Posted to users@maven.apache.org by "Ward, Evan" <Ev...@nrl.navy.mil.INVALID> on 2020/02/19 16:04:57 UTC

Is key 0x0CDE80149711EB46DFF17AE421A24B3F8B0F594A for Karl Heinz Marbaise trusted?

Hi,

I have been attempting to verify the signatures on maven plugins using
the instructions on the downloads page, e.g. [1]. Several plugins have
been signed by the key 0x0CDE80149711EB46DFF17AE421A24B3F8B0F594A which
nominally belongs to Karl Heinz Marbaise, but this key is not present in the KEYS file at [2]. Does this key truly belong to an Apache Committer? If so please add it to the keys file. Karl has other keys in the KEYS file - is there a reason this specific key is not trusted? 

This issue applies to at least the install plugin version 2.5.2 and the
deploy plugin version 2.8.2.

Best Regards,
Evan


[1] https://maven.apache.org/plugins/maven-deploy-plugin/download.cgi
[2] https://www.apache.org/dist/maven/KEYS


-- 
Evan Ward
Aerospace Engineer, Astrodynamics and Navigation Section
U.S. Naval Research Laboratory
T 202.279.4365
www.nrl.navy.mil
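
The situation described in the message above (a signature that verifies, made by a key that is absent from the KEYS file) can be checked mechanically by comparing the primary-key fingerprint in gpg's `VALIDSIG` status line with the fingerprints listed in KEYS. This is an added example, not part of the original post or of Apache's tooling; the function names are hypothetical, and the KEYS listing and status output are constructed samples (only the fingerprint under discussion is taken from the thread).

```shell
#!/bin/sh
# Real inputs would come from gpg, for example:
#   gpg --with-colons --import-options show-only --import KEYS > keys.colons
#   gpg --status-fd 1 --verify artifact.asc artifact > sig.status
# The sample data below is constructed so the script runs offline without gpg.

sample_keys() {  # constructed KEYS listing with placeholder fingerprints
cat <<'EOF'
pub:-:4096:1:AAAAAAAAAAAAAAAA:1500000000:::-:::scESC:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
sub:-:4096:1:CCCCCCCCCCCCCCCC:1500000000::::::e:
fpr:::::::::CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC:
pub:-:4096:1:BBBBBBBBBBBBBBBB:1500000000:::-:::scESC:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:
EOF
}

sample_status() {  # constructed status output for a signature that verifies
cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] VALIDSIG 0CDE80149711EB46DFF17AE421A24B3F8B0F594A 2020-01-01 1577836800 0 4 0 1 10 00 0CDE80149711EB46DFF17AE421A24B3F8B0F594A
EOF
}

# Print the primary-key fingerprints (the fpr record right after each pub record).
primary_fprs() {
  awk -F: '$1 == "pub" { want = 1; next }
           $1 == "fpr" && want { print toupper($10); want = 0 }
           $1 == "sub" { want = 0 }'
}

# $1 = gpg status output, $2 = colon listing of KEYS. Exit 0 only if the
# signature is valid AND its primary key is listed in KEYS.
check_release_sig() {
  signer=$(awk '$2 == "VALIDSIG" { print toupper($NF); exit }' "$1")
  case $signer in
    ""|*[!0-9A-F]*) echo "not-verified"; return 2 ;;  # BADSIG, ERRSIG, NO_PUBKEY
  esac
  if primary_fprs < "$2" | grep -qxF "$signer"; then
    echo "ok $signer"; return 0
  fi
  echo "valid-but-not-in-KEYS $signer"; return 1
}

# Demo on the constructed data: a good signature from a key missing from KEYS.
tmp=$(mktemp -d)
sample_keys > "$tmp/keys.colons"
sample_status > "$tmp/sig.status"
check_release_sig "$tmp/sig.status" "$tmp/keys.colons" || true
rm -rf "$tmp"
```

A cryptographically good signature only proves which key signed the file; the comparison against KEYS is what ties that key to the project's release signers.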

RE: [maven] Re: Is key 0x0CDE80149711EB46DFF17AE421A24B3F8B0F594A for Karl Heinz Marbaise trusted?

Posted by Jason Pyeron <jp...@pdinc.us>.
> -----Original Message-----
> From: Karl Heinz Marbaise
> Sent: Wednesday, February 19, 2020 1:07 PM
> 
> Hi,
> 
> On 19.02.20 17:04, Ward, Evan wrote:
> > Hi,
> >
> > I have been attempting to verify the signatures on maven plugins using
> > the instructions on the downloads page, e.g. [1]. Several plugins have
> > been signed by the key 0x0CDE80149711EB46DFF17AE421A24B3F8B0F594A which
<snip/>
> > If so please add it to the keys file. Karl has other keys in the KEYS file - is there a reason this specific key is not trusted?
> 
> What do you mean exactly by "not trusted" ? ...You are checking via gpg
> --verify ?

I think he meant that it is not included in the Apache Maven "Authorized" signing keys list found at: 

<snip/>

> > [2] https://www.apache.org/dist/maven/KEYS


--
Jason Pyeron  | Architect
PD Inc        |
10 w 24th St  |
Baltimore, MD |
 
.mil: jason.j.pyeron.ctr@mail.mil
.com: jpyeron@pdinc.us
tel : 202-741-9397





---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@maven.apache.org
For additional commands, e-mail: users-help@maven.apache.org


Re: Is key 0x0CDE80149711EB46DFF17AE421A24B3F8B0F594A for Karl Heinz Marbaise trusted?

Posted by "Ward, Evan" <Ev...@nrl.navy.mil.INVALID>.
Hi Karl,

On 2020/02/19 18:06:46, Karl Heinz Marbaise <k....@gmx.de> wrote: 
> Hi,
>
> On 19.02.20 17:04, Ward, Evan wrote:
> > Hi,
> >
> > I have been attempting to verify the signatures on maven plugins using
> > the instructions on the downloads page, e.g. [1]. Several plugins have
> > been signed by the key 0x0CDE80149711EB46DFF17AE421A24B3F8B0F594A which
> > nominally belongs to Karl Heinz Marbaise, but this key is not present in the KEYS file at [2]. Does this key truly belong to an Apache Committer?
>
> Yes it does.
>
> https://maven.apache.org/team.html#khmarbaise


Great! Can you put it in KEYS? According to the documentation on your downloads page the KEYS file contains all keys trusted to release maven plugins. It does not include your key 0x0CDE80149711EB46DFF17AE421A24B3F8B0F594A. That is why I questioned whether there are trust issues concerning that particular key.

>
> > If so please add it to the keys file. Karl has other keys in the KEYS file - is there a reason this specific key is not trusted?
>
> What do you mean exactly by "not trusted" ? ...You are checking via gpg
> --verify ?

By "not trusted" I mean not in the KEYS file, which is how Apache conveys that certain keys are trusted to make releases on behalf of the maven project.

Best Regards,
Evan

>
> Kind regards
> Karl Heinz Marbaise
>
> >
> > This issue applies to at least the install plugin version 2.5.2 and the
> > deploy plugin version 2.8.2.
> >
> > Best Regards,
> > Evan
> >
> >
> > [1] https://maven.apache.org/plugins/maven-deploy-plugin/download.cgi
> > [2] https://www.apache.org/dist/maven/KEYS
> >

Re: Is key 0x0CDE80149711EB46DFF17AE421A24B3F8B0F594A for Karl Heinz Marbaise trusted?

Posted by Karl Heinz Marbaise <kh...@gmx.de>.
Hi,

On 19.02.20 17:04, Ward, Evan wrote:
> Hi,
>
> I have been attempting to verify the signatures on maven plugins using
> the instructions on the downloads page, e.g. [1]. Several plugins have
> been signed by the key 0x0CDE80149711EB46DFF17AE421A24B3F8B0F594A which
> nominally belongs to Karl Heinz Marbaise, but this key is not present in the KEYS file at [2]. Does this key truly belong to an Apache Committer?

Yes it does.

https://maven.apache.org/team.html#khmarbaise




> If so please add it to the keys file. Karl has other keys in the KEYS file - is there a reason this specific key is not trusted?

What do you mean exactly by "not trusted" ? ...You are checking via gpg
--verify ?


Kind regards
Karl Heinz Marbaise

>
> This issue applies to at least the install plugin version 2.5.2 and the
> deploy plugin version 2.8.2.
>
> Best Regards,
> Evan
>
>
> [1] https://maven.apache.org/plugins/maven-deploy-plugin/download.cgi
> [2] https://www.apache.org/dist/maven/KEYS
>
>

