Great :-)
Am 15. September 2025 19:07:46 MESZ schrieb COURTAULT Francois <[email protected]>: >THALES GROUP LIMITED DISTRIBUTION to email recipients > >Hello Richard, > >You probably right. >Now I am able to see Markus Jung sting in the KEYS file. > >Sorry to not have performed a refresh. > >Best Regards. > >-----Original Message----- >From: Richard Zowalla <[email protected]> >Sent: vendredi 12 septembre 2025 11:06 >To: [email protected] >Subject: Re: TomEE package verification not working > > curl -sS https://downloads.apache.org/tomee/KEYS | grep > 85FBBE98D6C37CDA8A7D8FF9F9FF83A48D339D37 > 85FBBE98D6C37CDA8A7D8FF9F9FF83A48D339D37 > > > >> Am 12.09.2025 um 10:43 schrieb Richard Zowalla <[email protected]>: >> >> Maybe force refresh your cache. It's definitely in that file. >> >> >> Am 12. September 2025 10:08:59 MESZ schrieb COURTAULT Francois >> <[email protected]>: >>> THALES GROUP LIMITED DISTRIBUTION to email recipients >>> >>> Hello Richard, >>> >>> In the https://downloads.apache.org/tomee/KEYS file, I don't see any >>> uid [ultimate] Markus Jung (CODE SIGNING KEY) <[email protected]> >>> >>> If I search (CODE SIGNING KEY) in the KEYS file, I get: >>> - uid Richard Kenneth McGuire (CODE SIGNING KEY) >>> <[email protected]> >>> - uid Jarek Gawor (CODE SIGNING KEY) <[email protected]> >>> - uid Jean-Louis Monteiro (CODE SIGNING KEY) >>> <[email protected]> >>> sig 3 043F71D8 2012-09-28 Jean-Louis Monteiro (CODE SIGNING >>> KEY) <[email protected]> >>> sig 043F71D8 2012-09-28 Jean-Louis Monteiro (CODE SIGNING >>> KEY) <[email protected]> >>> - uid [ ultime ] Jean-Louis Monteiro (CODE SIGNING KEY) >>> <[email protected]> >>> - uid [uneingeschränkt] Richard Zowalla (Code Signing Key) >>> <[email protected]> >>> sig 3 DAB472F0E5B8A431 2022-04-12 Richard Zowalla (Code >>> Signing Key) <[email protected]> >>> sig DAB472F0E5B8A431 2022-04-12 Richard Zowalla (Code >>> Signing Key) <[email protected]> >>> So no Markus Jung entry here. >>> >>> The only "uid [ultimate]" is set for David Blevins and not for >>> Markus Jung. >>> >>> Best Regards. >>> >>> -----Original Message----- >>> From: Richard Zowalla <[email protected]> >>> Sent: jeudi 11 septembre 2025 19:15 >>> To: [email protected] >>> Subject: Re: TomEE package verification not working >>> >>> The link is correct. The key in question is contained in the file. >>> >>> pub rsa4096 2024-03-22 [SC] >>> 85FBBE98D6C37CDA8A7D8FF9F9FF83A48D339D37 >>> uid [ultimate] Markus Jung (CODE SIGNING KEY) <[email protected]> >>> sig 3 F9FF83A48D339D37 2024-03-22 [self-signature] >>> sub rsa4096 2024-03-22 [E] >>> sig F9FF83A48D339D37 2024-03-22 [self-signature] >>> >>> The only change ist, that Markus did the Release for 10.1.1. >>> >>> Gruß >>> Richard >>> >>> Am 11. September 2025 18:27:31 MESZ schrieb COURTAULT Francois >>> <[email protected]>: >>>> THALES GROUP LIMITED DISTRIBUTION to email recipients >>>> >>>> Hello everyone, >>>> >>>> In our pipeline for building TomEE Docker base images, we do this: >>>> + gpg --batch --verify apache-tomee-10.1.1-plus.tar.gz.asc >>>> apache-tomee-10.1.1-plus.tar.gz >>>> gpg: Signature made Sat Aug 16 12:18:25 2025 UTC >>>> gpg: using RSA key 85FBBE98D6C37CDA8A7D8FF9F9FF83A48D339D37 >>>> gpg: Can't check signature: No public key >>>> >>>> It was working with TomEE 10.1.0 but not anymore with TomEE 10.1.1. >>>> The keys used are located at https://downloads.apache.org/tomee/KEYS >>>> Is this location still valid for TomEE keys ? >>>> >>>> What has changed between 10.1.0 and 10.1.1 ? >>>> How to fix this issue ? any idea ? >>>> >>>> Best Regards. >>>> >>>> >>>>
