[jira] Commented: (MEV-653) Invalid signatures at central

Fri, 12 Mar 2010 06:30:48 -0800 

    [ 
http://jira.codehaus.org/browse/MEV-653?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=213663#action_213663
 ] 

Anders Hammar commented on MEV-653:
-----------------------------------

Brett and Wendy,

thanks for looking at this. I have no problem verifying the deployed poms wioth 
the ones in svn. The problem is though that doing this locally for one 
company's use isn't good enough I think. I currently have two customers that 
want to verify the signatures.

Would it be possible (out of a technical perspective) to replace the signatures 
on central? I guess this could be done for the poms that are possible to verify 
without replacing them. The jars would be more difficult to do this for...

So, I'm looking for a long term solution for everyone, not just for one 
specific customer.

> Invalid signatures at central
> -----------------------------
>
>                 Key: MEV-653
>                 URL: http://jira.codehaus.org/browse/MEV-653
>             Project: Maven Evangelism
>          Issue Type: Bug
>            Reporter: Anders Hammar
>
> The signatures for these poms are invalid. This causes issues when setting up 
> environments that verify the signatures and is not good as all Apache 
> artifacts is supposed to be signed as I understand it. This pom is used as a 
> parent by some artifacts which many Maven plugins use. Here's an example:
> maven-compiler-plugin:2.1 depends on maven-toolchain:1.0 which has 
> maven:2.0.6 as parent.
> I asked Jason van Zyl about this as it is (supposedly) he who signed and he 
> says he lost that key and revoked it. Hence the signature should fail. 
> However, the weird thing is that org.apache.maven:maven-script:2.0.6 was 
> signed with the same key about the same time (part of the same release?) and 
> that signature is reported ok.
> I'd happily work with you to solve this. There are possibly more artifacts 
> with invalid signatures. However, I have to admit that I am no pgp expert.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to