[
https://issues.apache.org/jira/browse/CLOUDSTACK-9070?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15009119#comment-15009119
]
John Kinsella commented on CLOUDSTACK-9070:
-------------------------------------------
Udo - thanks for pointing this out. The release was signed by Rohit Yadiv, but
it looks like his public key is not in
http://www.apache.org/dist/cloudstack/KEYS.
I think it's just a simple mistake, not that there's a security risk.
Will see if we can get this straightened out fairly soon. Assigning over to
Rohit...
> 4.5.x source downloads from apache.org fail gpg integrity test
> --------------------------------------------------------------
>
> Key: CLOUDSTACK-9070
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9070
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Components: Install and Setup
> Affects Versions: 4.5.1, 4.5.2
> Reporter: Udo Rader
>
> as described in
> http://markmail.org/message/37udf7djizul5xuf
> the currently available source downloads fail the gpg integrity check because
> the key used to sign the packages is missing from
> http://www.apache.org/dist/cloudstack/KEYS
> -------CUT-----
> [udo@artio Downloads]$ gpg --verify apache-cloudstack-4.5.2-src.tar.bz2.asc
> gpg: assuming signed data in `apache-cloudstack-4.5.2-src.tar.bz2'
> gpg: Signature made Wed 19 Aug 2015 11:13:04 AM CEST using RSA key ID
> 0EE3D884
> gpg: Can't check signature: public key not found
> -------CUT-----
> applies to 4.5.1 and 4.5.2 at least.
> At least to me this makes the integrity of the source downloads dubious ...
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
