[ https://issues.apache.org/jira/browse/SLING-9173?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17415401#comment-17415401 ]
Bertrand Delacretaz edited comment on SLING-9173 at 9/15/21, 9:28 AM:
----------------------------------------------------------------------

Not sure if that's what you are asking, but the following works for me: first failing, then importing a key from that KEYS file and then succeeding.

The {{--no-default-keyring --keyring /tmp/kr}} options are meant to ignore my default keyring for this example; you usually do not need them.

The "not certified with a trusted signature" bit means we don't know whether that key actually belongs to Justin, which is the case for all keys which do not have a web of trust connection to the key of the current user. But GPG did verify that the signature matches the jar file.

{code:java}
$ wget https://dist.apache.org/repos/dist/release/sling/adapter-annotations-1.0.0-javadoc.jar
$ wget https://dist.apache.org/repos/dist/release/sling/adapter-annotations-1.0.0-javadoc.jar.asc

$ gpg --no-default-keyring --keyring /tmp/kr --verify adapter-annotations-1.0.0-javadoc.jar.asc
gpg: assuming signed data in 'adapter-annotations-1.0.0-javadoc.jar'
gpg: Signature made Thu Jan 12 17:53:23 2012 CET
gpg:                using DSA key 87DBF05A134B145C
gpg: Can't check signature: No public key

$ curl -s https://downloads.apache.org/sling/KEYS | gpg --no-default-keyring --keyring /tmp/kr --import
...
gpg: Total number processed: 38
gpg:               imported: 38

$ gpg --no-default-keyring --keyring /tmp/kr --verify adapter-annotations-1.0.0-javadoc.jar.asc
gpg: assuming signed data in 'adapter-annotations-1.0.0-javadoc.jar'
gpg: Signature made Thu Jan 12 17:53:23 2012 CET
gpg:                using DSA key 87DBF05A134B145C
gpg: Good signature from "Justin Edelson (CODE SIGNING KEY) <jus...@apache.org>" [unknown]
gpg:                 aka "Justin Edelson <jus...@helemus.com>" [unknown]
gpg:                 aka "Justin Edelson <jus...@justinedelson.com>" [unknown]
gpg:                 aka "Justin Edelson <justin.edel...@mtvstaff.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: A04B C4AD 3639 6AD5 A52C  8FE1 87DB F05A 134B 145C
{code}

was (Author: bdelacretaz):

Not sure if that's what you are asking, but the following works for me: first failing, then importing a key from that KEYS file and then succeeding.

The {{--no-default-keyring --keyring /tmp/kr}} options are meant to ignore my default keyring for this example; you usually do not need them.

The "not certified with a trusted signature" bit means we don't know whether that key actually belongs to Justin, which is the case for all keys which do not have a web of trust connection to the key of the current user.

{code:java}
$ wget https://dist.apache.org/repos/dist/release/sling/adapter-annotations-1.0.0-javadoc.jar
$ wget https://dist.apache.org/repos/dist/release/sling/adapter-annotations-1.0.0-javadoc.jar.asc

$ gpg --no-default-keyring --keyring /tmp/kr --verify adapter-annotations-1.0.0-javadoc.jar.asc
gpg: assuming signed data in 'adapter-annotations-1.0.0-javadoc.jar'
gpg: Signature made Thu Jan 12 17:53:23 2012 CET
gpg:                using DSA key 87DBF05A134B145C
gpg: Can't check signature: No public key

$ curl -s https://downloads.apache.org/sling/KEYS | gpg --no-default-keyring --keyring /tmp/kr --import
...
gpg: Total number processed: 38
gpg:               imported: 38

$ gpg --no-default-keyring --keyring /tmp/kr --verify adapter-annotations-1.0.0-javadoc.jar.asc
gpg: assuming signed data in 'adapter-annotations-1.0.0-javadoc.jar'
gpg: Signature made Thu Jan 12 17:53:23 2012 CET
gpg:                using DSA key 87DBF05A134B145C
gpg: Good signature from "Justin Edelson (CODE SIGNING KEY) <jus...@apache.org>" [unknown]
gpg:                 aka "Justin Edelson <jus...@helemus.com>" [unknown]
gpg:                 aka "Justin Edelson <jus...@justinedelson.com>" [unknown]
gpg:                 aka "Justin Edelson <justin.edel...@mtvstaff.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: A04B C4AD 3639 6AD5 A52C  8FE1 87DB F05A 134B 145C
{code}

> Add KEYS file to https://dist.apache.org/repos/dist/release/sling
> -----------------------------------------------------------------
>
>                 Key: SLING-9173
>                 URL: https://issues.apache.org/jira/browse/SLING-9173
>             Project: Sling
>          Issue Type: Bug
>          Components: General
>            Reporter: Konrad Windszus
>            Assignee: Konrad Windszus
>            Priority: Major
>
> The link at https://sling.apache.org/downloads.cgi to
> https://www.apache.org/dist/sling/KEYS is broken, because the KEYS file was
> removed in 2013 from the dist directory.
> The file needs to be reestablished and
> https://sling.apache.org/documentation/development/release-management.html#appendix-a-create-and-add-your-key-to-peopleapacheorg
> needs to be updated.
> Compare with the discussion at
> https://lists.apache.org/thread.html/ra6807cd9c8d7921f4441f621b43c92aa90cb0380b0190e0da1461939%40%3Cdev.sling.apache.org%3E
> It is not allowed to instead just reference the file from
> https://people.apache.org/keys/group/sling.asc; for the reasoning, look at
> https://people.apache.org/keys/

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
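
Added example, not part of the original comment or of Apache Sling's release tooling: since a "Good signature" with [unknown] trust only shows that the signature matches some key in the keyring, a script can pin the primary key fingerprint from the transcript by parsing gpg's machine-readable {{--status-fd}} output. The function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: accept a release only if the signature is valid AND was made
# by the pinned primary key, instead of trusting any "Good signature" line.

# Fingerprint as printed on the page; spaces are stripped before comparing.
PINNED_FPR='A04B C4AD 3639 6AD5 A52C 8FE1 87DB F05A 134B 145C'

norm_fpr() { printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'; }

# Read "gpg --status-fd 1" output on stdin and print the primary-key
# fingerprint from the VALIDSIG record (field 12; field 3 on old gpg).
validsig_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print (NF >= 12 ? $12 : $3); exit }'
}

# check_status EXPECTED_FPR: succeed only for a VALIDSIG by the pinned key,
# and fail on bad, unverifiable, expired-key or revoked-key signatures.
check_status() {
    expected=$(norm_fpr "$1")
    status=$(cat)
    if printf '%s\n' "$status" |
        grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG) '; then
        return 1
    fi
    got=$(printf '%s\n' "$status" | validsig_fpr)
    [ -n "$got" ] && [ "$got" = "$expected" ]
}

# verify_pinned SIGFILE DATAFILE KEYRING FPR (hypothetical wrapper name)
verify_pinned() {
    gpg --no-default-keyring --keyring "$3" --status-fd 1 \
        --verify "$1" "$2" 2>/dev/null | check_status "$4"
}

# Constructed status output for a valid signature with undefined owner trust,
# the same situation as the "[unknown]" result in the transcript.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 87DBF05A134B145C Constructed Signer
[GNUPG:] VALIDSIG A04BC4AD36396AD5A52C8FE187DBF05A134B145C 2012-01-12 1326387203 0 4 0 17 2 00 A04BC4AD36396AD5A52C8FE187DBF05A134B145C
[GNUPG:] TRUST_UNDEFINED 0 pgp'

printf '%s\n' "$SAMPLE_STATUS" | check_status "$PINNED_FPR" && echo "pinned key OK"
```

The pinned fingerprint is only as trustworthy as the channel it was obtained from, so it should come from a source other than the download server that hosts the artifact.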