geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Kevan Miller <kevan.mil...@gmail.com>
Subject Re: Maven central has corrupted artifact org.apache.xbean:xbean-finder-shaded:jar:3.6
Date Wed, 27 Jan 2010 16:57:35 GMT
Hi Wendy,
Thanks for the note.

On Jan 27, 2010, at 9:50 AM, Wendy Smoak wrote:

> The message below was posted on the Maven Users list.  I confirmed
> that the checksum from [1] doesn't match, and then tried to verify the
> gpg signature:
> 
> imbrium:Downloads wsmoak$ gpg -v xbean-finder-shaded-3.6.jar.asc
> gpg: armor header: Version: GnuPG v1.4.7 (Darwin)
> gpg: assuming signed data in `xbean-finder-shaded-3.6.jar'
> gpg: Signature made Fri Sep 11 14:26:53 2009 MST using DSA key ID 56F3E01B
> gpg: Can't check signature: public key not found
> 
> I have imported http://www.apache.org/dist/geronimo/KEYS and I also
> searched http://pgp.mit.edu/ without finding it.
> 
> Can the owner of 56F3E01B / release manager for 3.6 please update the
> KEYS file, or let me know where to find it?

The signature verifies as signed by David Jencks. And I see his key id in our KEYS file. Can
you please re-verify?

I do see an error in the MD5 checksum. Pretty sure this occurred because maven 2.2 was used
to perform the release -- we ran into this problem with another release (where we detected
the problem). Seems we missed the problem in this xbean release.

--kevan
Mime
View raw message