[ https://issues.apache.org/jira/browse/CLOUDSTACK-9070?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15009119#comment-15009119 ]
John Kinsella commented on CLOUDSTACK-9070:
-------------------------------------------

Udo - thanks for pointing this out. The release was signed by Rohit Yadiv, but it looks like his public key is not in http://www.apache.org/dist/cloudstack/KEYS. I think it's just a simple mistake, not that there's a security risk. Will see if we can get this straightened out fairly soon. Assigning over to Rohit...

> 4.5.x source downloads from apache.org fail gpg integrity test
> --------------------------------------------------------------
>
> Key: CLOUDSTACK-9070
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9070
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public (Anyone can view this level - this is the default.)
> Components: Install and Setup
> Affects Versions: 4.5.1, 4.5.2
> Reporter: Udo Rader
>
> as described in
> http://markmail.org/message/37udf7djizul5xuf
> the currently available source downloads fail the gpg integrity check because
> the key used to sign the packages is missing from
> http://www.apache.org/dist/cloudstack/KEYS
> -------CUT-----
> [udo@artio Downloads]$ gpg --verify apache-cloudstack-4.5.2-src.tar.bz2.asc
> gpg: assuming signed data in `apache-cloudstack-4.5.2-src.tar.bz2'
> gpg: Signature made Wed 19 Aug 2015 11:13:04 AM CEST using RSA key ID 0EE3D884
> gpg: Can't check signature: public key not found
> -------CUT-----
> applies to 4.5.1 and 4.5.2 at least.
> At least to me this makes the integrity of the source downloads dubious ...

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
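The gpg output in this report ("public key not found") means no check took place, which is a different outcome from a signature that fails to match the data. The following is an added example, not part of the ticket or of CloudStack's tooling: it verifies a download against only the project's KEYS file and classifies gpg's `--status-fd` lines. The function names are hypothetical, and the sample key ID is the reported short ID padded with constructed zeros to the 16-digit form gpg prints.

```shell
#!/bin/sh
# Read gpg --status-fd lines on stdin and print one verdict:
#   bad          - a signature did not match the data (tampering or corruption)
#   nokey:<id>   - signing key not in the keyring, so nothing was verified
#   good         - signature matches a key in the keyring
#   unknown      - none of the above (expired or revoked key, no signature, ...)
classify_gpg_status() {
    good=0 bad=0 nokey=
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] BADSIG "*)    bad=1 ;;
            "[GNUPG:] GOODSIG "*)   good=1 ;;
            "[GNUPG:] NO_PUBKEY "*) nokey=${line#"[GNUPG:] NO_PUBKEY "} ;;
        esac
    done
    # Most severe result wins; an unverifiable signature is never reported as good.
    if   [ "$bad" = 1 ];  then echo bad
    elif [ -n "$nokey" ]; then echo "nokey:$nokey"
    elif [ "$good" = 1 ]; then echo good
    else echo unknown
    fi
}

# Verify against ONLY the published KEYS file, using a throwaway keyring, so a
# key already present in the user's own keyring cannot hide a missing KEYS entry.
# usage: verify_release KEYS file.asc file
verify_release() {
    tmp=$(mktemp -d) || return 2
    gpg --homedir "$tmp" --batch --quiet --import "$1" 2>/dev/null
    gpg --homedir "$tmp" --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null \
        | classify_gpg_status
    rm -rf "$tmp"
}

# Constructed status lines for the situation in this report.
printf '%s\n' '[GNUPG:] NEWSIG' '[GNUPG:] NO_PUBKEY 000000000EE3D884' \
    | classify_gpg_status
```

A `nokey` verdict calls for obtaining the signer's key through a channel independent of the download mirror and re-running the check; only `bad` indicates that the archive and signature disagree.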