Posted to issues@maven.apache.org by "KOVÁCS PÉTER (Jira)" <ji...@apache.org> on 2019/09/10 06:38:00 UTC

[jira] [Updated] (MNG-6761) 3.6.2 builds are unsigned

     [ https://issues.apache.org/jira/browse/MNG-6761?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

KOVÁCS PÉTER updated MNG-6761:
------------------------------
    Description: 
{code}
$ gpg --verify --status-fd 1 apache-maven-3.6.2-bin.zip.asc apache-maven-3.6.2-bin.zip
[GNUPG:] NEWSIG
gpg: Signature made Tue Aug 27 17:10:11 2019 CEDT
gpg:                using RSA key BBE7232D7991050B54C8EA0ADC08637CA615D22C
[GNUPG:] ERRSIG DC08637CA615D22C 1 10 00 1566918611 9 BBE7232D7991050B54C8EA0ADC08637CA615D22C
[GNUPG:] NO_PUBKEY DC08637CA615D22C
gpg: Can't check signature: No public key
{code}
 
 whereas for 3.6.1

{code}
$ gpg --verify --status-fd 1 apache-maven-3.6.1-bin.zip.asc apache-maven-3.6.1-bin.zip
[GNUPG:] NEWSIG
gpg: Signature made Thu Apr  4 21:02:59 2019 CEDT
gpg:                using RSA key AE9E53FC28FF2AB1012273D0BF1518E0160788A2
[GNUPG:] KEY_CONSIDERED AE9E53FC28FF2AB1012273D0BF1518E0160788A2 0
[GNUPG:] SIG_ID SPyIoMJ54Xs7p43r2ZmK3Z9ktFY 2019-04-04 1554404579
[GNUPG:] KEY_CONSIDERED AE9E53FC28FF2AB1012273D0BF1518E0160788A2 0
[GNUPG:] GOODSIG BF1518E0160788A2 Karl Heinz Marbaise (ASF Key) <kh...@apache.org>
gpg: Good signature from "Karl Heinz Marbaise (ASF Key) <kh...@apache.org>" [unknown]
[GNUPG:] VALIDSIG AE9E53FC28FF2AB1012273D0BF1518E0160788A2 2019-04-04 1554404579 0 4 0 1 10 00 AE9E53FC28FF2AB1012273D0BF1518E0160788A2
[GNUPG:] KEY_CONSIDERED AE9E53FC28FF2AB1012273D0BF1518E0160788A2 0
[GNUPG:] TRUST_UNDEFINED 0 pgp
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: AE9E 53FC 28FF 2AB1 0122  73D0 BF15 18E0 1607 88A2
{code}

I've tried to download from several sites; all downloads have the same issue

  was:
{code}
$ gpg --verify --status-fd 1 apache-maven-3.6.2-bin.zip.asc apache-maven-3.6.2-bin.zip
[GNUPG:] NEWSIG
gpg: Signature made Tue Aug 27 17:10:11 2019 CEDT
gpg:                using RSA key BBE7232D7991050B54C8EA0ADC08637CA615D22C
[GNUPG:] ERRSIG DC08637CA615D22C 1 10 00 1566918611 9 BBE7232D7991050B54C8EA0ADC08637CA615D22C
[GNUPG:] NO_PUBKEY DC08637CA615D22C
gpg: Can't check signature: No public key
{code}
 
 whereas

{code}
$ gpg --verify --status-fd 1 apache-maven-3.6.1-bin.zip.asc apache-maven-3.6.1-bin.zip
[GNUPG:] NEWSIG
gpg: Signature made Thu Apr  4 21:02:59 2019 CEDT
gpg:                using RSA key AE9E53FC28FF2AB1012273D0BF1518E0160788A2
[GNUPG:] KEY_CONSIDERED AE9E53FC28FF2AB1012273D0BF1518E0160788A2 0
[GNUPG:] SIG_ID SPyIoMJ54Xs7p43r2ZmK3Z9ktFY 2019-04-04 1554404579
[GNUPG:] KEY_CONSIDERED AE9E53FC28FF2AB1012273D0BF1518E0160788A2 0
[GNUPG:] GOODSIG BF1518E0160788A2 Karl Heinz Marbaise (ASF Key) <kh...@apache.org>
gpg: Good signature from "Karl Heinz Marbaise (ASF Key) <kh...@apache.org>" [unknown]
[GNUPG:] VALIDSIG AE9E53FC28FF2AB1012273D0BF1518E0160788A2 2019-04-04 1554404579 0 4 0 1 10 00 AE9E53FC28FF2AB1012273D0BF1518E0160788A2
[GNUPG:] KEY_CONSIDERED AE9E53FC28FF2AB1012273D0BF1518E0160788A2 0
[GNUPG:] TRUST_UNDEFINED 0 pgp
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: AE9E 53FC 28FF 2AB1 0122  73D0 BF15 18E0 1607 88A2
{code}

I've tried to download from several sites; all downloads have the same issue


> 3.6.2 builds are unsigned
> -------------------------
>
>                 Key: MNG-6761
>                 URL: https://issues.apache.org/jira/browse/MNG-6761
>             Project: Maven
>          Issue Type: Bug
>          Components: Bootstrap & Build
>    Affects Versions: 3.6.2
>         Environment: Windows 10
> pkovacs@DESKTOP-S24R6DS MINGW64 ~/Downloads
> $ gpg --version
> gpg (GnuPG) 2.2.16-unknown
> libgcrypt 1.8.4
> Copyright (C) 2019 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
> Home: /c/Users/pkovacs/.gnupg
> Supported algorithms:
> Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
> Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
>         CAMELLIA128, CAMELLIA192, CAMELLIA256
> Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
> Compression: Uncompressed, ZIP, ZLIB, BZIP2
>            Reporter: KOVÁCS PÉTER
>            Priority: Major
>
> {code}
> $ gpg --verify --status-fd 1 apache-maven-3.6.2-bin.zip.asc apache-maven-3.6.2-bin.zip
> [GNUPG:] NEWSIG
> gpg: Signature made Tue Aug 27 17:10:11 2019 CEDT
> gpg:                using RSA key BBE7232D7991050B54C8EA0ADC08637CA615D22C
> [GNUPG:] ERRSIG DC08637CA615D22C 1 10 00 1566918611 9 BBE7232D7991050B54C8EA0ADC08637CA615D22C
> [GNUPG:] NO_PUBKEY DC08637CA615D22C
> gpg: Can't check signature: No public key
> {code}
>  
>  whereas for 3.6.1
> {code}
> $ gpg --verify --status-fd 1 apache-maven-3.6.1-bin.zip.asc apache-maven-3.6.1-bin.zip
> [GNUPG:] NEWSIG
> gpg: Signature made Thu Apr  4 21:02:59 2019 CEDT
> gpg:                using RSA key AE9E53FC28FF2AB1012273D0BF1518E0160788A2
> [GNUPG:] KEY_CONSIDERED AE9E53FC28FF2AB1012273D0BF1518E0160788A2 0
> [GNUPG:] SIG_ID SPyIoMJ54Xs7p43r2ZmK3Z9ktFY 2019-04-04 1554404579
> [GNUPG:] KEY_CONSIDERED AE9E53FC28FF2AB1012273D0BF1518E0160788A2 0
> [GNUPG:] GOODSIG BF1518E0160788A2 Karl Heinz Marbaise (ASF Key) <kh...@apache.org>
> gpg: Good signature from "Karl Heinz Marbaise (ASF Key) <kh...@apache.org>" [unknown]
> [GNUPG:] VALIDSIG AE9E53FC28FF2AB1012273D0BF1518E0160788A2 2019-04-04 1554404579 0 4 0 1 10 00 AE9E53FC28FF2AB1012273D0BF1518E0160788A2
> [GNUPG:] KEY_CONSIDERED AE9E53FC28FF2AB1012273D0BF1518E0160788A2 0
> [GNUPG:] TRUST_UNDEFINED 0 pgp
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the owner.
> Primary key fingerprint: AE9E 53FC 28FF 2AB1 0122  73D0 BF15 18E0 1607 88A2
> {code}
> I've tried to download from several sites; all downloads have the same issue



--
This message was sent by Atlassian Jira
(v8.3.2#803003)
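
Added example, not part of the original report or of the Maven project: a shell function that classifies the `--status-fd` lines shown above, separating a signature gpg could not check (NO_PUBKEY) from a bad one and from a valid one made by a pinned key. The function name and verdict strings are assumptions of this example; the sample status lines are copied from the report.

```shell
#!/bin/sh
# classify_gpg_status PINNED_FPR   (hypothetical helper, added example)
# Reads `gpg --verify --status-fd 1` output on stdin and prints one verdict:
#   VERIFIED    a VALIDSIG whose primary-key fingerprint equals PINNED_FPR
#   WRONG_KEY   signature is valid but was made by a key other than the pinned one
#   NO_PUBKEY   signing key absent from the keyring, so nothing was checked
#   BAD         BADSIG: the file does not match the signature
#   UNVERIFIED  anything else (expired or revoked key, no status lines at all)
classify_gpg_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]"  { next }       # skip the human-readable "gpg: ..." lines
        $2 == "BADSIG"    { bad = 1 }
        $2 == "NO_PUBKEY" { nokey = 1 }
        $2 == "ERRSIG" || $2 ~ /^(EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { weak = 1 }
        # VALIDSIG: the last field is the primary key fingerprint
        $2 == "VALIDSIG"  { valid = 1; if (toupper($NF) == toupper(want)) pinned = 1 }
        END {
            if (bad)                 print "BAD"
            else if (nokey)          print "NO_PUBKEY"
            else if (weak || !valid) print "UNVERIFIED"
            else if (pinned)         print "VERIFIED"
            else                     print "WRONG_KEY"
        }'
}

# Status lines copied from the 3.6.2 output in the report.
sample_362() { cat <<'EOF'
[GNUPG:] NEWSIG
gpg: Signature made Tue Aug 27 17:10:11 2019 CEDT
[GNUPG:] ERRSIG DC08637CA615D22C 1 10 00 1566918611 9 BBE7232D7991050B54C8EA0ADC08637CA615D22C
[GNUPG:] NO_PUBKEY DC08637CA615D22C
gpg: Can't check signature: No public key
EOF
}

# Status lines copied from the 3.6.1 output in the report.
sample_361() { cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG BF1518E0160788A2 Karl Heinz Marbaise (ASF Key) <kh...@apache.org>
[GNUPG:] VALIDSIG AE9E53FC28FF2AB1012273D0BF1518E0160788A2 2019-04-04 1554404579 0 4 0 1 10 00 AE9E53FC28FF2AB1012273D0BF1518E0160788A2
[GNUPG:] TRUST_UNDEFINED 0 pgp
EOF
}

echo "3.6.2: $(sample_362 | classify_gpg_status BBE7232D7991050B54C8EA0ADC08637CA615D22C)"
echo "3.6.1: $(sample_361 | classify_gpg_status AE9E53FC28FF2AB1012273D0BF1518E0160788A2)"
```

In real use the input comes from `gpg --verify --status-fd 1 FILE.asc FILE 2>/dev/null`, and the pinned fingerprint must come from a source you trust independently of the download. The fingerprint comparison is what stands in for the missing trust path that `TRUST_UNDEFINED` reports.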