Posted to issues@commons.apache.org by "Torsten Curdt (JIRA)" <ji...@apache.org> on 2011/05/13 09:38:47 UTC

[jira] [Commented] (JCI-63) Released JCI 1.0 downloads are signed by a key NOT in the master KEYS file

    [ https://issues.apache.org/jira/browse/JCI-63?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13032874#comment-13032874 ] 

Torsten Curdt commented on JCI-63:
----------------------------------

It is included in the central KEYS file, so all is good now.

https://people.apache.org/keys/group/commons.asc

> Released JCI 1.0 downloads are signed by a key NOT in the master KEYS file
> --------------------------------------------------------------------------
>
>                 Key: JCI-63
>                 URL: https://issues.apache.org/jira/browse/JCI-63
>             Project: Commons JCI
>          Issue Type: Bug
>          Components: site
>    Affects Versions: 1.0
>         Environment: Tested on Windows for the .zip downloads.
>            Reporter: J Bohm
>
> The files commons-jci-bin.zip.asc and commons-jci-src.zip.asc are signed by public key 7C200941, which is not in the KEYS file listing authorized download signatures.  This means that either security has been compromised and the downloaded files are fakes or (more likely) someone messed up and signed the JCI release files with the wrong key.
> In either case this means that there is no currently available JCI 1.0 release (unless users ignore your own security warning to always verify downloads).
> I suggest that the genuine 1.0 release files be signed with an authorized key already listed in the KEYS file, or the relevant key be added to the KEYS file on the commons site.
> The bug may or may not affect the .tar.gz.asc files.
