[ https://issues.apache.org/jira/browse/SOLR-14527?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17121393#comment-17121393 ]
Jan Høydahl commented on SOLR-14527:
------------------------------------

The Solr Download page [https://lucene.apache.org/solr/downloads.html#verify-downloads] tells you to download the KEYS file from https://downloads.apache.org/lucene/KEYS - i.e. the top folder, not the solr sub folder, which was previously used. I suppose we should update the README file on the archive download page and perhaps remove that KEYS file.

> The 8.5.1 release can't be verified using PGP
> ---------------------------------------------
>
> Key: SOLR-14527
> URL: https://issues.apache.org/jira/browse/SOLR-14527
> Project: Solr
> Issue Type: Bug
> Security Level: Public (Default Security Level. Issues are Public)
> Components: website
> Affects Versions: 8.5.1
> Reporter: Per Cederqvist
> Priority: Major
>
> The [https://archive.apache.org/dist/lucene/solr/8.5.1/solr-8.5.1.tgz.asc]
> signature of the
> [https://archive.apache.org/dist/lucene/solr/8.5.1/solr-8.5.1.tgz] file is
> made by the following key:
>
> pub   rsa4096 2019-07-10 [SC]
>       E58A6F4D5B2B48AC66D5E53BD4F181881A42F9E6
> uid   [ unknown] Ignacio Vera (CODE SIGNING KEY) <iv...@apache.org>
> sub   rsa4096 2019-07-10 [E]
>
> However, that key is not included in
> [https://archive.apache.org/dist/lucene/solr/KEYS], so there is no way for me
> to verify that the file is authentic. I could download the key from a
> keyserver, but there are no signatures on the key, so I'm left with no way to
> verify that the 8.5.1 distribution is legitimate.
>
> I'm assuming this is just an omission, and that [~ivera] simply forgot to add
> the key to the KEYS file.
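
Added example, not part of the issue or of the project's release tooling: a shell check that imports only a KEYS file into a throwaway keyring and classifies gpg's machine-readable status, so that a signer missing from KEYS (the situation reported above) is told apart from a failed signature. The function names and the sample status lines are assumptions constructed for illustration; the key ID in them is the low 64 bits of the fingerprint quoted in the report.

```sh
#!/bin/sh
# Added example: verify a release against a KEYS file only, in a throwaway keyring.

# Constructed `gpg --status-fd` samples (timestamps invented). The key ID is the
# low 64 bits of the fingerprint quoted in the issue report.
SAMPLE_MISSING='[GNUPG:] ERRSIG D4F181881A42F9E6 1 10 00 1586500000 9
[GNUPG:] NO_PUBKEY D4F181881A42F9E6'
SAMPLE_GOOD='[GNUPG:] GOODSIG D4F181881A42F9E6 constructed-uid
[GNUPG:] VALIDSIG E58A6F4D5B2B48AC66D5E53BD4F181881A42F9E6 2020-04-10 1586500000 0 4 0 1 10 00 E58A6F4D5B2B48AC66D5E53BD4F181881A42F9E6'

# Classify gpg status lines read on stdin.
# Prints "verified <primary fingerprint>" (exit 0), "missing-key <key id>"
# (exit 3) or "not-verified" (exit 1: bad, expired or revoked signature).
classify_status() {
  awk '
    $2 == "GOODSIG"   { good = 1 }
    $2 == "VALIDSIG"  { fpr = $NF }      # last field is the primary key fingerprint
    $2 == "NO_PUBKEY" { missing = $3 }   # signer absent from the keyring
    END {
      if (missing != "")     { print "missing-key " missing; exit 3 }
      if (good && fpr != "") { print "verified " fpr; exit 0 }
      print "not-verified"; exit 1
    }'
}

# usage: verify_release KEYS artifact.asc artifact
# Runs in a subshell so the temporary keyring is always removed.
verify_release() (
  home=$(mktemp -d) || exit 2
  trap 'rm -rf "$home"' EXIT
  # The KEYS file is the only trust anchor: no keyserver, no personal keyring.
  gpg --homedir "$home" --batch --quiet --import "$1" 2>/dev/null || exit 2
  gpg --homedir "$home" --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null |
    classify_status
)

if [ "$#" -eq 3 ]; then verify_release "$@"; fi
```

The fingerprint printed on `verified` is still worth comparing with one obtained from the KEYS file over HTTPS from the project's own download host.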