Details
- Bug
- Status: Resolved
- Major
- Resolution: Fixed
- 1.0
- None
- None
- Tested on Windows for the .zip downloads.
Description
The files commons-jci-bin.zip.asc and commons-jci-src.zip.asc are signed by public key 7C200941, which is not in the KEYS file listing authorized download signatures. This means that either security has been compromised and the downloaded files are fakes or (more likely) someone messed up and signed the JCI release files with the wrong key.
In either case this means that there is no currently available JCI 1.0 release (unless users ignore your own security warning to always verify downloads).
I suggest that the genuine 1.0 release files be signed with an authorized key already listed in the KEYS file, or the relevant key be added to the KEYS file on the commons site.
The bug may or may not affect the .tar.gz.asc files.
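
One way to run the check this report describes, as an added example (not part of the original report and not Apache Commons tooling): import only the KEYS file into a throwaway keyring and accept the download only if gpg reports a good signature from a key in it. The function names and the sample status lines are constructed for illustration; `verify_release` assumes gpg is installed.

```shell
#!/bin/sh
# Added example (not Apache Commons code). Verifies a download against ONLY the
# keys in the project's KEYS file, so keys already in a personal keyring cannot
# make a wrongly signed release look valid.

# Constructed gpg --status-fd output for the case reported here: signing key
# absent from the keyring. The upper 8 hex digits of the key ID are placeholders.
SAMPLE_UNKNOWN_KEY='[GNUPG:] ERRSIG 000000007C200941 17 2 00 1180000000 9
[GNUPG:] NO_PUBKEY 000000007C200941'
# Constructed output for a good signature by a key that is in the keyring.
SAMPLE_GOOD='[GNUPG:] GOODSIG 1111111111111111 Constructed Signer <signer@example.org>
[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2007-06-01 1180000000 0 3 0 17 2 00 1111111111111111111111111111111111111111'

# Read gpg status lines on stdin; print a verdict, return 0 only when trusted.
check_status() {
    _st=$(cat)
    _fpr=$(printf '%s\n' "$_st" | awk '$2 == "VALIDSIG" { print $3; exit }')
    _missing=$(printf '%s\n' "$_st" | awk '$2 == "NO_PUBKEY" { print $3; exit }')
    # GOODSIG is not emitted for expired or revoked keys, so require it too.
    if [ -n "$_fpr" ] && printf '%s\n' "$_st" | grep -q '^\[GNUPG:\] GOODSIG '; then
        echo "OK signed by key in KEYS: $_fpr"
        return 0
    fi
    if [ -n "$_missing" ]; then
        echo "FAIL signing key not in KEYS: $_missing"
    else
        echo "FAIL no valid signature"
    fi
    return 1
}

# Usage: verify_release KEYS file.zip.asc file.zip
verify_release() {
    _home=$(mktemp -d) || return 2
    gpg --homedir "$_home" --batch --quiet --import "$1" 2>/dev/null
    gpg --homedir "$_home" --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null |
        check_status
    _rc=$?
    rm -rf "$_home"
    return "$_rc"
}

# Run the check when called with the three file arguments.
if [ "$#" -eq 3 ]; then verify_release "$@"; fi
```

The throwaway `--homedir` is the important part: verifying in a default keyring that already holds other keys can report a good signature even though the signer is not listed in KEYS.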