https://bz.apache.org/bugzilla/show_bug.cgi?id=69725
Bug ID: 69725
Summary: gpg verification is broken
Product: Ant
Version: 1.10.15
Hardware: Macintosh
OS: other
Status: NEW
Severity: blocker
Priority: P2
Component: Other
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---
gpg verification appears broken using the instructions on
https://ant.apache.org/bindownload
Possibly the signatures or process is borked in some way. Two things I noticed
when I tried to verify the zip file:
1. A number of signatures in the .asc file are expired. E.g.
0BADE59B0EC24E68C03CA4815EFAD9FE82A7FBCD
uid Antoine Levy-Lambert (CODE SIGNING KEY) <[email protected]>
sub rsa4096 2010-11-02 [E]
pub rsa4096 2018-06-13 [SC] [expired: 2022-06-13]
8DA70C00DF7AF1B0D2F9DC74DDBCC1270A29D081
uid jaikiran@apache <[email protected]>
sub rsa4096 2018-06-13 [E] [expired: 2022-06-13]
pub rsa4096 2022-12-11 [SC]
2. gpg thinks something else is wrong in the KEYS file:
~/Downloads$ gpg -a KEYS
gpg: WARNING: no command supplied. Trying to guess what you mean ...
gpg: orphaned user ID
gpg: standalone signature of class 0x10
gpg: can't handle this ambiguous signature data
gpg: can't handle this ambiguous signature data
3. gpg can't verify the signature:
$ gpg --verify apache-ant-1.10.15-bin.zip.asc
gpg: assuming signed data in 'apache-ant-1.10.15-bin.zip'
gpg: Signature made Sun Aug 25 10:51:07 2024 EDT
gpg: using RSA key 0A123C1ED3F13A6A0140E166C71FB765CD9DE313
gpg: Can't check signature: No public key
It's of course possible there are bugs in gpg causing this and the KEYS and
signature files are correct. But even if so, the fact remains that the
instructions given on the web site don't work, at least on Mac OS X 10.15.
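The "Can't check signature: No public key" message in step 3 of the report is what gpg prints when the signing key is not in the local keyring; on `--status-fd` it appears as a `NO_PUBKEY` line. As an added example (not part of the bug report or the Ant project), these shell functions import KEYS into a throwaway keyring and reduce gpg's status lines to one verdict. The function names, verdict strings and sample status lines are constructed, and the expected fingerprint is assumed to have been confirmed out of band.

```shell
#!/bin/sh
# Added example: judge a release signature from gpg's machine-readable
# status lines (--status-fd) rather than its human-readable messages.

# classify_status EXPECTED_FPR   (status lines on stdin, one verdict on stdout)
# EXPECTED_FPR is a fingerprint you confirmed out of band (assumption).
classify_status() (
    expected=$1; good=0; fpr=; primary=; problem=
    [ -n "$expected" ] || { echo "usage: classify_status FPR" >&2; exit 2; }
    while read -r tag kw a rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case $kw in
            GOODSIG)   good=1 ;;
            VALIDSIG)  fpr=$a; primary=${rest##* } ;;   # last field: primary key
            NO_PUBKEY) problem="MISSING_KEY $a" ;;      # key not in the keyring
            EXPKEYSIG) problem="EXPIRED_KEY $a" ;;
            EXPSIG)    problem="EXPIRED_SIG $a" ;;
            REVKEYSIG) problem="REVOKED_KEY $a" ;;
            BADSIG)    problem="BAD_SIGNATURE $a" ;;
        esac
    done
    if [ -n "$problem" ]; then echo "$problem"
    elif [ "$good" = 1 ] && { [ "$fpr" = "$expected" ] || [ "$primary" = "$expected" ]; }
    then echo OK
    elif [ "$good" = 1 ]; then echo "WRONG_KEY $fpr"
    else echo UNKNOWN
    fi
)

# verify_release KEYS SIGFILE DATAFILE EXPECTED_FPR
# Imports KEYS into a throwaway keyring so only those keys can satisfy the check.
verify_release() (
    GNUPGHOME=$(mktemp -d) || exit 2
    export GNUPGHOME
    gpg --quiet --import "$1" 2>/dev/null
    gpg --status-fd 1 --verify "$2" "$3" 2>/dev/null | classify_status "$4"
    rm -rf "$GNUPGHOME"
)

# Constructed sample: status output when the signing key is not in the keyring.
sample_no_key() {
    printf '%s\n' \
        '[GNUPG:] NEWSIG' \
        '[GNUPG:] ERRSIG C71FB765CD9DE313 1 10 00 1724597467 9 0A123C1ED3F13A6A0140E166C71FB765CD9DE313' \
        '[GNUPG:] NO_PUBKEY C71FB765CD9DE313'
}
# sample_no_key | classify_status 0A123C1ED3F13A6A0140E166C71FB765CD9DE313
```

Only an `OK` verdict means a good signature from the expected key; `MISSING_KEY` means the import step did not put the signing key in the keyring, which is a different failure from a bad signature.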