Posted to issues@maven.apache.org by "Arnaud Dufourcq (Jira)" <ji...@apache.org> on 2021/09/05 15:49:00 UTC

[jira] [Commented] (MNGSITE-458) Expired signature in provided KEYS file on the download page

    [ https://issues.apache.org/jira/browse/MNGSITE-458?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17410190#comment-17410190 ] 

Arnaud Dufourcq commented on MNGSITE-458:
-----------------------------------------

As far as I understand, there are two issues:
 * your key is outdated on the pgp.mit.edu key server (2021-05-29)
 * your key is also outdated in the KEYS file provided on the web site (2013-12-27)

As the download page recommends using the provided KEYS file to validate the signatures of the release bundles, it should also be updated once your key has been rotated.

If I can help with tests or something, do not hesitate to ask.

> Expired signature in provided KEYS file on the download page
> ------------------------------------------------------------
>
>                 Key: MNGSITE-458
>                 URL: https://issues.apache.org/jira/browse/MNGSITE-458
>             Project: Maven Project Web Site
>          Issue Type: Bug
>         Environment: Windows 10 21H1 (build 19043.1165)
> Powershell provided with Windows 10 (5.1 build 19041 revision 1151)
> Gpg4Win 3.1.16 (gpg (GnuPG) 2.2.28)
>            Reporter: Arnaud Dufourcq
>            Assignee: Michael Osipov
>            Priority: Major
>
> When I follow the procedure to verify the signature using the KEYS file, both provided on Maven's download page:
>  * KEYS file import: gpg --import KEYS
>  * signature verification: gpg --verify .\apache-maven-3.8.2-bin.tar.gz.asc .\apache-maven-3.8.2-bin.tar.gz
> I got the following message at the second step:
> "Good signature from "Michael Osipov (Java developer) <19...@gmx.net>" [expired]
> Note: This key has expired!"
> According to the same procedure: "A signature is valid, if gpg verifies the .asc as a good signature, and doesn't complain about expired or revoked keys", so, technically, the signature is not valid.
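The issue above is that a human reading `gpg --verify` output can miss the `[expired]` tag and treat "Good signature" as a pass. The following script, an added example that is not part of this Jira thread or of the Maven project, drives gpg with `--status-fd` and accepts a release only when gpg reports GOODSIG and VALIDSIG with no expiry, revocation or bad-signature status, and optionally only when the primary key fingerprint is on an allow-list. The fingerprints and key ids in the sample status lines are constructed placeholders, not real Maven release keys.

```python
import re
import subprocess
from typing import Iterable, Optional, Set, Tuple

# Status tags gpg emits on --status-fd; see doc/DETAILS in the GnuPG source.
REQUIRED = {"GOODSIG", "VALIDSIG"}
REJECT = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG",
          "REVKEYSIG", "KEYEXPIRED", "KEYREVOKED"}

def classify_status(lines: Iterable[str],
                    trusted_fprs: Optional[Set[str]] = None) -> Tuple[bool, str]:
    """Return (accepted, reason) for a stream of '[GNUPG:] ...' status lines.

    Accepts only if GOODSIG and VALIDSIG were both reported, none of the
    REJECT tags appeared, and (when trusted_fprs is given) the primary key
    fingerprint from VALIDSIG is in that set.
    """
    seen = set()
    primary_fpr = None
    for line in lines:
        m = re.match(r"\[GNUPG:\] (\S+)(?: (.*))?$", line.strip())
        if not m:
            continue
        tag, args = m.group(1), (m.group(2) or "").split()
        seen.add(tag)
        # VALIDSIG: fpr, date, ts, expire-ts, version, reserved, pk-algo,
        # hash-algo, class, primary-key-fpr  -> primary fpr is field 10.
        if tag == "VALIDSIG" and len(args) >= 10:
            primary_fpr = args[9]
    bad = sorted(seen & REJECT)
    if bad:
        return False, "rejected: " + ", ".join(bad)
    if not REQUIRED <= seen:
        return False, "rejected: missing GOODSIG/VALIDSIG"
    if trusted_fprs is not None and primary_fpr not in trusted_fprs:
        return False, f"rejected: key {primary_fpr} not in trusted set"
    return True, f"accepted: signed by {primary_fpr}"

def verify_release(sig_path: str, data_path: str,
                   trusted_fprs: Optional[Set[str]] = None) -> Tuple[bool, str]:
    """Run gpg on a real .asc/.tar.gz pair and classify its status output."""
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify",
                           sig_path, data_path], capture_output=True, text=True)
    return classify_status(proc.stdout.splitlines(), trusted_fprs)

# Constructed sample: what gpg reports for a good signature by an expired key.
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"  # placeholder fingerprint
EXPIRED_KEY_STATUS = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] KEYEXPIRED 1622246940",
    "[GNUPG:] EXPKEYSIG 0123456789ABCDEF Example Signer <signer@example.invalid>",
    f"[GNUPG:] VALIDSIG {FPR} 2021-08-04 1628089200 0 4 0 1 10 00 {FPR}",
]
GOOD_KEY_STATUS = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.invalid>",
    f"[GNUPG:] VALIDSIG {FPR} 2021-08-04 1628089200 0 4 0 1 10 00 {FPR}",
]
```

Calling `classify_status(EXPIRED_KEY_STATUS)` rejects with "EXPKEYSIG, KEYEXPIRED", which is the case the reporter hit; `verify_release` applies the same rule to real files.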



--
This message was sent by Atlassian Jira
(v8.3.4#803005)