Posted to dev@uima.apache.org by Marshall Schor <ms...@schor.com> on 2017/11/27 16:36:42 UTC
new signature checking facility for releases in Apache mirror system
This is just FYI, no action needed :-)
When we commit to dist.apache.org/repos/dist/release these get copied to the
Apache mirror distribution system (including the base www.apache.org/dist/uima )
Henk Penning runs automatic checking software that ensures things are properly
signed.
He's augmented this recently with more automation, which, in turn, depends on a
file to be kept in the directory www.apache.org/dist/uima/META - uima.html
(plus an ".asc" gpg signature).
Henk said in an email to me:
I wonder if I can ask you to do a little experiment ...
-- install https://checker.apache.org/META/uima.html as dist/uima/META
-- create dist/uima/META.asc with your key "cc762ffdcd04cfd6"
It would enable checker.apache.org to show, for every uima artifact,
a proof that the artifact is authentic.
See for example :
https://checker.apache.org/sums/5d71c0133401aeb48b6e492c7650d3b3f57b18ee.html
Hope to hear from you ; any feedback is appreciated.
Thanks ; regards,
Henk Penning
I have done this to aid in his "experiment". The file uima.html and its .asc
are being kept in the uima-website project, in the directory META. The
uima-website project HOWTO file is updated with a bit of info about this, as well.
-Marshall
Re: new signature checking facility for releases in Apache mirror system
Posted by Marshall Schor <ms...@schor.com>.
This is now set up (took 2 tries). Henk says:
Now, if some downloader retrieves (from a mirror) a file with
SHA1 = eefbac103d3c6cee6c8b1148797663bbdfcc6c16
then he/she can visit the checker :
https://checker.apache.org/dist/verify.html
... paste in the checksum (eefbac103d3c6cee6c8b1148797663bbdfcc6c16)
and click 'search'. The result-page shows that the download is
an authentic ASF artifact, and the steps in the proof-chain.
Cheers. -Marshall
On 11/27/2017 11:36 AM, Marshall Schor wrote:
> This is just FYI, no action needed :-)
>
> When we commit to dist.apache.org/repos/dist/release these get copied to the
> Apache mirror distribution system (including the base www.apache.org/dist/uima )
>
> Henk Penning runs automatic checking software that ensures things are properly
> signed.
>
> He's augmented this recently with more automation, which, in turn, depends on a
> file to be kept in the directory www.apache.org/dist/uima/META - uima.html
> (plus an ".asc" gpg signature).
>
> Henk said in an email to me:
>
> I wonder if I can ask you to do a little experiment ...
>
> -- install https://checker.apache.org/META/uima.html as dist/uima/META
> -- create dist/uima/META.asc with your key "cc762ffdcd04cfd6"
>
> It would enable checker.apache.org to show, for every uima artifact,
> a proof that the artifact is authentic.
>
> See for example :
>
> https://checker.apache.org/sums/5d71c0133401aeb48b6e492c7650d3b3f57b18ee.html
>
> Hope to hear from you ; any feedback is appreciated.
>
> Thanks ; regards,
>
> Henk Penning
>
> I have done this to aid in his "experiment". The file uima.html and its .asc
> are being kept in the uima-website project, in the directory META. The
> uima-website project HOWTO file is updated with a bit of info about this, as well.
>
> -Marshall
>
>
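
The downloader-side lookup Henk describes in the reply above, as an added shell example (not part of the thread and not checker.apache.org's own tooling): it computes a download's SHA-1, validates it, and prints what to look up on the checker. The function names are hypothetical, and the direct `sums/<sha1>.html` link is an assumption based on the one example URL in the first message.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the thread.

# Assumption: every checksum has a page shaped like the one example link
# in the thread, https://checker.apache.org/sums/<sha1>.html
CHECKER_SUMS="https://checker.apache.org/sums"
CHECKER_FORM="https://checker.apache.org/dist/verify.html"

# Print the SHA-1 hex digest of a file, using whichever tool is installed.
file_sha1() {
    [ -f "$1" ] || { echo "not a file: $1" >&2; return 2; }
    if command -v sha1sum >/dev/null 2>&1; then
        out=$(sha1sum < "$1") || return 3
    elif command -v shasum >/dev/null 2>&1; then
        out=$(shasum -a 1 < "$1") || return 3
    else
        echo "no sha1sum or shasum found" >&2; return 3
    fi
    printf '%s\n' "${out%% *}"   # drop the trailing "  -" file marker
}

# Turn a pasted checksum into a checker URL. Whitespace and upper case are
# normalised; anything that is not exactly 40 hex digits is rejected so a
# truncated or mistyped value never reaches the lookup.
checker_url() {
    sum=$(printf '%s' "$1" | tr -d '[:space:]' | tr '[:upper:]' '[:lower:]')
    case "$sum" in
        *[!0-9a-f]*) echo "not a SHA-1 digest: $1" >&2; return 1 ;;
    esac
    [ "${#sum}" -eq 40 ] || { echo "not a SHA-1 digest: $1" >&2; return 1; }
    printf '%s/%s.html\n' "$CHECKER_SUMS" "$sum"
}

# Digest a downloaded file and print what to look up on the checker.
lookup_download() {
    digest=$(file_sha1 "$1") || return $?
    printf '%s\n' "$digest"
    printf 'paste into: %s\n' "$CHECKER_FORM"
    printf 'or open:    %s\n' "$(checker_url "$digest")"
}

# Run as: sh lookup.sh <downloaded-file>
if [ "$#" -gt 0 ]; then
    lookup_download "$1"
fi
```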