konstantin Kolinko --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
