You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@geronimo.apache.org by Wendy Smoak <ws...@gmail.com> on 2010/01/27 15:50:47 UTC
Fwd: Maven central has corrupted artifact org.apache.xbean:xbean-finder-shaded:jar:3.6
The message below was posted on the Maven Users list. I confirmed
that the checksum from [1] doesn't match, and then tried to verify the
gpg signature:
imbrium:Downloads wsmoak$ gpg -v xbean-finder-shaded-3.6.jar.asc
gpg: armor header: Version: GnuPG v1.4.7 (Darwin)
gpg: assuming signed data in `xbean-finder-shaded-3.6.jar'
gpg: Signature made Fri Sep 11 14:26:53 2009 MST using DSA key ID 56F3E01B
gpg: Can't check signature: public key not found
I have imported http://www.apache.org/dist/geronimo/KEYS and I also
searched http://pgp.mit.edu/ without finding it.
Can the owner of 56F3E01B / release manager for 3.6 please update the
KEYS file, or let me know where to find it?
[1] http://repo2.maven.org/maven2/org/apache/xbean/xbean-finder-shaded/3.6/
Thanks,
--
Wendy
---------- Forwarded message ----------
From: Markku Saarela <ma...@iki.fi>
Date: Wed, Jan 27, 2010 at 7:16 AM
Subject: Maven central has corrupted artifact
org.apache.xbean:xbean-finder-shaded:jar:3.6
To: Maven Users List <us...@maven.apache.org>
Hi,
org.apache.xbean:xbean-finder-shaded:jar:3.6 artifact MD5 checksum
does not match, so our Artifactory reject it's download.
So where can i get original jar file?
rgds,
Markku
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@maven.apache.org
For additional commands, e-mail: users-help@maven.apache.org
Re: Maven central has corrupted artifact org.apache.xbean:xbean-finder-shaded:jar:3.6
Posted by Kevan Miller <ke...@gmail.com>.
Hi Wendy,
Thanks for the note.
On Jan 27, 2010, at 9:50 AM, Wendy Smoak wrote:
> The message below was posted on the Maven Users list. I confirmed
> that the checksum from [1] doesn't match, and then tried to verify the
> gpg signature:
>
> imbrium:Downloads wsmoak$ gpg -v xbean-finder-shaded-3.6.jar.asc
> gpg: armor header: Version: GnuPG v1.4.7 (Darwin)
> gpg: assuming signed data in `xbean-finder-shaded-3.6.jar'
> gpg: Signature made Fri Sep 11 14:26:53 2009 MST using DSA key ID 56F3E01B
> gpg: Can't check signature: public key not found
>
> I have imported http://www.apache.org/dist/geronimo/KEYS and I also
> searched http://pgp.mit.edu/ without finding it.
>
> Can the owner of 56F3E01B / release manager for 3.6 please update the
> KEYS file, or let me know where to find it?
The signature verifies as signed by David Jencks. And I see his key id in our KEYS file. Can you please re-verify?
I do see an error in the MD5 checksum. Pretty sure this occurred because maven 2.2 was used to perform the release -- we ran into this problem with another release (where we detected the problem). Seems we missed the problem in this xbean release.
--kevan