[ http://jira.codehaus.org/browse/MEV-653?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=214255#action_214255 ]

Dennis Lundberg commented on MEV-653:
-------------------------------------

I've talked to Anders and will try to re-sign these releases. Does the following process sound good?

For each artifact

# Download artifact.pom, artifact.pom.asc, artifact.pom.md5 and artifact.pom.sha1 from Central
# Check that checksums are correct
# Check if signature is BAD, then continue
# Check out corresponding tag from Subversion
# Diff artifact.pom (from repo) to artifact.xml (from svn) and make sure they are equal
# Sign artifact.pom
# Upload the new signature file to a Nexus staging area
# Vote?
# Release from staging area to Central

*Questions*

# How do I manually create a staging area in Nexus?
# How do I manually upload the signature files to the staging area in Nexus?
# Do we need to vote on the new signature files?
# Will the normal "release from staging" procedure work, even though we are overwriting files that are already in Central?
# What do we do with *.asc.md5 and *.asc.sha1 files? I'd really like to remove them from Central, but don't know if that will work.


> Invalid signatures at central
> -----------------------------
>
>                 Key: MEV-653
>                 URL: http://jira.codehaus.org/browse/MEV-653
>             Project: Maven Evangelism
>          Issue Type: Bug
>            Reporter: Anders Hammar
>            Assignee: Dennis Lundberg
>
> The signatures for these poms are invalid. This causes issues when setting up 
> environments that verify the signatures and is not good as all Apache 
> artifacts are supposed to be signed as I understand it. This pom is used as a 
> parent by some artifacts which many Maven plugins use. Here's an example:
> maven-compiler-plugin:2.1 depends on maven-toolchain:1.0 which has 
> maven:2.0.6 as parent.
> I asked Jason van Zyl about this as it is (supposedly) he who signed and he 
> says he lost that key and revoked it. Hence the signature should fail. 
> However, the weird thing is that org.apache.maven:maven-script:2.0.6 was 
> signed with the same key about the same time (part of the same release?) and 
> that signature is reported ok.
> I'd happily work with you to solve this. There are possibly more artifacts 
> with invalid signatures. However, I have to admit that I am no pgp expert.
