On 20/05/15 22:22, Cralle, Chris wrote:
> Hello Apache Dev,

Hi,

> I am attempting to validate the apacheds rpms using the RPM Signature. But
> so far, I have been unable to locate a single matching public GPG key that was
> used to sign any of your linux rpms?
>
> Where/How do you build your rpms, and what key is being used to sign them.

We use an old version of Tanuki wrapper, with a maven plugin we have written, to create the packages. I'm not sure we sign the resulting package using PGP though: when I run rpm -K on the rpm, here is what I get:

rpm -K ~/Downloads/apacheds-2.0.0-M20-x86_64.rpm
/Users/elecharny/Downloads/apacheds-2.0.0-M20-x86_64.rpm: (sha1) dsa sha1 md5 OK

OTOH, you can check the package against the md5/asc checksum which is available on http://directory.apache.org/apacheds/download/download-linux-rpm.html

> So far I have checked M20, M18, M17, they all have different rpm signatures.
> And none of them are in the master KEYS file. Nor could I find them on the
> pgp mit server.

All those versions were signed by me, using this:

https://pgp.mit.edu/pks/lookup?op=vindex&search=0x31474E5E7C6B7034

Not sure if this is what you are looking for...
