  1. Solr
  2. SOLR-14527

The 8.5.1 release can't be verified using PGP


Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Implemented
    • 8.5.1
    • None
    • website
    • None

    Description

      The https://archive.apache.org/dist/lucene/solr/8.5.1/solr-8.5.1.tgz.asc signature of the https://archive.apache.org/dist/lucene/solr/8.5.1/solr-8.5.1.tgz file is made by the following key:

      pub rsa4096 2019-07-10 [SC]
      E58A6F4D5B2B48AC66D5E53BD4F181881A42F9E6
      uid [ unknown] Ignacio Vera (CODE SIGNING KEY) <ivera@apache.org>
      sub rsa4096 2019-07-10 [E]

       

      However, that key is not included in https://archive.apache.org/dist/lucene/solr/KEYS, so there is no way for me to verify that the file is authentic.  I could download the key from a keyserver, but there are no signatures on the key, so I'm left with no way to verify that the 8.5.1 distribution is legitimate.

      I'm assuming this is just an omission, and that ivera simply forgot to add the key to the KEYS file.
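
      The check the report describes, as an added example (not code from the issue or from the Solr project): it reads gpg's machine-readable output and accepts a signature only when the signer's primary fingerprint is listed in KEYS, so a key fetched from a keyserver does not count. The KEYS listing, the second fingerprint and the timestamps are constructed sample data; the signer fingerprint is the one quoted in the report.

```python
# Added example (not project code). Inputs are text captured from two gpg runs:
#   gpg --show-keys --with-colons KEYS
#   gpg --status-fd 1 --verify solr-8.5.1.tgz.asc solr-8.5.1.tgz
SIGNER = "E58A6F4D5B2B48AC66D5E53BD4F181881A42F9E6"  # fingerprint quoted in the report
KEYS_FPR = "A" * 32 + "01234567"                     # constructed, unrelated key

# Constructed KEYS listing: one primary key plus its encryption subkey.
SAMPLE_KEYS = (
    "pub:-:4096:1:AAAAAAAA01234567:946684800:::-:::scESC:\n"
    f"fpr:::::::::{KEYS_FPR}:\n"
    "sub:-:4096:1:BBBBBBBB89ABCDEF:946684800::::::e:\n"
    f"fpr:::::::::{'B' * 32}89ABCDEF:\n"
)
# Keyring holding only KEYS: gpg cannot find the signer's key (timestamps constructed).
STATUS_KEYS_ONLY = ("[GNUPG:] ERRSIG D4F181881A42F9E6 1 10 00 946684800 9\n"
                    "[GNUPG:] NO_PUBKEY D4F181881A42F9E6\n")
# Keyring that also holds a key pulled from a keyserver: the signature checks out.
STATUS_KEYSERVER = f"[GNUPG:] VALIDSIG {SIGNER} 2000-01-01 946684800 0 4 0 1 10 00 {SIGNER}\n"

def primary_fingerprints(colon_listing):
    """Fingerprints of primary keys only: the 'fpr' record that follows a 'pub'."""
    fprs, last = set(), None
    for line in colon_listing.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub"):
            last = f[0]
        elif f[0] == "fpr" and last == "pub" and len(f) > 9:
            fprs.add(f[9].upper())
            last = None
    return fprs

def check_release(status_output, keys_fprs):
    """Return (verdict, key) where key is a fingerprint or long key ID."""
    for line in status_output.splitlines():
        tok = line.split()[1:] if line.startswith("[GNUPG:] ") else []
        if not tok:
            continue
        if tok[0] == "VALIDSIG":
            # Field 10 is the primary key fingerprint when gpg supplies it.
            primary = (tok[10] if len(tok) > 10 else tok[1]).upper()
            return ("ok" if primary in keys_fprs else "valid-but-key-not-in-KEYS", primary)
        if tok[0] == "BADSIG":
            return ("bad-signature", tok[1])
        if tok[0] == "NO_PUBKEY":
            listed = any(fp.endswith(tok[1].upper()) for fp in keys_fprs)
            return ("key-in-KEYS-but-not-imported" if listed else "signing-key-not-in-KEYS", tok[1])
    return ("no-result", None)
```

      Only the "ok" verdict ties the download to the project's published keys; "valid-but-key-not-in-KEYS" is the situation the report describes after fetching the key from a keyserver.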


          People

            Unassigned Unassigned
            ceder Per Cederqvist