commons-issues mailing list archives

From "Torsten Curdt (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (JCI-63) Released JCI 1.0 downloads are signed by a key NOT in the master KEYS file
Date Fri, 13 May 2011 07:38:47 GMT

    [ https://issues.apache.org/jira/browse/JCI-63?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13032874#comment-13032874 ]

Torsten Curdt commented on JCI-63:
----------------------------------

it is included in the central KEYS file so all is good now

https://people.apache.org/keys/group/commons.asc

> Released JCI 1.0 downloads are signed by a key NOT in the master KEYS file
> --------------------------------------------------------------------------
>
>                 Key: JCI-63
>                 URL: https://issues.apache.org/jira/browse/JCI-63
>             Project: Commons JCI
>          Issue Type: Bug
>          Components: site
>    Affects Versions: 1.0
>         Environment: Tested on Windows for the .zip downloads.
>            Reporter: J Bohm
>
> The files commons-jci-bin.zip.asc and commons-jci-src.zip.asc are signed by public key 7C200941, which is not in the KEYS file listing authorized download signatures.  This means that either security has been compromised and the downloaded files are fakes or (more likely) someone messed up and signed the JCI release files with the wrong key.
> In either case this means that there is no currently available JCI 1.0 release (unless users ignore your own security warning to always verify downloads).
> I suggest that the genuine 1.0 release files be signed with an authorized key already listed in the KEYS file, or the relevant key be added to the KEYS file on the commons site.
> The bug may or may not affect the .tar.gz.asc files.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
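
A pre-publication check for the mismatch reported above, as an added example (not code from the JIRA thread or the Commons project): it reads the issuer key ID that a detached `.asc` signature claims and tests whether a key with that ID appears in a KEYS file. The function names and the toy key and signature bytes are constructed for illustration; it handles v4 keys and signatures only and verifies nothing cryptographically.

```python
import base64, hashlib, re

def dearmor(text):
    """Binary payload of every ASCII-armored block in text, concatenated."""
    blocks = re.findall(r"-----BEGIN PGP [^\n]*\n(.*?)-----END PGP", text, re.S)
    return b"".join(base64.b64decode("".join(
        l.strip() for l in b.splitlines() if ":" not in l and l[:1] != "=")) for b in blocks)

def packets(data):
    """Yield (tag, body); partial, indeterminate and 5-octet lengths are unsupported."""
    i = 0
    while i < len(data):
        hdr, i = data[i], i + 1                      # bit 6 set = new-format header
        tag, w = (hdr & 0x3F, 1) if hdr & 0x40 else ((hdr >> 2) & 0x0F, 1 << (hdr & 3))
        n, i = int.from_bytes(data[i:i + w], "big"), i + w
        if hdr & 0x40 and n >= 192:                  # new-format two-octet length
            n, i = ((n - 192) << 8) + data[i] + 192, i + 1
        yield tag, data[i:i + n]
        i += n

def keyid(body):
    """Key ID of a v4 public-key packet: low 64 bits of its SHA-1 fingerprint."""
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).digest()[-8:]

def issuer(sig_text):
    """Issuer key ID a v4 signature claims (subpacket 16); not a cryptographic check."""
    for body in (b for t, b in packets(dearmor(sig_text)) if t == 2 and b[0] == 4):
        pos = 4
        for _ in range(2):                           # hashed area, then unhashed area
            pos, end = pos + 2, pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
            while pos < end:
                n, pos = body[pos], pos + 1          # one-octet subpacket lengths assumed
                if body[pos] & 0x7F == 16:
                    return body[pos + 1:pos + n]
                pos += n
    return None

def signed_by_listed_key(sig_text, keys_text):
    """True if the signature's claimed issuer is a key or subkey present in KEYS."""
    listed = {keyid(b) for t, b in packets(dearmor(keys_text)) if t in (6, 14) and b[0] == 4}
    return issuer(sig_text) in listed

# Constructed sample data: toy key material, not a real release key or signature.
def armor(kind, raw):
    return f"-----BEGIN PGP {kind}-----\n\n{base64.b64encode(raw).decode()}\n-----END PGP {kind}-----\n"
KEY = bytes.fromhex("044dcce100010010c35b0011010001")
KEYS = "pub  sample listing\n" + armor("PUBLIC KEY BLOCK", b"\x98\x0f" + KEY)
def sample_sig(kid):
    raw = bytes.fromhex("04000102000605024dcce200000a0910") + kid + bytes.fromhex("abcd0008ff")
    return armor("SIGNATURE", b"\x88" + bytes([len(raw)]) + raw)
```

The last eight hex digits of `issuer(...).hex().upper()` are the short key ID form quoted in the report. A listed issuer only says which key to verify against; the signature itself still has to be checked with an OpenPGP implementation.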
