Hi Robert, It turned out that I did not have my key registered via id.apache.org. Other Apache projects that I work with use a KEYS file so I did not do this before.
I've added my fingerprint there now, so it should appear on sling.asc some time soon. Best regards, David On 7 May 2018 at 10:56, Robert Munteanu <romb...@apache.org> wrote: > Hi David, > > On Sat, 2018-05-05 at 20:50 +0100, dav...@apache.org wrote: > > You can use this UNIX script to download the release and verify the > > signatures: > > https://gitbox.apache.org/repos/asf?p=sling-tooling-release.git;a=blo > > b;f=check_staged_release.sh;hb=HEAD > > Signatures don't check out for me. I've tried manually verifying > > $ gpg --verify /tmp/sling- > staging/1899/org/apache/sling/org.apache.sling.feature/0.1.0/org.apache > .sling.feature-0.1.0.jar.asc > gpg: assuming signed data in '/tmp/sling- > staging/1899/org/apache/sling/org.apache.sling.feature/0.1.0/org.apache > .sling.feature-0.1.0.jar' > gpg: Signature made Sat 05 May 2018 10:08:32 PM EEST > gpg: using RSA key DDFD4F61F24F0D9F > gpg: Can't check signature: No public key > > I've re-imported the keys from [1], just to be sure, but there is > nothing there matching your ASF ID. > > Robert > > > [1]: https://people.apache.org/keys/group/sling.asc >