cloudstack-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "John Kinsella (JIRA)" <j...@apache.org>
Subject [jira] [Resolved] (CLOUDSTACK-9070) 4.5.x source downloads from apache.org fail gpg integrity test
Date Thu, 19 Nov 2015 17:25:11 GMT

     [ https://issues.apache.org/jira/browse/CLOUDSTACK-9070?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

John Kinsella resolved CLOUDSTACK-9070.
---------------------------------------
    Resolution: Fixed
      Assignee: John Kinsella  (was: Rohit Yadav)

Rohit added his key into the KEYS file...after importing that, I'm able to verify the release
now:

$ gpg --verify apache-cloudstack-4.5.2-src.tar.bz2.asc
gpg: Signature made Wed Aug 19 02:13:04 2015 PDT using RSA key ID 0EE3D884
gpg: Good signature from "Rohit Yadav (CODE SIGNING KEY) <bhaisaab@apache.org>”

Closing ticket.

> 4.5.x source downloads from apache.org fail gpg integrity test
> --------------------------------------------------------------
>
>                 Key: CLOUDSTACK-9070
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9070
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: Install and Setup
>    Affects Versions: 4.5.1, 4.5.2
>            Reporter: Udo Rader
>            Assignee: John Kinsella
>
> as described in 
> http://markmail.org/message/37udf7djizul5xuf 
> the currently available source downloads fail the gpg integrity check because the key
used to sign the packages is missing from 
> http://www.apache.org/dist/cloudstack/KEYS
> -------CUT-----
> [udo@artio Downloads]$ gpg --verify apache-cloudstack-4.5.2-src.tar.bz2.asc
> gpg: assuming signed data in `apache-cloudstack-4.5.2-src.tar.bz2'
> gpg: Signature made Wed 19 Aug 2015 11:13:04 AM CEST using RSA key ID
> 0EE3D884
> gpg: Can't check signature: public key not found
> -------CUT-----
> applies to 4.5.1 and 4.5.2 at least. 
> At least to me this makes the integrity of the source downloads dubious ...



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message