Hi Florian, Juan Pablo, and all, I wanted to inform you that I have updated the documentation and replaced the files with signature issues. The problematic GPG signatures have been corrected, and the affected files have been re-uploaded.
Here is a summary of the actions taken: 1. Verified and corrected the signatures for the problematic artifacts. 2. Re-uploaded the corrected artifacts and their signatures to SVN. I apologize for the confusion and any inconvenience caused by the invalid signatures. If you encounter any further issues or have any concerns, please do not hesitate to reach out. Best regards, Arturo On Tue, Jun 25, 2024 at 11:38 AM Arturo Bernal <aber...@apache.org> wrote: > Hi All, > > I'm okay with not doing a new release and instead replacing the files that > have signature issues. > > > Arturo > > > On Mon, Jun 24, 2024 at 9:57 PM Juan Pablo Santos Rodríguez < > juanpablo.san...@gmail.com> wrote: > >> Hi! >> >> my bad: gpg --keyserver hkps://pgp.mit.edu/ --recv-keys 2D51AAC6 did >> not return the key, but gpg --keyserver hkps://keyserver.ubuntu.com >> --recv-keys 2D51AAC6 did. >> >> Done that, I've checked the sigs and basically the ones on the >> wikipages folder are the ones giving trouble. In this release, the >> name from the wikipages artifacts changed from >> jspwiki-wikipages-$LANG-2.12.2.zip to >> jspwiki-wikipages-$LANG-2.12.2-jspwiki.zip, so perhaps the name change >> has to do with this error? Also the markdown zip don't contain the asc >> files. I think they were added on a second pass during the release >> vote, so maybe that's why there aren't the asc fils (if they aren't >> b/c those zips get autogenerated we can fix that on the next release). >> Also I copied a bunch of convenience jars on binaries/webapp that were >> lacking their signatures. Also my bad for copying them without >> checking first. >> >> As for a new release, given that >> ./source/jspwiki-builder-2.12.2-source-release.zip contains a valid >> signature I wouldn't go for a new release. This is *the* release file, >> the important one, whereas the rest are just convenience binaries, so >> I think is ok if we fix the sigs directly at svn. For the wikipages it >> should be as easy as >> >> git checkout 2.12.2 >> cd jspwiki-wikipages >> mvn clean install gpg:sign >> >> and then just copy the files and sigs. Same could be done for the >> other convenience jars too >> >> makes sense? Does anyone thinks that this should warrant a 2.12.3 >> release, just in any case? If anybody is uncomfortable with proceeding >> like above we can always go with 2.12.3 and fix it there. >> >> >> cheers, >> juan pablo >> >> On Mon, Jun 24, 2024 at 7:56 PM Arturo Bernal <aber...@apache.org> wrote: >> > >> > Hi, >> > >> > The key is available (gpg --list-keys --fingerprint 2D51AAC6), but I >> don't >> > think that will solve the issue. It seems that I might have generated >> the >> > signature incorrectly. >> > >> > I checked and, yes, there are binaries that were signed correctly. >> > Verification worked for jspwiki-portable-2.12.2-woas.zip with >> > jspwiki-portable-2.12.2-woas.zip.asc. >> > >> > >> > >> > Best regards, >> >
