You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@maven.apache.org by "Baiyang Li (Jira)" <ji...@apache.org> on 2022/06/03 21:19:00 UTC

[jira] [Created] (MNGSITE-485) Expired signature in provided KEYS file on the download page

Baiyang Li created MNGSITE-485:
----------------------------------

             Summary: Expired signature in provided KEYS file on the download page
                 Key: MNGSITE-485
                 URL: https://issues.apache.org/jira/browse/MNGSITE-485
             Project: Maven Project Web Site
          Issue Type: Bug
            Reporter: Baiyang Li


Hey,

I met the same expired signature issue described in this close issue.

When i follow the procedure to verify the signature using the KEYS file, both provided on the maven's download page::
 * KEYS file import: gpg --import KEYS
 * signature verification; gpg --verify .\apache-maven-3.8.2-bin.tar.gz.asc .\apache-maven-3.8.2-bin.tar.gz

I've got the following message at the second step:

gpg: Good signature from "Michael Osipov (Java developer) <19...@gmx.net>" [expired]
gpg:                 aka "Michael Osipov <mi...@apache.org>" [expired]
gpg: Note: This key has expired!

According to the same procedure: "A signature is valid, if gpg verifies the .asc as a good signature, and doesn't complain about expired or revoked keys", so, technically, the signature is not valid.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)