I figured out what was wrong. During the release process, GPG signing 
happened before jarsigner happened.

jarsigner inserts the signature into the war file, which changes the war. 
So the signature became invalid.

In the 2.0 release, jarsigner somehow ran before gpg, so it produced the 
correct signature.

I don't know how to force this ordering in Maven. I'll ask around.


On Friday, April 22, 2016 at 3:03:08 PM UTC-7, Daniel Beck wrote:
>
>
> > On 22.04.2016, at 17:02, Steven Clark <stevendpcl...@gmail.com> wrote: 
> > 
> > Is anyone else aware that the GPG signatures seem to be faulty on the 
> repo? Or am I not verifying them correctly? 
>
> You're right. Something's wrong with KK's machine doing the signing (his 
> local Maven repo is affected as well). I'm filing INFRA issues so we get 
> this fixed. 
>
> Note that `jarsigner --verify` still works, so there's still a code 
> integrity check you can do. 
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Users" group.
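For the ordering question above, here is an added POM fragment (not from the thread or the Jenkins project) that pins jarsigner to the `package` phase and GPG to the later `verify` phase, so the detached GPG signature is always computed over the already-jarsigned archive. Plugin versions, the keystore path and the alias/key name are placeholders; Maven runs plugins bound to the same phase in POM declaration order, so keep jarsigner declared first if both are ever bound to the same phase.

```xml
<build>
  <plugins>
    <!-- Step 1: jarsigner rewrites the .war (adds META-INF/*.SF and the
         signature block), so it must run first, in the package phase. -->
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-jarsigner-plugin</artifactId>
      <version>${jarsigner.plugin.version}</version> <!-- placeholder -->
      <executions>
        <execution>
          <id>sign-war</id>
          <phase>package</phase>
          <goals><goal>sign</goal></goals>
        </execution>
      </executions>
      <configuration>
        <keystore>${project.basedir}/release.jks</keystore> <!-- placeholder -->
        <alias>release-key</alias>                          <!-- placeholder -->
      </configuration>
    </plugin>
    <!-- Step 2: GPG runs in the verify phase, after package, so the
         detached .asc covers the final bytes that get deployed. -->
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-gpg-plugin</artifactId>
      <version>${gpg.plugin.version}</version> <!-- placeholder -->
      <executions>
        <execution>
          <id>sign-artifacts</id>
          <phase>verify</phase>
          <goals><goal>sign</goal></goals>
        </execution>
      </executions>
      <configuration>
        <keyname>RELEASE-KEY-ID</keyname> <!-- placeholder -->
      </configuration>
    </plugin>
  </plugins>
</build>
```

After a build, `jarsigner -verify target/*.war` followed by `gpg --verify target/*.war.asc target/*.war` should both pass; if only the GPG check fails, the archive was modified after it was signed.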