infra-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Christopher Tubbs (JIRA)" <j...@apache.org>
Subject [jira] [Created] (INFRA-13620) Nexus sometimes fails GPG check
Date Mon, 06 Mar 2017 22:51:32 GMT
Christopher Tubbs created INFRA-13620:
-----------------------------------------

             Summary: Nexus sometimes fails GPG check
                 Key: INFRA-13620
                 URL: https://issues.apache.org/jira/browse/INFRA-13620
             Project: Infrastructure
          Issue Type: Bug
          Components: Nexus
            Reporter: Christopher Tubbs


When attempting to close the staging repository in Nexus, orgapacheaccumulo-1064, the close
failed the signature validation check, because it could not retrieve keys from various keyservers.

This was probably a temporary failure, nad the staging repository has since been closed.

The strange thing was that the orgapacheaccumulo-1063 staging repository did not seem to have
any failures closing.

This got me thinking... why does Nexus need to check various keyservers on the internet at
all? ASF pretty much already runs one here: https://people.apache.org/keys/committer/

Is this an upstream rule imposed by Sonatype, or is this something we can work around with
a check against our own published keys (either the referenced people.apache.org page, or the
concatenation of all projects' KEYS files).



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Mime
View raw message