[jira] [Created] (CLOUDSTACK-9070) 4.5.x source downloads from apache.org fail gpg integrity test

Udo Rader (JIRA) Tue, 17 Nov 2015 09:13:06 -0800

Udo Rader created CLOUDSTACK-9070:
-------------------------------------

             Summary: 4.5.x source downloads from apache.org fail gpg integrity 
test
                 Key: CLOUDSTACK-9070
                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9070
             Project: CloudStack
          Issue Type: Bug
      Security Level: Public (Anyone can view this level - this is the default.)
          Components: Install and Setup
    Affects Versions: 4.5.2, 4.5.1
            Reporter: Udo Rader



as described in 

http://markmail.org/message/37udf7djizul5xuf 

the currently available source downloads fail the gpg integrity check because 
the key used to sign the packages is missing from 
http://www.apache.org/dist/cloudstack/KEYS

-------CUT-----
[udo@artio Downloads]$ gpg --verify apache-cloudstack-4.5.2-src.tar.bz2.asc
gpg: assuming signed data in `apache-cloudstack-4.5.2-src.tar.bz2'
gpg: Signature made Wed 19 Aug 2015 11:13:04 AM CEST using RSA key ID
0EE3D884
gpg: Can't check signature: public key not found
-------CUT-----

applies to 4.5.1 and 4.5.2 at least. 

At least to me this makes the integrity of the source downloads dubious ...



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Created] (CLOUDSTACK-9070) 4.5.x source downloads from apache.org fail gpg integrity test

Reply via email to