Commons JCI / JCI-63

Released JCI 1.0 downloads are signed by a key NOT in the master KEYS file

Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.0
    • Fix Version/s: None
    • Component/s: site
    • Labels: None
    • Environment: Tested on Windows for the .zip downloads.

    Description

      The files commons-jci-bin.zip.asc and commons-jci-src.zip.asc are signed by public key 7C200941, which is not in the KEYS file listing authorized download signatures. This means that either security has been compromised and the downloaded files are fakes or (more likely) someone messed up and signed the JCI release files with the wrong key.

      In either case this means that there is no currently available JCI 1.0 release (unless users ignore your own security warning to always verify downloads).

      I suggest that the genuine 1.0 release files be signed with an authorized key already listed in the KEYS file, or the relevant key be added to the KEYS file on the commons site.

      The bug may or may not affect the .tar.gz.asc files.
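
      One way to automate the check this report describes, as an added example that is not part of the original issue or of the project's tooling: it reads the issuer key ID out of a detached `.asc` signature and tests it against the key IDs computed from the public-key blocks in a KEYS file. It assumes RFC 4880 packet formats and v4 keys in KEYS; all function names are hypothetical.

```python
import base64, hashlib, re

ARMOR = re.compile(r"-----BEGIN PGP [A-Z ]+-----(.*?)-----END PGP", re.S)

def varlen(buf, pos):
    """Decode a 1-, 2- or 5-octet OpenPGP length; return (length, next position)."""
    if buf[pos] < 192:
        return buf[pos], pos + 1
    if buf[pos] < 255:
        return ((buf[pos] - 192) << 8) + buf[pos + 1] + 192, pos + 2
    return int.from_bytes(buf[pos + 1:pos + 5], "big"), pos + 5

def packets(text):
    """Yield (tag, body) per packet in the armored blocks of text (no partial lengths)."""
    for block in ARMOR.findall(text.replace("\r\n", "\n")):
        lines = block.partition("\n\n")[2].split()       # body starts after the blank line
        data, pos = base64.b64decode("".join(l for l in lines if l[0] != "=")), 0  # "=" is CRC24
        while pos < len(data):
            hdr, pos = data[pos], pos + 1
            if hdr & 0x40:                               # new-format header
                tag = hdr & 0x3F
                n, pos = varlen(data, pos)
            else:                                        # old-format header
                tag, width = (hdr >> 2) & 0x0F, 1 << (hdr & 3)
                n, pos = int.from_bytes(data[pos:pos + width], "big"), pos + width
            yield tag, data[pos:pos + n]
            pos += n

def issuer_ids(sig):
    """8-byte key IDs a signature packet names as its issuer."""
    if sig[0] == 3:                                      # v3: fixed-offset field
        return {sig[7:15]}
    ids, pos = set(), 4                                  # v4: skip the 4 fixed octets
    for _ in range(2):                                   # hashed area, then unhashed area
        end = pos + 2 + int.from_bytes(sig[pos:pos + 2], "big")
        pos += 2
        while pos < end:
            n, pos = varlen(sig, pos)                    # n counts the type octet
            if sig[pos] & 0x7F == 16:                    # subpacket 16: issuer key ID
                ids.add(sig[pos + 1:pos + 9])
            pos += n
    return ids

def signer_listing(asc_text, keys_text):
    """Map each issuer key ID (hex) named in the .asc to whether a v4 key in KEYS has it."""
    allowed = {hashlib.sha1(b"\x99" + len(b).to_bytes(2, "big") + b).digest()[-8:]
               for t, b in packets(keys_text) if t in (6, 14) and b[0] == 4}  # low 64 bits of fingerprint
    named = {k for t, b in packets(asc_text) if t == 2 for k in issuer_ids(b)}
    return {k.hex().upper(): k in allowed for k in named}
```

      A `False` entry is the situation reported here, and an empty result means the signature names no issuer at all. The issuer field is only a claim, so a `True` entry still has to be followed by a full signature verification against the keys in KEYS.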

          People

            Assignee: Torsten Curdt (tcurdt)
            Reporter: J Bohm (tinyjbohm)