You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@myfaces.apache.org by "Sebb (Jira)" <de...@myfaces.apache.org> on 2021/05/16 15:46:00 UTC
[jira] [Created] (MYFACES-4401) Download page gpg example needs
second parameter
Sebb created MYFACES-4401:
-----------------------------
Summary: Download page gpg example needs second parameter
Key: MYFACES-4401
URL: https://issues.apache.org/jira/browse/MYFACES-4401
Project: MyFaces Core
Issue Type: Bug
Reporter: Sebb
It is important that the file being checked is also specified [1] on the gpg command line
For example:
gpg --verify myfaces-core-X.Y.Z-bin.tar.gz.asc myfaces-core-X.Y.Z-bin.tar.gz
and not
gpg --verify myfaces-core-X.Y.Z-bin.tar.gz.asc
If the second paramater is omitted, gpg can report success without actually checking the main artifact. This should not happen on correctly constructed ASF downloads, as we only provide detached sigs, but we should not be documenting bad practise.
[1] https://www.apache.org/info/verification.html#specify_both
--
This message was sent by Atlassian Jira
(v8.3.4#803005)