  1. Sling
  2. SLING-10775

Committers CLI Uses Missing people.apache.org Keys File


Details

    • Type: Bug
    • Status: Open
    • Priority: Critical
    • Resolution: Unresolved
    • Affects Version/s: Committer CLI 1.0.0
    • Fix Version/s: None
    • Component/s: Tooling
    • Labels: None

    Description

      The PGPSignatureValidator in the committer CLI downloads the keys from https://people.apache.org/keys/group/sling.asc, see:
      https://github.com/apache/sling-org-apache-sling-committer-cli/blob/998b654a1682cc1460d206dc4f40514995ad621e/src/main/java/org/apache/sling/cli/impl/pgp/PGPSignatureValidator.java#L97

      This is not recommended as per https://people.apache.org/keys/ and it is currently broken as this URL returns a 404.

      Relevant logs:

      docker run -e ASF_USERNAME -e ASF_PASSWORD apache/sling-cli release verify -r 2520
      bundle sling-cli:1.0.0.20210901125806280 (24)[org.apache.sling.cli.impl.pgp.PGPSignatureValidator(12)] : The readKeyRing method has thrown an exception
      java.lang.IllegalStateException: Sling keys file from /tmp/sling-keys.asc does not contain any keys.
          at org.apache.sling.cli.impl.pgp.PGPSignatureValidator.readKeyRing(PGPSignatureValidator.java:126)
          at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
          at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
          at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
          at java.base/java.lang.reflect.Method.invoke(Unknown Source)
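
      The log above reports an empty keys file rather than the 404 that caused it. As an added example (not code from the committer CLI; the class, method names and URL are hypothetical), a pre-check on the downloaded bytes that fails with the HTTP status and confirms at least one armored public key block is present before the data is handed to the PGP parser:

```java
import java.nio.charset.StandardCharsets;

// Added example; not code from the Sling committer CLI. All names here are hypothetical.
public class KeysFileCheck {
    static final String BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----";
    static final String END = "-----END PGP PUBLIC KEY BLOCK-----";

    /** Counts armored public key blocks in a download, failing with the real cause. */
    static int requireKeyBlocks(String url, int status, byte[] body) {
        if (status != 200) {
            // Report the HTTP failure here instead of saving the error page as a keys file
            throw new IllegalStateException("Download of " + url + " failed: HTTP " + status);
        }
        String text = new String(body, StandardCharsets.US_ASCII);
        int count = 0;
        int pos = text.indexOf(BEGIN);
        while (pos >= 0) {
            int end = text.indexOf(END, pos + BEGIN.length());
            if (end < 0) {
                throw new IllegalStateException("Truncated key block in " + url);
            }
            count++;
            pos = text.indexOf(BEGIN, end + END.length());
        }
        if (count == 0) {
            throw new IllegalStateException("No PGP public key block in " + url);
        }
        return count;
    }

    public static void main(String[] args) {
        String url = "https://keys.example.invalid/KEYS"; // placeholder URL
        // Constructed inputs: an error page, and an armored block whose payload is not a real key
        byte[] errorPage = "<html><body>Not Found</body></html>".getBytes(StandardCharsets.US_ASCII);
        byte[] armored = (BEGIN + "\n\nbm90IGEgcmVhbCBrZXk=\n" + END + "\n").getBytes(StandardCharsets.US_ASCII);

        System.out.println("key blocks: " + requireKeyBlocks(url, 200, armored));
        try {
            requireKeyBlocks(url, 404, errorPage);
        } catch (IllegalStateException e) {
            System.out.println(e.getMessage());
        }
        try {
            requireKeyBlocks(url, 200, errorPage); // 200 response with a non-key body
        } catch (IllegalStateException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

      The check only looks at the ASCII armor; parsing the key material and validating signatures remains the job of the PGP library.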

            People

              Assignee: Unassigned
              Reporter: Dan Klco (dklco)