openjpa-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Craig L Russell <Craig.Russ...@Sun.COM>
Subject Re: [VOTE] Approve OpenJPA 1.1.0 release
Date Wed, 28 May 2008 16:37:23 GMT
Hi Wendy,

I double checked a few of the artifacts, and you're right: the  
signatures are BAD on the .jar artifacts. Interestingly, the asc  
signatures are Good on the pom files.

Henk's web site is not as alarming as I had hoped it would be. What I  
got from the page was that  
Patrick's signing key wasn't in the Apache web of trust, which isn't a  
huge problem. If the note had been "BAD signature" instead of "file/ 
sig inconsistency" it would have raised a redder flag.

The staging artifacts at

  have the same problem: the .jar.asc signatures are bad but  
the .pom.asc signatures are good.

Patrick, do you know what happened?


On May 28, 2008, at 7:45 AM, wsmoak wrote:

> Craig L Russell wrote:
>> Sounds like your info is out of date by a couple of days.
>> I signed Patrick's key a few days ago.
> (Signed keys are a good thing, though it doesn't look like that has
> propagated yet.  Not sure how that happens.)
> The main issue that Henk raised [1] is inconsistent signatures--  
> the .asc
> file does not match the .jar file for those eight artifacts.  For  
> example:
> $ gpg --verify openjpa-jdbc-1.1.0.jar.asc openjpa-jdbc-1.1.0.jar
> gpg: Signature made Tue May 20 02:22:19 2008 UTC using DSA key ID  
> 513CA0DC
> gpg: BAD signature from "Patrick Linskey (CODE SIGNING KEY)
> <>"
> It usually means the file changed after it was signed.  Given that the
> release was re-done, is it possible something happened then?  (I do  
> see the
> other vote thread now that I look, thanks for the info... Google  
> didn't send
> me an alert. :/ )
> [1]
> Thanks,
> -- 
> Wendy
> -- 
> View this message in context:
> Sent from the OpenJPA Developers mailing list archive at

Craig Russell
Architect, Sun Java Enterprise System
408 276-5638
P.S. A good JDO? O, Gasp!

View raw message