Posted to dev@sling.apache.org by Andreas Schaefer <sc...@me.com.INVALID> on 2023/03/30 16:20:10 UTC

Release Apache Sling GraphQL Core 0.0.18

Hi

I created a new release of GraphQL Core v 0.0.18 and put it up to a vote but so far nobody responded.

This is an important release for AEM to fix a security issue in graphql-java: https://nvd.nist.gov/vuln/detail/CVE-2022-37734

Thanks - Andy

Re: Release Apache Sling GraphQL Core 0.0.18

Posted by Andreas Schaefer <sc...@me.com.INVALID>.
Hi

After some back and forth I figured out:

- Maven was using a different GPG Key
- My Apache GPG Key had a sub key which might have caused issues

I verified that when I signed a maven file, the .asc file has the right fingerprint (gpg <file path>).

So I redid the release and verified on my laptop that the signature was good. Hope that works now.

- Andy

> On Mar 31, 2023, at 7:42 AM, Radu Cotescu <ra...@apache.org> wrote:
> 
> Hi Andy,
> 
>> On 31 Mar 2023, at 11:06, Stefan Seifert <St...@diva-e.com.INVALID> wrote:
>> 
>> i tried multiple times yesterday and today to validate the new release, but the GPG validation is still failing for me, although i've downloaded the updated KEYS [1] file in the same way it worked for all the other keys.
> 
> Same issue as Stefan and I’m using the Committer CLI tool [2] to verify releases. This always downloads the KEYS file before verifying. Here’s the output:
> 
>> Signature org.apache.sling.graphql.core-0.0.18-javadoc.jar.asc was not generated with any of the known keys.
> 
> 
> Therefore I guess you need to cancel this release as well. I could start the release for you, if you want, until you can figure out what went wrong with your GPG setup. Just let me know (either by replying here or by actually cancelling the previous release threads).
> 
> Thanks,
> Radu
> 
> [2] - https://github.com/apache/sling-org-apache-sling-committer-cli


Re: Release Apache Sling GraphQL Core 0.0.18

Posted by Radu Cotescu <ra...@apache.org>.
Hi Andy,

> On 31 Mar 2023, at 11:06, Stefan Seifert <St...@diva-e.com.INVALID> wrote:
> 
> i tried multiple times yesterday and today to validate the new release, but the GPG validation is still failing for me, although i've downloaded the updated KEYS [1] file in the same way it worked for all the other keys.

Same issue as Stefan and I’m using the Committer CLI tool [2] to verify releases. This always downloads the KEYS file before verifying. Here’s the output:

> Signature org.apache.sling.graphql.core-0.0.18-javadoc.jar.asc was not generated with any of the known keys.


Therefore I guess you need to cancel this release as well. I could start the release for you, if you want, until you can figure out what went wrong with your GPG setup. Just let me know (either by replying here or by actually cancelling the previous release threads).

Thanks,
Radu

[2] - https://github.com/apache/sling-org-apache-sling-committer-cli

Re: Release Apache Sling GraphQL Core 0.0.18

Posted by Robert Munteanu <ro...@apache.org>.
Hi,

On Fri, 2023-03-31 at 09:06 +0000, Stefan Seifert wrote:
> hello andreas.
> 
> i tried multiple times yesterday and today to validate the new
> release, but the GPG validation is still failing for me, although
> i've downloaded the updated KEYS [1] file in the same way it worked
> for all the other keys.
> 
> would be good if others can try it as well.

Same issue here.

$ gpg --verify /tmp/sling-staging/2733/org/apache/sling/org.apache.sling.graphql.core/0.0.18/org.apache.sling.graphql.core-0.0.18-sources.jar.asc
gpg: assuming signed data in '/tmp/sling-staging/2733/org/apache/sling/org.apache.sling.graphql.core/0.0.18/org.apache.sling.graphql.core-0.0.18-sources.jar'
gpg: Signature made Tue 28 Mar 2023 09:00:10 PM CEST
gpg:                using EDDSA key 945906263A8BB1688AE5EB471E4FD64F2A8C0106
gpg: Can't check signature: No public key

However, the signature present in the public KEYS file seems to be
different (I'm not a GPG expert).

gpg: key F2EB5CFC00FCB034: public key "Andreas Schaefer (CODE SIGNING KEY) <an...@apache.org>" imported

Thanks,
Robert

> 
> stefan
> 
> 
> [1] https://dist.apache.org/repos/dist/release/sling/KEYS
> 
> > -----Original Message-----
> > From: Andreas Schaefer <sc...@me.com.INVALID>
> > Sent: Thursday, March 30, 2023 6:20 PM
> > To: dev <de...@sling.apache.org>
> > Subject: Release Apache Sling GraphQL Core 0.0.18
> > 
> > Hi
> > 
> > I created a new release of GraphQL Core v 0.0.18 and put it up to a
> > vote
> > but so far nobody responded.
> > 
> > This is an important release for AEM to fix a security issue in
> > graphql-
> > java:https://nvd.nist.gov/vuln/detail/CVE-2022-37734
> > 
> > Thanks - Andy
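The failure Robert shows above (signature made by a key that is not in KEYS) and the cause Andy found (Maven signing with a different key or subkey) are both caught by verifying against a throwaway keyring populated only from the KEYS file, so that keys already in the verifier's personal keyring cannot mask the problem. The script below is an added example, not part of the thread or of the Sling Committer CLI; it assumes gpg 2.x is installed and the KEYS file has been downloaded to ./KEYS, and it classifies gpg's machine-readable --status-fd lines instead of the locale-dependent human output.

```shell
#!/bin/sh
# Added example (not from the thread): verify a release artifact's detached
# .asc signature using only the keys in the project's KEYS file, and report
# which key made the signature when verification fails.
# Assumptions: gpg 2.x is on PATH; KEYS was downloaded to ./KEYS (override via $KEYS).
set -eu

KEYS="${KEYS:-./KEYS}"

# Read gpg --status-fd lines on stdin and print exactly one verdict line:
#   OK <fingerprint>       valid signature from a key present in KEYS
#   NO_PUBKEY <keyid>      signing key or subkey is not in KEYS (Robert's case)
#   BAD <reason>           signature present but invalid, or no signature found
classify_status() {
  awk '
    $1 == "[GNUPG:]" && $2 == "VALIDSIG"  { fpr = $3; ok = 1 }
    $1 == "[GNUPG:]" && $2 == "NO_PUBKEY" { missing = $3 }
    $1 == "[GNUPG:]" && $2 == "BADSIG"    { bad = "BADSIG " $3 }
    $1 == "[GNUPG:]" && $2 == "ERRSIG"    { errsig = $3 }
    END {
      if (ok)            { print "OK " fpr; exit }
      if (missing != "") { print "NO_PUBKEY " missing; exit }
      if (bad != "")     { print "BAD " bad; exit }
      if (errsig != "")  { print "BAD ERRSIG " errsig; exit }
      print "BAD NO_SIGNATURE"
    }'
}

# Verify <artifact> against <artifact>.asc in a fresh GNUPGHOME that holds
# only the KEYS contents, so the result reflects what any downloader sees.
verify_artifact() {
  artifact="$1"
  tmp="$(mktemp -d)"
  chmod 700 "$tmp"
  gpg --homedir "$tmp" --batch --quiet --import "$KEYS" 2>/dev/null || true
  result="$(gpg --homedir "$tmp" --batch --status-fd 1 \
              --verify "$artifact.asc" "$artifact" 2>/dev/null \
            | classify_status)"
  rm -rf "$tmp"
  echo "$result"
}

# Usage: sh verify-release.sh org.apache.sling.graphql.core-0.0.18-sources.jar [...]
if [ "$#" -ge 1 ]; then
  for a in "$@"; do echo "$a: $(verify_artifact "$a")"; done
fi
```

A NO_PUBKEY verdict that names a key ID not listed in KEYS means the release must be re-signed with the published key (or KEYS must be updated with the subkey), which is the situation this thread describes.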


RE: Release Apache Sling GraphQL Core 0.0.18

Posted by Stefan Seifert <St...@diva-e.com.INVALID>.
hello andreas.

i tried multiple times yesterday and today to validate the new release, but the GPG validation is still failing for me, although i've downloaded the updated KEYS [1] file in the same way it worked for all the other keys.

would be good if others can try it as well.

stefan


[1] https://dist.apache.org/repos/dist/release/sling/KEYS

> -----Original Message-----
> From: Andreas Schaefer <sc...@me.com.INVALID>
> Sent: Thursday, March 30, 2023 6:20 PM
> To: dev <de...@sling.apache.org>
> Subject: Release Apache Sling GraphQL Core 0.0.18
> 
> Hi
> 
> I created a new release of GraphQL Core v 0.0.18 and put it up to a vote
> but so far nobody responded.
> 
> This is an important release for AEM to fix a security issue in graphql-
> java:https://nvd.nist.gov/vuln/detail/CVE-2022-37734
> 
> Thanks - Andy