Posted to dev@jackrabbit.apache.org by Tobias Bocanegra <tr...@adobe.com> on 2020/01/10 00:00:50 UTC

check-release.sh bug (was: [VOTE] Release Apache Jackrabbit Filevault 3.4.2 and Filevault Package Maven Plugin 1.1.0)

Hi,


Then a problem with the script itself:

[INFO] 3. Verify checksums and signatures
[INFO]
[INFO]    Verifying jackrabbit-filevault-3.4.2-src.zip...
gpg: assuming signed data in './filevault/3.4.2/jackrabbit-filevault-3.4.2-src.zip'
gpg: Signature made Wed Jan  8 18:03:46 2020 JST
gpg:                using RSA key D7742D58455ECC7C
gpg: Good signature from "Konrad Windszus <kw...@apache.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: B91A B7D2 121D C6B0 A61A  A182 D774 2D58 455E CC7C
[INFO]    OK: jackrabbit-filevault-3.4.2-src.zip.asc
How do you usually sign keys?
I added mine to https://dist.apache.org/repos/dist/release/jackrabbit/KEYS, is there anything more to do? I thought this would be enough for verification that the key belongs to me. Are the steps from https://jackrabbit.apache.org/jcr/creating-releases.html#Appendix_A:_Create_and_add_your_key_to_the_Jackrabbit_KEYS_file not enough? I am wondering why this hasn't been an issue with the last release...


So, although the verification failed, the script reports OK (same for sha1).
Note, after importing your key, the verification succeeds.

I don't think this is a problem on your side, but I didn't have your key in my keyring when executing the script:

gpg: Good signature from "Konrad Windszus <kw...@apache.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.

I would have expected the script to fail... But maybe this is not a problem.

Regards, toby
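The distinction toby is pointing at, as an added example that is not part of this thread and not the Jackrabbit check-release.sh: gpg --verify exits 0 for a good signature from a key it holds but does not trust, and only the human-readable WARNING on stderr tells that case apart from a fully trusted one, while a missing key gives a non-zero exit and no "Good signature" line at all. Scripting against gpg's machine-readable --status-fd lines instead makes the cases separable. The status lines embedded below are constructed sample data, not a capture from the vote (the key id and fingerprint are the ones quoted above, the remaining fields are illustrative), and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not the Jackrabbit check-release.sh: judge a detached
# signature from gpg's machine-readable status lines (--status-fd) rather
# than from its exit status or a grep for "Good signature".
#
# Return codes of classify_gpg_status:
#   0  VALIDSIG from a key with a trust path (TRUST_FULLY / TRUST_ULTIMATE)
#   1  VALIDSIG, but the key has no trust path (the "not certified" warning)
#   2  the signing key is not in the keyring (NO_PUBKEY): nothing was verified
#   3  BADSIG, or no usable status line at all

classify_gpg_status() {
    # Reads "[GNUPG:] ..." lines on stdin; only the keywords below matter.
    valid=0 bad=0 nopubkey=0 trusted=0
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)  valid=1 ;;
            "[GNUPG:] BADSIG "*)    bad=1 ;;
            "[GNUPG:] NO_PUBKEY "*) nopubkey=1 ;;
            "[GNUPG:] TRUST_FULLY"*|"[GNUPG:] TRUST_ULTIMATE"*) trusted=1 ;;
        esac
    done
    if [ "$bad" -eq 1 ]; then return 3
    elif [ "$nopubkey" -eq 1 ]; then return 2
    elif [ "$valid" -eq 1 ] && [ "$trusted" -eq 1 ]; then return 0
    elif [ "$valid" -eq 1 ]; then return 1
    fi
    return 3
}

signing_fingerprint() {
    # Primary-key fingerprint from the VALIDSIG line (its last field); this is
    # the value to compare against the fingerprints published in KEYS.
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF }'
}

verify_detached_sig() {
    # $1 = artifact, $2 = its detached .asc signature. gpg's status lines go
    # to fd 1, its chatty text to stderr; the pipeline's result is the
    # classifier's return code, not gpg's exit status.
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null | classify_gpg_status
}

report() {
    # $1 = label, $2 = status text. Prints OK only for a trusted VALIDSIG.
    printf '%s\n' "$2" | classify_gpg_status && rc=0 || rc=$?
    case "$rc" in
        0) printf '   OK: %s (valid, key trusted)\n' "$1" ;;
        1) printf ' WARN: %s (valid, but key not certified)\n' "$1" ;;
        2) printf ' FAIL: %s (signing key not in keyring)\n' "$1" ;;
        *) printf ' FAIL: %s (bad signature)\n' "$1" ;;
    esac
    return "$rc"
}

# Constructed --status-fd output for three situations (sample data, not a
# capture from the vote; key id and fingerprint are the ones quoted in the
# thread, the remaining fields are illustrative).
SAMPLE_MISSING_KEY='[GNUPG:] NEWSIG
[GNUPG:] ERRSIG D7742D58455ECC7C 1 10 00 1578474226 9 B91AB7D2121DC6B0A61AA182D7742D58455ECC7C
[GNUPG:] NO_PUBKEY D7742D58455ECC7C'
SAMPLE_UNTRUSTED_KEY='[GNUPG:] NEWSIG
[GNUPG:] VALIDSIG B91AB7D2121DC6B0A61AA182D7742D58455ECC7C 2020-01-08 1578474226 0 4 0 1 10 00 B91AB7D2121DC6B0A61AA182D7742D58455ECC7C
[GNUPG:] TRUST_UNDEFINED 0 pgp'
SAMPLE_TRUSTED_KEY='[GNUPG:] NEWSIG
[GNUPG:] VALIDSIG B91AB7D2121DC6B0A61AA182D7742D58455ECC7C 2020-01-08 1578474226 0 4 0 1 10 00 B91AB7D2121DC6B0A61AA182D7742D58455ECC7C
[GNUPG:] TRUST_ULTIMATE 0 pgp'

if [ "$#" -eq 2 ]; then
    # Real run: ./verify.sh jackrabbit-filevault-3.4.2-src.zip jackrabbit-filevault-3.4.2-src.zip.asc
    verify_detached_sig "$1" "$2"
    exit "$?"
else
    # No arguments: show how the three constructed situations are classified.
    report 'key missing'   "$SAMPLE_MISSING_KEY"   || true
    report 'key untrusted' "$SAMPLE_UNTRUSTED_KEY" || true
    report 'key trusted'   "$SAMPLE_TRUSTED_KEY"   || true
fi
```

For the exact situation quoted above (VALIDSIG plus TRUST_UNDEFINED) classify_gpg_status returns 1, so a script built on it would print a warning rather than OK, and for a key that is not in the keyring it returns 2 with nothing verified. The fingerprint from signing_fingerprint is what a release check should compare against the project's KEYS file: a good signature from some key in the local keyring says nothing about whether that key belongs to a release manager.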