You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@santuario.apache.org by jason marshall <jd...@gmail.com> on 2009/06/01 23:16:40 UTC
Can't verify 1.4.2 signature
My coworker tried to upgrade to XML Sec 1.4.2 and discovered that she
couldn't verify the ASC signature against the binaries. It appears that a
new key is being used for signing, but didn't get added to the keyring?
I was able to repro the same failure. Anybody else?
~> gpg --verbose --verify xml-security-bin-1_4_2.zip.asc
gpg: armor header: Version: GnuPG v2.0.9 (SunOS)
gpg: assuming signed data in `xml-security-bin-1_4_2.zip'
gpg: Signature made Mon 23 Jun 2008 01:09:20 PM PDT using DSA key ID
A74A32FC
gpg: Can't check signature: public key not found
Thanks,
Jason
Re: Can't verify 1.4.2 signature
Posted by Sean Mullan <Se...@Sun.COM>.
Sean Mullan wrote:
> Which KEYS file are you using? Try: http://santuario.apache.org/dist/
I meant -
http://santuario.apache.org/dist/KEYS
>
> I still need to update http://www.apache.org/dist/xml/security/KEYS
>
> --Sean
>
> jason marshall wrote:
>> Did the KEYS file get updated?
>>
>> Thanks,
>> Jason
>>
>> On Tue, Jun 2, 2009 at 10:59 AM, Sean Mullan <Sean.Mullan@sun.com
>> <ma...@sun.com>> wrote:
>>
>> I signed it for the first time with my key but I thought I had
>> updated the KEYS file. I'll look into this and get back to you.
>>
>> --Sean
>>
>>
>> jason marshall wrote:
>>> As a datapoint, using the same process I am able to verify the
>>> 1.4.1 signature. Did the signing key get swapped out at some
>>> point without updating the KEYS file?
>>>
>>> Thanks,
>>> Jason
>>>
>>> On Mon, Jun 1, 2009 at 2:16 PM, jason marshall
>>> <jdmarshall@gmail.com <ma...@gmail.com>> wrote:
>>>
>>> My coworker tried to upgrade to XML Sec 1.4.2 and discovered
>>> that she couldn't verify the ASC signature against the
>>> binaries. It appears that a new key is being used for
>>> signing, but didn't get added to the keyring?
>>>
>>> I was able to repro the same failure. Anybody else?
>>>
>>> ~> gpg --verbose --verify xml-security-bin-1_4_2.zip.asc
>>> gpg: armor header: Version: GnuPG v2.0.9 (SunOS)
>>> gpg: assuming signed data in `xml-security-bin-1_4_2.zip'
>>> gpg: Signature made Mon 23 Jun 2008 01:09:20 PM PDT using DSA
>>> key ID A74A32FC
>>> gpg: Can't check signature: public key not found
>>>
>>>
>>> Thanks,
>>> Jason
>>>
>>>
>>>
>>>
>>> -- - Jason
>>
>>
>>
>>
>> --
>> - Jason
>
Re: Can't verify 1.4.2 signature
Posted by Sean Mullan <Se...@Sun.COM>.
jason marshall wrote:
> I haven't tried this out yet. I did want to point out that the
> instructions for doing the check are on
>
> http://santuario.apache.org/download.html
>
> and they point to the second location you list below.
Thanks, I fixed the link and it will be updated the next time we update the web
site.
--Sean
Re: Can't verify 1.4.2 signature
Posted by jason marshall <jd...@gmail.com>.
I haven't tried this out yet. I did want to point out that the instructions
for doing the check are on
http://santuario.apache.org/download.html
and they point to the second location you list below.
On Mon, Jun 8, 2009 at 11:43 AM, Sean Mullan <Se...@sun.com> wrote:
> Which KEYS file are you using? Try: http://santuario.apache.org/dist/
>
> I still need to update http://www.apache.org/dist/xml/security/KEYS
>
> --Sean
>
> jason marshall wrote:
>
>> Did the KEYS file get updated?
>>
>> Thanks,
>> Jason
>>
>> On Tue, Jun 2, 2009 at 10:59 AM, Sean Mullan <Sean.Mullan@sun.com<mailto:
>> Sean.Mullan@sun.com>> wrote:
>>
>> I signed it for the first time with my key but I thought I had
>> updated the KEYS file. I'll look into this and get back to you.
>>
>> --Sean
>>
>>
>> jason marshall wrote:
>>
>>> As a datapoint, using the same process I am able to verify the
>>> 1.4.1 signature. Did the signing key get swapped out at some
>>> point without updating the KEYS file?
>>>
>>> Thanks,
>>> Jason
>>>
>>> On Mon, Jun 1, 2009 at 2:16 PM, jason marshall
>>> <jdmarshall@gmail.com <ma...@gmail.com>> wrote:
>>>
>>> My coworker tried to upgrade to XML Sec 1.4.2 and discovered
>>> that she couldn't verify the ASC signature against the
>>> binaries. It appears that a new key is being used for
>>> signing, but didn't get added to the keyring?
>>>
>>> I was able to repro the same failure. Anybody else?
>>>
>>> ~> gpg --verbose --verify xml-security-bin-1_4_2.zip.asc
>>> gpg: armor header: Version: GnuPG v2.0.9 (SunOS)
>>> gpg: assuming signed data in `xml-security-bin-1_4_2.zip'
>>> gpg: Signature made Mon 23 Jun 2008 01:09:20 PM PDT using DSA
>>> key ID A74A32FC
>>> gpg: Can't check signature: public key not found
>>>
>>>
>>> Thanks,
>>> Jason
>>>
>>>
>>>
>>>
>>> -- - Jason
>>>
>>
>>
>>
>>
>> --
>> - Jason
>>
>
>
--
- Jason
Re: Can't verify 1.4.2 signature
Posted by Sean Mullan <Se...@Sun.COM>.
Which KEYS file are you using? Try: http://santuario.apache.org/dist/
I still need to update http://www.apache.org/dist/xml/security/KEYS
--Sean
jason marshall wrote:
> Did the KEYS file get updated?
>
> Thanks,
> Jason
>
> On Tue, Jun 2, 2009 at 10:59 AM, Sean Mullan <Sean.Mullan@sun.com
> <ma...@sun.com>> wrote:
>
> I signed it for the first time with my key but I thought I had
> updated the KEYS file. I'll look into this and get back to you.
>
> --Sean
>
>
> jason marshall wrote:
>> As a datapoint, using the same process I am able to verify the
>> 1.4.1 signature. Did the signing key get swapped out at some
>> point without updating the KEYS file?
>>
>> Thanks,
>> Jason
>>
>> On Mon, Jun 1, 2009 at 2:16 PM, jason marshall
>> <jdmarshall@gmail.com <ma...@gmail.com>> wrote:
>>
>> My coworker tried to upgrade to XML Sec 1.4.2 and discovered
>> that she couldn't verify the ASC signature against the
>> binaries. It appears that a new key is being used for
>> signing, but didn't get added to the keyring?
>>
>> I was able to repro the same failure. Anybody else?
>>
>> ~> gpg --verbose --verify xml-security-bin-1_4_2.zip.asc
>> gpg: armor header: Version: GnuPG v2.0.9 (SunOS)
>> gpg: assuming signed data in `xml-security-bin-1_4_2.zip'
>> gpg: Signature made Mon 23 Jun 2008 01:09:20 PM PDT using DSA
>> key ID A74A32FC
>> gpg: Can't check signature: public key not found
>>
>>
>> Thanks,
>> Jason
>>
>>
>>
>>
>> --
>> - Jason
>
>
>
>
> --
> - Jason
Re: Can't verify 1.4.2 signature
Posted by jason marshall <jd...@gmail.com>.
Did the KEYS file get updated?
Thanks,
Jason
On Tue, Jun 2, 2009 at 10:59 AM, Sean Mullan <Se...@sun.com> wrote:
> I signed it for the first time with my key but I thought I had updated the
> KEYS file. I'll look into this and get back to you.
>
> --Sean
>
>
> jason marshall wrote:
>
> As a datapoint, using the same process I am able to verify the 1.4.1
> signature. Did the signing key get swapped out at some point without
> updating the KEYS file?
>
> Thanks,
> Jason
>
> On Mon, Jun 1, 2009 at 2:16 PM, jason marshall <jd...@gmail.com>wrote:
>
>> My coworker tried to upgrade to XML Sec 1.4.2 and discovered that she
>> couldn't verify the ASC signature against the binaries. It appears that a
>> new key is being used for signing, but didn't get added to the keyring?
>>
>> I was able to repro the same failure. Anybody else?
>>
>> ~> gpg --verbose --verify xml-security-bin-1_4_2.zip.asc
>> gpg: armor header: Version: GnuPG v2.0.9 (SunOS)
>> gpg: assuming signed data in `xml-security-bin-1_4_2.zip'
>> gpg: Signature made Mon 23 Jun 2008 01:09:20 PM PDT using DSA key ID
>> A74A32FC
>> gpg: Can't check signature: public key not found
>>
>>
>> Thanks,
>> Jason
>>
>>
>
>
> --
> - Jason
>
>
>
--
- Jason
Re: Can't verify 1.4.2 signature
Posted by Sean Mullan <Se...@Sun.COM>.
I signed it for the first time with my key but I thought I had updated
the KEYS file. I'll look into this and get back to you.
--Sean
jason marshall wrote:
> As a datapoint, using the same process I am able to verify the 1.4.1
> signature. Did the signing key get swapped out at some point without
> updating the KEYS file?
>
> Thanks,
> Jason
>
> On Mon, Jun 1, 2009 at 2:16 PM, jason marshall <jdmarshall@gmail.com
> <ma...@gmail.com>> wrote:
>
> My coworker tried to upgrade to XML Sec 1.4.2 and discovered that
> she couldn't verify the ASC signature against the binaries. It
> appears that a new key is being used for signing, but didn't get
> added to the keyring?
>
> I was able to repro the same failure. Anybody else?
>
> ~> gpg --verbose --verify xml-security-bin-1_4_2.zip.asc
> gpg: armor header: Version: GnuPG v2.0.9 (SunOS)
> gpg: assuming signed data in `xml-security-bin-1_4_2.zip'
> gpg: Signature made Mon 23 Jun 2008 01:09:20 PM PDT using DSA key
> ID A74A32FC
> gpg: Can't check signature: public key not found
>
>
> Thanks,
> Jason
>
>
>
>
> --
> - Jason
Re: Can't verify 1.4.2 signature
Posted by jason marshall <jd...@gmail.com>.
As a datapoint, using the same process I am able to verify the 1.4.1
signature. Did the signing key get swapped out at some point without
updating the KEYS file?
Thanks,
Jason
On Mon, Jun 1, 2009 at 2:16 PM, jason marshall <jd...@gmail.com> wrote:
> My coworker tried to upgrade to XML Sec 1.4.2 and discovered that she
> couldn't verify the ASC signature against the binaries. It appears that a
> new key is being used for signing, but didn't get added to the keyring?
>
> I was able to repro the same failure. Anybody else?
>
> ~> gpg --verbose --verify xml-security-bin-1_4_2.zip.asc
> gpg: armor header: Version: GnuPG v2.0.9 (SunOS)
> gpg: assuming signed data in `xml-security-bin-1_4_2.zip'
> gpg: Signature made Mon 23 Jun 2008 01:09:20 PM PDT using DSA key ID
> A74A32FC
> gpg: Can't check signature: public key not found
>
>
> Thanks,
> Jason
>
>
--
- Jason