Invalid signatures at central
-----------------------------
Key: MEV-653
URL: http://jira.codehaus.org/browse/MEV-653
Project: Maven Evangelism
Issue Type: Bug
Reporter: Anders Hammar
The signatures for these poms are invalid. This causes issues when setting up
environments that verify the signatures and is not good, as all Apache artifacts
are supposed to be signed as I understand it. This pom is used as a parent by
some artifacts which many Maven plugins use. Here's an example:
maven-compiler-plugin:2.1 depends on maven-toolchain:1.0 which has maven:2.0.6
as parent.

I asked Jason van Zyl about this as it is (supposedly) he who signed and he
says he lost that key and revoked it. Hence the signature should fail. However,
the weird thing is that org.apache.maven:maven-script:2.0.6 was signed with the
same key about the same time (part of the same release?) and that signature is
reported OK.

I'd happily work with you to solve this. There are possibly more artifacts with
invalid signatures. However, I have to admit that I am no PGP expert.