[SLING-10775] Committers CLI Uses Missing people.apache.org Keys File - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Critical
Resolution: Duplicate
Affects Version/s: Committer CLI 1.0.0
Fix Version/s: None
Component/s: Tooling
Labels:
None

Description

The PGPSignatureValidator in the committer CLI downloads the keys from https://people.apache.org/keys/group/sling.asc, see:
https://github.com/apache/sling-org-apache-sling-committer-cli/blob/998b654a1682cc1460d206dc4f40514995ad621e/src/main/java/org/apache/sling/cli/impl/pgp/PGPSignatureValidator.java#L97

This is not recommended as per https://people.apache.org/keys/ and it is currently broken as this URL returns a 404.

Relevant logs:

docker run -e ASF_USERNAME -e ASF_PASSWORD apache/sling-cli release verify -r 2520
{{ bundle sling-cli:1.0.0.20210901125806280 (24)[org.apache.sling.cli.impl.pgp.PGPSignatureValidator(12)] : The readKeyRing method has thrown an exception}}
{{ java.lang.IllegalStateException: Sling keys file from /tmp/sling-keys.asc does not contain any keys.}}
{{ at org.apache.sling.cli.impl.pgp.PGPSignatureValidator.readKeyRing(PGPSignatureValidator.java:126)}}
{{ at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)}}
{{ at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)}}
{{ at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)}}
{{ at java.base/java.lang.reflect.Method.invoke(Unknown Source)}}

Attachments

Issue Links

duplicates

SLING-10837 The KEYS file should be retrieved from the correct location

Resolved

relates to

SLING-9173 Add KEYS file to https://dist.apache.org/repos/dist/release/sling

Resolved

links to

GitHub Pull Request #9

Activity

People

Assignee:: Unassigned

Reporter:: Dan Klco

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 01/Sep/21 13:15

Updated:: 27/Jan/22 14:07

Resolved:: 27/Jan/22 14:06