Posted to dev@sling.apache.org by Andreas Schaefer <sc...@me.com.INVALID> on 2023/03/30 16:20:10 UTC
Release Apache Sling GraphQL Core 0.0.18
Hi
I created a new release of GraphQL Core v 0.0.18 and put it up to a vote but so far nobody responded.
This is an important release for AEM to fix a security issue in graphql-java: https://nvd.nist.gov/vuln/detail/CVE-2022-37734
Thanks - Andy
Re: Release Apache Sling GraphQL Core 0.0.18
Posted by Andreas Schaefer <sc...@me.com.INVALID>.
Hi
After some back and forth I figured out:
- Maven was using a different GPG Key
- My Apache GPG Key had a sub key which might have caused issues
I verified that when I signed a Maven file, the .asc file has the right fingerprint (gpg <file path>).
So I redid the release and verified on my laptop that the signature was good. Hope that works now.
- Andy
> On Mar 31, 2023, at 7:42 AM, Radu Cotescu <ra...@apache.org> wrote:
>
> Hi Andy,
>
>> On 31 Mar 2023, at 11:06, Stefan Seifert <St...@diva-e.com.INVALID> wrote:
>>
>> i tried multiple times yesterday and today to validate the new release, but the GPG validation is still failing for me, although i've downloaded the updated KEYS [1] file in the same way it worked for all the other keys.
>
> Same issue as Stefan, and I’m using the Committer CLI tool [2] to verify releases. This always downloads the KEYS file before verifying. Here’s the output:
>
>> Signature org.apache.sling.graphql.core-0.0.18-javadoc.jar.asc was not generated with any of the known keys.
>
>
> Therefore I guess you need to cancel this release as well. I could start the release for you, if you want, until you can figure out what went wrong with your GPG setup. Just let me know (either by replying here or by actually cancelling the previous release threads).
>
> Thanks,
> Radu
>
> [2] - https://github.com/apache/sling-org-apache-sling-committer-cli
Re: Release Apache Sling GraphQL Core 0.0.18
Posted by Radu Cotescu <ra...@apache.org>.
Hi Andy,
> On 31 Mar 2023, at 11:06, Stefan Seifert <St...@diva-e.com.INVALID> wrote:
>
> i tried multiple times yesterday and today to validate the new release, but the GPG validation is still failing for me, although i've downloaded the updated KEYS [1] file in the same way it worked for all the other keys.
Same issue as Stefan, and I’m using the Committer CLI tool [2] to verify releases. This always downloads the KEYS file before verifying. Here’s the output:
> Signature org.apache.sling.graphql.core-0.0.18-javadoc.jar.asc was not generated with any of the known keys.
Therefore I guess you need to cancel this release as well. I could start the release for you, if you want, until you can figure out what went wrong with your GPG setup. Just let me know (either by replying here or by actually cancelling the previous release threads).
Thanks,
Radu
[2] - https://github.com/apache/sling-org-apache-sling-committer-cli
Re: Release Apache Sling GraphQL Core 0.0.18
Posted by Robert Munteanu <ro...@apache.org>.
Hi,
On Fri, 2023-03-31 at 09:06 +0000, Stefan Seifert wrote:
> hello andreas.
>
> i tried multiple times yesterday and today to validate the new
> release, but the GPG validation is still failing for me, although
> i've downloaded the updated KEYS [1] file in the same way it worked
> for all the other keys.
>
> would be good if others can try it as well.
Same issue here.
$ gpg --verify /tmp/sling-staging/2733/org/apache/sling/org.apache.sling.graphql.core/0.0.18/org.apache.sling.graphql.core-0.0.18-sources.jar.asc
gpg: assuming signed data in '/tmp/sling-staging/2733/org/apache/sling/org.apache.sling.graphql.core/0.0.18/org.apache.sling.graphql.core-0.0.18-sources.jar'
gpg: Signature made Tue 28 Mar 2023 09:00:10 PM CEST
gpg:                using EDDSA key 945906263A8BB1688AE5EB471E4FD64F2A8C0106
gpg: Can't check signature: No public key
However, the signature present in the public KEYS file seems to be
different (I'm not a GPG expert).
gpg: key F2EB5CFC00FCB034: public key "Andreas Schaefer (CODE SIGNING KEY) <an...@apache.org>" imported
Thanks,
Robert
>
> stefan
>
>
> [1] https://dist.apache.org/repos/dist/release/sling/KEYS
>
> > -----Original Message-----
> > From: Andreas Schaefer <sc...@me.com.INVALID>
> > Sent: Thursday, March 30, 2023 6:20 PM
> > To: dev <de...@sling.apache.org>
> > Subject: Release Apache Sling GraphQL Core 0.0.18
> >
> > Hi
> >
> > I created a new release of GraphQL Core v 0.0.18 and put it up to a
> > vote but so far nobody responded.
> >
> > This is an important release for AEM to fix a security issue in
> > graphql-java: https://nvd.nist.gov/vuln/detail/CVE-2022-37734
> >
> > Thanks - Andy
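The mismatch visible in the gpg output above, as an added example that is not part of the thread: a Python check of whether the key that made a signature is published in KEYS, either as a primary key or as a subkey. The listing is a constructed sample in the colon format printed by `gpg --show-keys --with-colons KEYS`; only the signing fingerprint, the primary key ID and the user ID come from the thread, and the function names are illustrative.

```python
import re

# Constructed sample of colon-format key listing output. Only the primary key ID
# and user ID appear in the thread; the subkey ID, dates and algorithms are made up.
KEYS_LISTING = """\
pub:-:255:22:F2EB5CFC00FCB034:1679900000:::-:::scSC:
uid:-::::1679900000::::Andreas Schaefer (CODE SIGNING KEY) <an...@apache.org>:
sub:-:255:18:0123456789ABCDEF:1679900000::::::e:
"""
# Fingerprint that `gpg --verify` reported for the staged signature.
SIGNING_FPR = "945906263A8BB1688AE5EB471E4FD64F2A8C0106"


def index_keys(colon_listing):
    """Return ({key_id: (role, primary_id)}, {primary_id: first_uid})."""
    keys, uids, primary = {}, {}, None
    for line in colon_listing.splitlines():
        f = line.split(":")
        if len(f) < 5:
            continue
        if f[0] == "pub":                      # field 5 holds the long key ID
            primary = f[4].upper()
            keys[primary] = ("primary", primary)
        elif f[0] == "sub" and primary:        # subkeys follow their primary
            keys[f[4].upper()] = ("subkey", primary)
        elif f[0] == "uid" and primary and len(f) > 9:
            uids.setdefault(primary, f[9])     # field 10 holds the user ID
    return keys, uids


def long_key_id(fingerprint):
    """Long key ID of a v4 OpenPGP key: the low 64 bits of its fingerprint."""
    fpr = re.sub(r"\s+", "", fingerprint).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError("expected a 40-hex-digit v4 fingerprint")
    return fpr[-16:]


def explain_signer(fingerprint, colon_listing):
    """Say whether the signing key is published in KEYS, and in what role."""
    keys, uids = index_keys(colon_listing)
    key_id = long_key_id(fingerprint)
    if key_id not in keys:
        return f"{key_id}: not in KEYS (known: {', '.join(sorted(keys))})"
    role, primary = keys[key_id]
    return f"{key_id}: {role} of {primary} ({uids.get(primary, 'no uid')})"


if __name__ == "__main__":
    print(explain_signer(SIGNING_FPR, KEYS_LISTING))
```

A "not in KEYS" result means the artifact was signed with a key other than the one published for the release manager, which is what the verification failures in this thread point to.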
RE: Release Apache Sling GraphQL Core 0.0.18
Posted by Stefan Seifert <St...@diva-e.com.INVALID>.
hello andreas.
i tried multiple times yesterday and today to validate the new release, but the GPG validation is still failing for me, although i've downloaded the updated KEYS [1] file in the same way it worked for all the other keys.
would be good if others can try it as well.
stefan
[1] https://dist.apache.org/repos/dist/release/sling/KEYS
> -----Original Message-----
> From: Andreas Schaefer <sc...@me.com.INVALID>
> Sent: Thursday, March 30, 2023 6:20 PM
> To: dev <de...@sling.apache.org>
> Subject: Release Apache Sling GraphQL Core 0.0.18
>
> Hi
>
> I created a new release of GraphQL Core v 0.0.18 and put it up to a vote
> but so far nobody responded.
>
> This is an important release for AEM to fix a security issue in
> graphql-java: https://nvd.nist.gov/vuln/detail/CVE-2022-37734
>
> Thanks - Andy