ghenzler commented on issue #2: SLING-8029 Retrieve gpg key automatically if it is missing in keyring
URL: https://github.com/apache/sling-tooling-release/pull/2#issuecomment-431813721
 
 
    If we do not use `--auto-key-retrieve` people will have to use 
`--recv-keys`, but I'm not sure that really everyone would cross-check with the 
fingerprint in [1]... we could automate that by going back to a solution 
similar to 2a986a96eeda5c08 (without `--auto-key-retrieve`), but with 
automatically cross-checking the fingerprint of the received key with [1] 
(using curl to get [1] and find the downloaded key's fingerprint in that result 
and then only running `gpg --verify` if valid)
   
   [1] https://people.apache.org/keys/group/sling.asc

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


With regards,
Apache Git Services
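
The cross-check proposed in the comment above, sketched as an added example; it is not part of the original message or of the Sling release tooling. It assumes GnuPG 2.2 or later (for `--show-keys`) and that the caller has already fetched the key with `--recv-keys`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not project code): allow-list check for a key fetched with --recv-keys.
KEYS_URL="https://people.apache.org/keys/group/sling.asc"   # [1] in the comment above

# Read `gpg --with-colons` output on stdin and print each primary key's fingerprint.
# The "fpr" record directly after a "pub" record belongs to the primary key (field 10).
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print toupper($10); want = 0; next }
             $1 != "fpr" { want = 0 }'
}

# Succeed only if fingerprint $1 appears, one per line, in allow-list file $2.
fpr_is_listed() {
    fpr=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    # Require a full 40-hex-digit fingerprint; short key IDs can collide.
    case "$fpr" in ''|*[!0-9A-F]*) return 1 ;; esac
    [ "${#fpr}" -eq 40 ] || return 1
    grep -qxF "$fpr" "$2"
}

# Hypothetical wrapper: $1 = key ID just received, $2 = signature, $3 = artifact.
verify_if_listed() {
    tmp=$(mktemp -d) || return 1
    rc=1
    # If the download or parse fails, the allow-list is empty and the check fails closed.
    if curl -fsS "$KEYS_URL" -o "$tmp/keys.asc" &&
       gpg --batch --show-keys --with-colons "$tmp/keys.asc" | primary_fprs > "$tmp/allowed"
    then
        got=$(gpg --batch --with-colons --fingerprint "$1" | primary_fprs | head -n 1)
        if fpr_is_listed "$got" "$tmp/allowed"; then
            gpg --batch --verify "$2" "$3"; rc=$?
        else
            echo "key $1 is not listed in $KEYS_URL; not verifying" >&2
        fi
    fi
    rm -rf "$tmp"
    return $rc
}
```

`gpg --verify` accepts a good signature from any key in the keyring, so a stricter variant would also compare the fingerprint on the `VALIDSIG` status line with the allow-list.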