[
https://issues.apache.org/jira/browse/MNGSITE-485?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17547920#comment-17547920
]
Michael Osipov edited comment on MNGSITE-485 at 6/4/22 5:37 PM:
----------------------------------------------------------------
Nice catch, will update next week. I roll my key every single year.
was (Author: michael-o):
Nice catch, will update this year. I roll my key every single year.
> Expired signature in provided KEYS file on the download page
> ------------------------------------------------------------
>
> Key: MNGSITE-485
> URL: https://issues.apache.org/jira/browse/MNGSITE-485
> Project: Maven Project Web Site
> Issue Type: Bug
> Reporter: Baiyang Li
> Assignee: Michael Osipov
> Priority: Major
>
> Hey,
> I met the same expired signature issue described in this close
> [issue|https://issues.apache.org/jira/browse/MNGSITE-458?page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel&focusedCommentId=17410236#comment-17410236].
> When i follow the procedure to verify the signature using the KEYS file, both
> provided on the maven's download page::
> * KEYS file import: gpg --import KEYS
> * signature verification; gpg --verify .\apache-maven-3.8.2-bin.tar.gz.asc
> .\apache-maven-3.8.2-bin.tar.gz
> I've got the following message at the second step:
> gpg: Good signature from "Michael Osipov (Java developer)
> <[email protected]>" [expired]
> gpg: aka "Michael Osipov <[email protected]>" [expired]
> gpg: Note: This key has expired!
> According to the same procedure: "A signature is valid, if gpg verifies the
> .asc as a good signature, and doesn't complain about expired or revoked
> keys", so, technically, the signature is not valid.
--
This message was sent by Atlassian Jira
(v8.20.7#820007)
