Details
- Bug
- Status: Resolved
- Critical
- Resolution: Duplicate
- Committer CLI 1.0.0
- None
- None
Description
The PGPSignatureValidator in the committer CLI downloads the keys from https://people.apache.org/keys/group/sling.asc, see:
https://github.com/apache/sling-org-apache-sling-committer-cli/blob/998b654a1682cc1460d206dc4f40514995ad621e/src/main/java/org/apache/sling/cli/impl/pgp/PGPSignatureValidator.java#L97
This is not recommended as per https://people.apache.org/keys/ and it is currently broken as this URL returns a 404.
Relevant logs:
docker run -e ASF_USERNAME -e ASF_PASSWORD apache/sling-cli release verify -r 2520
bundle sling-cli:1.0.0.20210901125806280 (24)[org.apache.sling.cli.impl.pgp.PGPSignatureValidator(12)] : The readKeyRing method has thrown an exception
java.lang.IllegalStateException: Sling keys file from /tmp/sling-keys.asc does not contain any keys.
    at org.apache.sling.cli.impl.pgp.PGPSignatureValidator.readKeyRing(PGPSignatureValidator.java:126)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.base/java.lang.reflect.Method.invoke(Unknown Source)
Issue Links
- duplicates: SLING-10837 The KEYS file should be retrieved from the correct location (Resolved)
- relates to: SLING-9173 Add KEYS file to https://dist.apache.org/repos/dist/release/sling (Resolved)
- links to
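
Added example (not Committer CLI code): a fail-closed check for the failure reported above, rejecting a non-200 or key-less KEYS response at download time instead of letting it surface later as an empty key ring. The class and method names, the placeholder URL and the sample bytes are assumptions constructed for illustration; the check covers only the armor framing and the first packet tag, not the keys themselves.

```java
import java.util.Base64;
// Hypothetical helper for illustration; names are not taken from the Committer CLI.
public class KeysResponseCheck {
    static final String BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----";
    static final String END = "-----END PGP PUBLIC KEY BLOCK-----";

    /** Returns the number of armored public key blocks, or throws before anything is cached. */
    static int checkKeysResponse(String url, int status, String body) {
        if (status != 200) {
            throw new IllegalStateException("KEYS download from " + url + " failed: HTTP " + status);
        }
        int keys = 0;
        StringBuilder b64 = null;      // non-null while inside an armored block
        boolean inHeaders = false;     // armor headers run until the first blank line
        for (String line : body.split("\\R")) {
            if (line.equals(BEGIN)) {
                b64 = new StringBuilder();
                inHeaders = true;
            } else if (b64 == null) {
                continue;              // free text between blocks, as KEYS files carry
            } else if (line.equals(END)) {
                byte[] packet = Base64.getMimeDecoder().decode(b64.toString());
                if (packet.length > 0 && isPublicKeyTag(packet[0] & 0xFF)) keys++;
                b64 = null;
            } else if (inHeaders) {
                inHeaders = !line.isBlank();
            } else if (!line.startsWith("=")) {   // skip the optional CRC-24 line
                b64.append(line);
            }
        }
        if (keys == 0) throw new IllegalStateException("Response from " + url + " contains no public keys");
        return keys;
    }
    // First octet of an OpenPGP Public-Key packet (tag 6): old format 0x98-0x9B, new format 0xC6.
    static boolean isPublicKeyTag(int octet) {
        return (octet & 0xFC) == 0x98 || octet == 0xC6;
    }
    public static void main(String[] args) {
        String url = "https://example.invalid/KEYS";     // placeholder URL
        byte[] dummy = {(byte) 0x99, 0x00, 0x01, 0x04};  // constructed bytes, not a real key
        String ok = "pub  sample\n" + BEGIN + "\n\n" + Base64.getEncoder().encodeToString(dummy) + "\n" + END + "\n";
        System.out.println(checkKeysResponse(url, 200, ok));
        try {
            checkKeysResponse(url, 404, "<html><body>Not Found</body></html>"); // constructed error page
        } catch (IllegalStateException e) {
            System.out.println(e.getMessage());
        }
    }
}
```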