www-infrastructure-issues mailing list archives

From "Jens Erat (JIRA)" <j...@apache.org>
Subject [jira] [Created] (INFRA-10040) Signatures are created using the private key, not the public one as described in the documentation
Date Thu, 23 Jul 2015 21:33:04 GMT
Jens Erat created INFRA-10040:
---------------------------------

             Summary: Signatures are created using the private key, not the public one as described in the documentation
                 Key: INFRA-10040
                 URL: https://issues.apache.org/jira/browse/INFRA-10040
             Project: Infrastructure
          Issue Type: Bug
          Components: Documentation
            Reporter: Jens Erat
            Priority: Trivial


I hope I found the right place to file this issue; otherwise bear with me, I have little insight
into the Apache world.

As originally [reported by @tonix on Stack Overflow](http://stackoverflow.com/q/31596663/695343),
there is a problem with the wording in the Verifying Signatures documentation.

http://www.apache.org/dev/release-signing#verifying-signature

In the paragraph on "What Does Verifying A Signature Mean?", there is written:

> The signature file is a digest of the original file signed by a **public key** which
> attests to the digest's authenticity.

But signatures are not issued using the public key (which could've been generated by everybody),
but using the _private_ key. The public key therefore can be used to _verify_ the signature
was issued by the private key. The correct sentence would be:

> The signature file is a digest of the original file signed by a **private key** which
> attests to the digest's authenticity.

I haven't read through the rest of the lengthy document yet, but I'd guess this is just a
minor oversight, at least what I've read was fine otherwise.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
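The distinction the report makes (the private key creates the signature over the digest, the public key can only verify it) as an added Go example; this is not part of the original report or of Apache's release-signing tooling. It uses Ed25519 from the Go standard library in place of the OpenPGP keys Apache releases use, and the artifact bytes and both key pairs are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// signDigest mirrors what a release signature is: a digest of the artifact,
// signed with the PRIVATE key. Only the holder of the private key can do this.
func signDigest(priv ed25519.PrivateKey, artifact []byte) []byte {
	digest := sha256.Sum256(artifact)
	return ed25519.Sign(priv, digest[:])
}

// verifyDigest is what a downloader does: recompute the digest and check the
// signature with the PUBLIC key. The public key cannot produce a signature.
func verifyDigest(pub ed25519.PublicKey, artifact, sig []byte) bool {
	digest := sha256.Sum256(artifact)
	return ed25519.Verify(pub, digest[:], sig)
}

// demo returns whether (genuine, tampered, wrong-key) verification succeeds.
func demo() (bool, bool, bool) {
	// Release manager's key pair (constructed here for the example).
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Someone else's key pair: its public key must not validate the signature.
	otherPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	artifact := []byte("constructed release tarball contents") // constructed input
	sig := signDigest(priv, artifact)

	tampered := append([]byte{}, artifact...)
	tampered[0] ^= 0x01 // flip one bit in the artifact after signing

	return verifyDigest(pub, artifact, sig),
		verifyDigest(pub, tampered, sig),
		verifyDigest(otherPub, artifact, sig)
}

func main() {
	ok, tampered, wrongKey := demo()
	fmt.Printf("genuine: %v, tampered: %v, wrong key: %v\n", ok, tampered, wrongKey)
}
```

Only the genuine case verifies; a modified artifact or a public key that does not match the signing private key is rejected.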
