Date: Fri, 13 May 2011 07:38:47 +0000 (UTC)
From: "Torsten Curdt (JIRA)"
To: issues@commons.apache.org
Subject: [jira] [Resolved] (JCI-63) Released JCI 1.0 downloads are signed by a key NOT in the master KEYS file

[ https://issues.apache.org/jira/browse/JCI-63?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Torsten Curdt resolved JCI-63.
------------------------------

    Resolution: Fixed
      Assignee: Torsten Curdt

> Released JCI 1.0 downloads are signed by a key NOT in the master KEYS file
> --------------------------------------------------------------------------
>
>                 Key: JCI-63
>                 URL: https://issues.apache.org/jira/browse/JCI-63
>             Project: Commons JCI
>          Issue Type: Bug
>          Components: site
>    Affects Versions: 1.0
>         Environment: Tested on Windows for the .zip downloads.
>            Reporter: J Bohm
>            Assignee: Torsten Curdt
>
> The files commons-jci-bin.zip.asc and commons-jci-src.zip.asc are signed by public key 7C200941, which is not in the KEYS file listing authorized download signatures. This means that either security has been compromised and the downloaded files are fakes or (more likely) someone messed up and signed the JCI release files with the wrong key.
> In either case this means that there is no currently available JCI 1.0 release (unless users ignore your own security warning to always verify downloads).
> I suggest that the genuine 1.0 release files be signed with an authorized key already listed in the KEYS file, or the relevant key be added to the KEYS file on the commons site.
> The bug may or may not affect the .tar.gz.asc files.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
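
The check behind this report, as an added example (not code from the JCI project, the reporter or JIRA): it reads the issuer key ID out of a detached `.asc` signature and looks for it among the key IDs derived from the public keys in a `KEYS` file. All function names are hypothetical; it handles v4 keys and signatures only, compares 64-bit key IDs rather than 8-hex-digit short IDs (which can collide), and does not verify the signature itself, which still takes `gpg --verify`.

```python
import base64, hashlib, re  # added example: names are hypothetical, v4 packets only

def dearmor(text):
    """Binary contents of every ASCII-armored PGP block in text."""
    keep = lambda r: ":" not in r and r.strip()[:1] != "="  # skip armor headers, CRC line
    blocks = re.findall(r"-----BEGIN PGP [^\n]*\n(.*?)-----END PGP", text, re.S)
    return b"".join(base64.b64decode("".join(filter(keep, b.splitlines()))) for b in blocks)

def varlen(buf, i, two_max):
    """Decode a new-format length at buf[i]; return (length, index after it)."""
    if buf[i] < 192:
        return buf[i], i + 1
    if buf[i] <= two_max:
        return ((buf[i] - 192) << 8) + buf[i + 1] + 192, i + 2
    if buf[i] == 255:
        return int.from_bytes(buf[i + 1:i + 5], "big"), i + 5
    raise ValueError("partial body lengths are not handled")

def packets(data):
    """Yield (tag, body) for each OpenPGP packet (RFC 4880, section 4.2)."""
    i = 0
    while i < len(data):
        tag, size = (data[i] >> 2) & 0x0F, 1 << (data[i] & 3)  # old-format header
        n, j = int.from_bytes(data[i + 1:i + 1 + size], "big"), i + 1 + size
        if data[i] & 0x40:                                      # new-format header
            tag, (n, j) = data[i] & 0x3F, varlen(data, i + 1, 223)
        yield tag, data[j:j + n]
        i = j + n

def key_ids(keys_text):
    """64-bit key IDs (last 8 bytes of the SHA-1 fingerprint) of v4 keys and subkeys."""
    return {hashlib.sha1(b"\x99" + len(b).to_bytes(2, "big") + b).digest()[-8:].hex().upper()
            for tag, b in packets(dearmor(keys_text)) if tag in (6, 14) and b[:1] == b"\x04"}

def issuer_ids(sig_text):
    """Yield key IDs from issuer subpackets (type 16) of v4 signature packets."""
    for tag, body in packets(dearmor(sig_text)):
        if tag == 2 and body[:1] == b"\x04":
            h = int.from_bytes(body[4:6], "big")          # hashed-area length
            u = int.from_bytes(body[6 + h:8 + h], "big")  # unhashed-area length
            area, i = body[6:6 + h] + body[8 + h:8 + h + u], 0
            while i < len(area):
                n, i = varlen(area, i, 254)
                if area[i] & 0x7F == 16:
                    yield area[i + 1:i + n].hex().upper()
                i += n

def unlisted_signers(sig_text, keys_text):
    """Issuer key IDs of the signature that match no key in the KEYS file."""
    return set(issuer_ids(sig_text)) - key_ids(keys_text)
```

Call `unlisted_signers(asc_text, keys_text)` with the text of a `.asc` file and of `KEYS`; a non-empty result is the condition described in JCI-63.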