You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@myfaces.apache.org by "Sebb (Jira)" <de...@myfaces.apache.org> on 2021/05/16 15:46:00 UTC

[jira] [Created] (MYFACES-4401) Download page gpg example needs second parameter

Sebb created MYFACES-4401:
-----------------------------

             Summary: Download page gpg example needs second parameter
                 Key: MYFACES-4401
                 URL: https://issues.apache.org/jira/browse/MYFACES-4401
             Project: MyFaces Core
          Issue Type: Bug
            Reporter: Sebb


It is important that the file being checked is also specified [1] on the gpg command line

For example:

gpg --verify myfaces-core-X.Y.Z-bin.tar.gz.asc myfaces-core-X.Y.Z-bin.tar.gz

and not

gpg --verify myfaces-core-X.Y.Z-bin.tar.gz.asc

If the second paramater is omitted, gpg can report success without actually checking the main artifact. This should not happen on correctly constructed ASF downloads, as we only provide detached sigs, but we should not be documenting bad practise.

[1] https://www.apache.org/info/verification.html#specify_both



--
This message was sent by Atlassian Jira
(v8.3.4#803005)