You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@maven.apache.org by "Arnaud Dufourcq (Jira)" <ji...@apache.org> on 2021/08/30 23:30:00 UTC
[jira] [Created] (MNGSITE-458) Expired signature in provided KEYS
file on the download page
Arnaud Dufourcq created MNGSITE-458:
---------------------------------------
Summary: Expired signature in provided KEYS file on the download page
Key: MNGSITE-458
URL: https://issues.apache.org/jira/browse/MNGSITE-458
Project: Maven Project Web Site
Issue Type: Bug
Environment: Windows 10 21H1 (build 19043.1165)
Powershell provided with Windows 10 (5.1 build 19041 revision 1151)
Gpg4Win 3.1.16 (gpg (GnuPG) 2.2.28)
Reporter: Arnaud Dufourcq
When i follow the procedure to verify the signature using the KEYS file, both provided on the maven's download page::
* KEYS file import: gpg --import KEYS
* signature verification; gpg --verify .\apache-maven-3.8.2-bin.tar.gz.asc .\apache-maven-3.8.2-bin.tar.gz
I've got the following message at the second step:
"Good signature from "Michael Osipov (Java developer) <19...@gmx.net>" [expired]
Note: This key has expired!"
According to the same procedure: "A signature is valid, if gpg verifies the .asc as a good signature, and doesn't complain about expired or revoked keys", so, technically, the signature is not valid.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)