Hi David, On Sat, 2018-05-05 at 20:50 +0100, dav...@apache.org wrote: > You can use this UNIX script to download the release and verify the > signatures: > https://gitbox.apache.org/repos/asf?p=sling-tooling-release.git;a=blo > b;f=check_staged_release.sh;hb=HEAD
Signatures don't check out for me. I've tried manually verifying $ gpg --verify /tmp/sling- staging/1899/org/apache/sling/org.apache.sling.feature/0.1.0/org.apache .sling.feature-0.1.0.jar.asc gpg: assuming signed data in '/tmp/sling- staging/1899/org/apache/sling/org.apache.sling.feature/0.1.0/org.apache .sling.feature-0.1.0.jar' gpg: Signature made Sat 05 May 2018 10:08:32 PM EEST gpg: using RSA key DDFD4F61F24F0D9F gpg: Can't check signature: No public key I've re-imported the keys from [1], just to be sure, but there is nothing there matching your ASF ID. Robert [1]: https://people.apache.org/keys/group/sling.asc
