Posted to dev@sling.apache.org by "Bertrand Delacretaz (Jira)" <ji...@apache.org> on 2021/09/15 09:29:00 UTC

[jira] [Comment Edited] (SLING-9173) Add KEYS file to https://dist.apache.org/repos/dist/release/sling

    [ https://issues.apache.org/jira/browse/SLING-9173?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17415401#comment-17415401 ] 

Bertrand Delacretaz edited comment on SLING-9173 at 9/15/21, 9:28 AM:
----------------------------------------------------------------------

Not sure if that's what you are asking, but the following works for me: first failing, then importing a key from that KEYS file and then succeeding.

The {{--no-default-keyring --keyring /tmp/kr}} options are meant to ignore my default keyring for this example; you usually do not need them.

The "not certified with a trusted signature" bit means we don't know whether that key actually belongs to Justin, which is the case for all keys which do not have a web of trust connection to the key of the current user. But GPG did verify that the signature matches the jar file.
{code:bash}
$ wget https://dist.apache.org/repos/dist/release/sling/adapter-annotations-1.0.0-javadoc.jar
$ wget https://dist.apache.org/repos/dist/release/sling/adapter-annotations-1.0.0-javadoc.jar.asc

$ gpg --no-default-keyring --keyring /tmp/kr --verify adapter-annotations-1.0.0-javadoc.jar.asc 
gpg: assuming signed data in 'adapter-annotations-1.0.0-javadoc.jar'
gpg: Signature made Thu Jan 12 17:53:23 2012 CET
gpg:                using DSA key 87DBF05A134B145C
gpg: Can't check signature: No public key

$ curl -s https://downloads.apache.org/sling/KEYS | gpg --no-default-keyring --keyring /tmp/kr --import
...
gpg: Total number processed: 38
gpg:               imported: 38

$ gpg --no-default-keyring --keyring /tmp/kr --verify adapter-annotations-1.0.0-javadoc.jar.asc 
gpg: assuming signed data in 'adapter-annotations-1.0.0-javadoc.jar'
gpg: Signature made Thu Jan 12 17:53:23 2012 CET
gpg:                using DSA key 87DBF05A134B145C
gpg: Good signature from "Justin Edelson (CODE SIGNING KEY) <ju...@apache.org>" [unknown]
gpg:                 aka "Justin Edelson <ju...@helemus.com>" [unknown]
gpg:                 aka "Justin Edelson <ju...@justinedelson.com>" [unknown]
gpg:                 aka "Justin Edelson <ju...@mtvstaff.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: A04B C4AD 3639 6AD5 A52C  8FE1 87DB F05A 134B 145C

 {code}
 


was (Author: bdelacretaz):
Not sure if that's what you are asking, but the following works for me: first failing, then importing a key from that KEYS file and then succeeding.

The {{--no-default-keyring --keyring /tmp/kr}} options are meant to ignore my default keyring for this example; you usually do not need them.

The "not certified with a trusted signature" bit means we don't know whether that key actually belongs to Justin, which is the case for all keys which do not have a web of trust connection to the key of the current user.
{code:bash}
$ wget https://dist.apache.org/repos/dist/release/sling/adapter-annotations-1.0.0-javadoc.jar
$ wget https://dist.apache.org/repos/dist/release/sling/adapter-annotations-1.0.0-javadoc.jar.asc

$ gpg --no-default-keyring --keyring /tmp/kr --verify adapter-annotations-1.0.0-javadoc.jar.asc 
gpg: assuming signed data in 'adapter-annotations-1.0.0-javadoc.jar'
gpg: Signature made Thu Jan 12 17:53:23 2012 CET
gpg:                using DSA key 87DBF05A134B145C
gpg: Can't check signature: No public key

$ curl -s https://downloads.apache.org/sling/KEYS | gpg --no-default-keyring --keyring /tmp/kr --import
...
gpg: Total number processed: 38
gpg:               imported: 38

$ gpg --no-default-keyring --keyring /tmp/kr --verify adapter-annotations-1.0.0-javadoc.jar.asc 
gpg: assuming signed data in 'adapter-annotations-1.0.0-javadoc.jar'
gpg: Signature made Thu Jan 12 17:53:23 2012 CET
gpg:                using DSA key 87DBF05A134B145C
gpg: Good signature from "Justin Edelson (CODE SIGNING KEY) <ju...@apache.org>" [unknown]
gpg:                 aka "Justin Edelson <ju...@helemus.com>" [unknown]
gpg:                 aka "Justin Edelson <ju...@justinedelson.com>" [unknown]
gpg:                 aka "Justin Edelson <ju...@mtvstaff.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: A04B C4AD 3639 6AD5 A52C  8FE1 87DB F05A 134B 145C

 {code}
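The two gpg runs in the comment above, scripted, as an added example that is not part of the Jira comment or of the Sling project: a fresh keyring is populated from the KEYS file, and the signature is then checked with gpg's machine-readable {{--status-fd}} output instead of by grepping "Good signature". The extra step it adds is pinning the signer's fingerprint (the "Primary key fingerprint" value from the comment, spaces removed); the "[unknown]" trust level only says the key has no web-of-trust path to you, and comparing against a fingerprint obtained out of band is what turns "Good signature" into "signed by the key we expect". The {{verify_artifact}} function is the real, network-using flow and is not exercised below; {{check_status}} is exercised on constructed status lines written by hand to mirror the comment's failing and succeeding runs, plus a hypothetical third run with a placeholder key.

```shell
#!/bin/sh
# Added example (not from the Jira comment): verify a Sling release artifact
# against the project KEYS file and pin the expected signer fingerprint.

# Fingerprint from the comment's "Primary key fingerprint" line, spaces removed.
# Pinning it is the assumption this example adds.
EXPECTED_FPR="A04BC4AD36396AD5A52C8FE187DBF05A134B145C"

# check_status FILE FPR: accept only if FILE (gpg --status-fd lines) contains a
# VALIDSIG whose fingerprint equals FPR. Returns 0 on success, 1 otherwise.
check_status() {
    status_file=$1
    expected=$2
    if grep -q '^\[GNUPG:\] NO_PUBKEY ' "$status_file"; then
        echo "signer key not in keyring: import the project's KEYS file first"
        return 1
    fi
    # VALIDSIG line: [GNUPG:] VALIDSIG <fingerprint> <date> <timestamp> ...
    fpr=$(awk '$2 == "VALIDSIG" { print $3; exit }' "$status_file")
    if [ -z "$fpr" ]; then
        echo "no valid signature found"
        return 1
    fi
    if [ "$fpr" != "$expected" ]; then
        echo "valid signature, but from unexpected key $fpr"
        return 1
    fi
    echo "valid signature from pinned key $fpr"
    return 0
}

# verify_artifact ARTIFACT FPR: the real flow; needs gpg, curl and network, so
# it is not run below. Usage:
#   verify_artifact adapter-annotations-1.0.0-javadoc.jar "$EXPECTED_FPR"
verify_artifact() {
    artifact=$1
    expected=$2
    workdir=$(mktemp -d)
    # Fresh keyring, as in the comment, so the default keyring plays no part.
    curl -s https://downloads.apache.org/sling/KEYS \
        | gpg --no-default-keyring --keyring "$workdir/kr" --import 2>/dev/null
    # --status-fd 1: machine-readable lines on stdout, human text on stderr.
    gpg --no-default-keyring --keyring "$workdir/kr" --status-fd 1 \
        --verify "$artifact.asc" "$artifact" >"$workdir/status" 2>/dev/null
    check_status "$workdir/status" "$expected"
    rc=$?
    rm -rf "$workdir"
    return $rc
}

# --- Constructed status output, written by hand to mirror the comment's runs ---
# Run 1, before importing KEYS (key 87DBF05A134B145C unknown to gpg):
SAMPLE_NOKEY=$(mktemp)
cat >"$SAMPLE_NOKEY" <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 87DBF05A134B145C 17 2 00 1326387203 9
[GNUPG:] NO_PUBKEY 87DBF05A134B145C
EOF

# Run 2, after importing KEYS: good signature, key trust still undefined:
SAMPLE_GOOD=$(mktemp)
cat >"$SAMPLE_GOOD" <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 87DBF05A134B145C Justin Edelson (CODE SIGNING KEY) <ju...@apache.org>
[GNUPG:] VALIDSIG A04BC4AD36396AD5A52C8FE187DBF05A134B145C 2012-01-12 1326387203 0 4 0 17 2 00 A04BC4AD36396AD5A52C8FE187DBF05A134B145C
[GNUPG:] TRUST_UNDEFINED 0 pgp
EOF

# Hypothetical run 3: a valid signature from some other key (placeholder
# fingerprint, not a real key) - exactly what pinning is meant to catch.
SAMPLE_WRONGKEY=$(mktemp)
cat >"$SAMPLE_WRONGKEY" <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1111111111111111 Placeholder Signer <placeholder@example.invalid>
[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2012-01-12 1326387203 0 4 0 17 2 00 1111111111111111111111111111111111111111
[GNUPG:] TRUST_UNDEFINED 0 pgp
EOF

for f in "$SAMPLE_NOKEY" "$SAMPLE_GOOD" "$SAMPLE_WRONGKEY"; do
    check_status "$f" "$EXPECTED_FPR" || true
done
```

Only the second constructed run passes: the first fails for the same reason as the comment's first gpg call (no public key), and the third fails because a "Good signature" from a key other than the pinned one is rejected regardless of what gpg says about trust.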
 

> Add KEYS file to https://dist.apache.org/repos/dist/release/sling
> -----------------------------------------------------------------
>
>                 Key: SLING-9173
>                 URL: https://issues.apache.org/jira/browse/SLING-9173
>             Project: Sling
>          Issue Type: Bug
>          Components: General
>            Reporter: Konrad Windszus
>            Assignee: Konrad Windszus
>            Priority: Major
>
> The link at https://sling.apache.org/downloads.cgi to https://www.apache.org/dist/sling/KEYS is broken, because the KEYS file has been removed in 2013 from the dist directory.
> The file needs to be reestablished and https://sling.apache.org/documentation/development/release-management.html#appendix-a-create-and-add-your-key-to-peopleapacheorg need to be updated.
> Compare with the discussion at  https://lists.apache.org/thread.html/ra6807cd9c8d7921f4441f621b43c92aa90cb0380b0190e0da1461939%40%3Cdev.sling.apache.org%3E
> It is not allowed to instead just reference the file from https://people.apache.org/keys/group/sling.asc, for a reasoning look at https://people.apache.org/keys/



--
This message was sent by Atlassian Jira
(v8.3.4#803005)