Artifacts' PGP signatures


Slawomir Jaranowski

Aug 21, 2020, 4:45:55 PM
to jackson-dev
The latest release of the jackson artifact is signed by a PGP key, which is strange to me because the key doesn't have a UID.

Please confirm that this key belongs to someone who has the privilege to release a new version of the project.

It is difficult to verify the signature, e.g.:

gpg --recv-keys 8A10792983023D5D14C93B488D7F1BEC1E2ECAE7
gpg: key 8D7F1BEC1E2ECAE7: no user ID
gpg: Total number processed: 1

gpg --verify ~/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.11.2/jackson-databind-2.11.2.jar.asc 
gpg: assuming signed data in '...m2/repository/com/fasterxml/jackson/core/jackson-databind/2.11.2/jackson-databind-2.11.2.jar'
gpg: Signature made Sun Aug  2 20:36:50 2020 CEST
gpg:                using RSA key 8A10792983023D5D14C93B488D7F1BEC1E2ECAE7
gpg: Can't check signature: No public key

***************************************

Another case: jackson-databind-2.11.0.jar has a bad signature ... it can look like someone changed the content of jackson-databind-2.11.0.jar

gpg --verify ~/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.11.0/jackson-databind-2.11.0.jar.asc 
gpg: assuming signed data in '..m2/repository/com/fasterxml/jackson/core/jackson-databind/2.11.0/jackson-databind-2.11.0.jar'
gpg: Signature made Sun Apr 26 02:16:05 2020 CEST
gpg:                using RSA key 6214760097DC5CFAD0175AC2C9FBAA83A8753994
gpg: BAD signature from "Tatu Saloranta (cowtowncoder) <tatu.sa...@iki.fi>" [expired]


Tatu Saloranta

Aug 21, 2020, 4:50:31 PM
to jacks...@googlegroups.com
On Fri, Aug 21, 2020 at 1:45 PM Slawomir Jaranowski <s.jara...@gmail.com> wrote:
> The latest release of the jackson artifact is signed by a PGP key, which is strange to me because the key doesn't have a UID.
>
> Please confirm that this key belongs to someone who has the privilege to release a new version of the project.

Yes, this is the gpg key I generated after the earlier one expired by 2020-07-25. Not sure why the Brew-installed gnupg created something without a uid; I just used the defaults suggested.

> It is difficult to verify the signature, e.g.:
>
> gpg --recv-keys 8A10792983023D5D14C93B488D7F1BEC1E2ECAE7
> gpg: key 8D7F1BEC1E2ECAE7: no user ID
> gpg: Total number processed: 1
>
> gpg --verify ~/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.11.2/jackson-databind-2.11.2.jar.asc
> gpg: assuming signed data in '...m2/repository/com/fasterxml/jackson/core/jackson-databind/2.11.2/jackson-databind-2.11.2.jar'
> gpg: Signature made Sun Aug  2 20:36:50 2020 CEST
> gpg:                using RSA key 8A10792983023D5D14C93B488D7F1BEC1E2ECAE7
> gpg: Can't check signature: No public key
>
> ***************************************
>
> Another case: jackson-databind-2.11.0.jar has a bad signature ... it can look like someone changed the content of jackson-databind-2.11.0.jar
>
> gpg --verify ~/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.11.0/jackson-databind-2.11.0.jar.asc
> gpg: assuming signed data in '..m2/repository/com/fasterxml/jackson/core/jackson-databind/2.11.0/jackson-databind-2.11.0.jar'
> gpg: Signature made Sun Apr 26 02:16:05 2020 CEST
> gpg:                using RSA key 6214760097DC5CFAD0175AC2C9FBAA83A8753994
> gpg: BAD signature from "Tatu Saloranta (cowtowncoder) <tatu.sa...@iki.fi>" [expired]

I am not sure why you think there is something wrong with that key: perhaps the gpg messages are a bit misleading here. While the key is now expired, it was valid at the time of signing. Key expiration is defined at creation and is immutable; this is for security reasons (so that even if one accidentally exposes a key, it will not be valid for use forever). At least that is how I understand the above.

So, both keys are legit.

-+ Tatu +-

 


--
You received this message because you are subscribed to the Google Groups "jackson-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jackson-dev...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jackson-dev/235c792d-227f-41f8-82cd-7a6d7b713418n%40googlegroups.com.

Slawomir Jaranowski

Aug 21, 2020, 6:06:34 PM
to jacks...@googlegroups.com
An expired key has no impact on verification.

The pom has a correct signature:

gpg --verify ~/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.11.0/jackson-databind-2.11.0.pom.asc
gpg: assuming signed data in '....m2/repository/com/fasterxml/jackson/core/jackson-databind/2.11.0/jackson-databind-2.11.0.pom'
gpg: Signature made Sun Apr 26 02:16:06 2020 CEST
gpg:                using RSA key 6214760097DC5CFAD0175AC2C9FBAA83A8753994
gpg: Good signature from "Tatu Saloranta (cowtowncoder) <tatu.sa...@iki.fi>" [expired]
gpg: Note: This key has expired!
Primary key fingerprint: 6214 7600 97DC 5CFA D017  5AC2 C9FB AA83 A875 3994


--
Sławomir Jaranowski
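The three gpg outcomes that appear in this thread (no public key for the new UID-less key, a BAD signature on the 2.11.0 jar, and a good signature from a key that has since expired on the 2.11.0 pom) can be told apart mechanically from gpg's --status-fd lines, which are stable across locales unlike the human-readable messages quoted above. The POSIX shell below is an added example, not code from this thread or from the Jackson project; the status tokens are the documented ones from gpg's doc/DETAILS, and the sample lines it is fed are constructed here, reusing the key IDs quoted in the thread.

```shell
#!/bin/sh
# Classify a detached-signature check from gpg's machine-readable status
# lines (--status-fd). Reads status lines on stdin, prints one verdict:
#   good              GOODSIG: valid signature, key currently valid
#   good-expired-key  EXPKEYSIG: valid signature, key has expired since
#                     (the 2.11.0 pom case: "Good signature ... [expired]")
#   bad               BADSIG: the bytes do not match the signature
#                     (corrupt download, tampering, or an .asc from a
#                     different release set)
#   no-pubkey         NO_PUBKEY: signing key is not in the local keyring
#                     (the 2.11.2 case: "Can't check signature")
#   unknown           none of the above was seen
classify_gpg_status() {
  verdict=unknown
  while IFS= read -r line; do
    case "$line" in
      "[GNUPG:] GOODSIG "*)   verdict=good ;;
      "[GNUPG:] EXPKEYSIG "*) verdict=good-expired-key ;;
      "[GNUPG:] BADSIG "*)    verdict=bad ;;
      "[GNUPG:] NO_PUBKEY "*) verdict=no-pubkey ;;
    esac
  done
  printf '%s\n' "$verdict"
}

# Verify an artifact against its sibling .asc (e.g. jackson-databind-2.11.0.jar
# and jackson-databind-2.11.0.jar.asc), print the verdict, and succeed only
# for "good" or "good-expired-key".
verify_artifact() {
  v=$(gpg --batch --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null | classify_gpg_status)
  printf '%s\n' "$v"
  case "$v" in good|good-expired-key) return 0 ;; *) return 1 ;; esac
}

# Constructed status lines modelled on the thread's output (not real gpg
# captures); the key IDs are the ones quoted in the thread.
SAMPLE_EXPIRED='[GNUPG:] NEWSIG
[GNUPG:] EXPKEYSIG C9FBAA83A8753994 Tatu Saloranta (cowtowncoder)'
SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG C9FBAA83A8753994 Tatu Saloranta (cowtowncoder)'
SAMPLE_NOKEY='[GNUPG:] NEWSIG
[GNUPG:] NO_PUBKEY 8D7F1BEC1E2ECAE7'
```

A "bad" verdict is the only one that says the artifact bytes disagree with the signature; "good-expired-key" just reports that the key has expired since signing, as with the 2.11.0 pom above.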

Tatu Saloranta

Aug 21, 2020, 8:07:43 PM
to jacks...@googlegroups.com
On Fri, Aug 21, 2020 at 3:06 PM Slawomir Jaranowski
Ah, I see. Yes, I misread what you said and assumed you were referring to the expired key.

If I remember correctly, Sonatype Nexus was having serious performance issues at the time when 2.11.0 was released and (I think) managed to deploy a partial release somehow. I tried to make a new release, which was (somewhat correctly) blocked by Nexus. I worked with Sonatype support people to try to get a working version published, but I think they may have copied over a bad mix of artifacts in which the signature file for the jar was not from the same release set as the jar itself.

I tried to find the Jira issue, since I think I had to file one -- this is to make sure my recollection of the incident is related to the problem you see -- but could not quite locate it (see https://issues.sonatype.org/).

At this point I would just suggest avoiding that version: 2.11.2 is already out and should not suffer from the same problem.

As to the 2.11.0 problem itself: only Sonatype could help with the official artifact, but I suspect that even if that was rectified (by building from the 2.12.0 release tag in the git repo, which is easy enough) there is the problem of Maven repository caching, propagation to various secondary repos etc.

-+ Tatu +-


Slawomir Jaranowski

Aug 22, 2020, 6:21:45 AM
to jacks...@googlegroups.com
Thanks for your clarification.
I redownloaded the artifacts and signature from Maven Central and the signature is OK for jackson-databind-2.11.0.jar.

Probably there was some problem during the first download.


--
Sławomir Jaranowski

Tatu Saloranta

Aug 22, 2020, 6:32:48 PM
to jacks...@googlegroups.com
Thank you for verifying and apologies for the mess.
The reason I remember the incident is just that the timing was so unfortunate: right when the official 2.11.0 was released (and not during release candidates or so) :)

-+ Tatu +-
