> On Jun 8, 2017, at 11:02 AM, Matt Sicker <boa...@gmail.com> wrote: > > Adding the appropriate key to the KEYS file after the fact should still > work. It would have the same cryptographic reliability as being added > beforehand as you can't exactly imitate a key.
Yes (mine has been up there since February actually), but the signature and the time stamp on the files didn't match me. Bad svn commit on my part initially. Doh. > >> On 8 June 2017 at 07:17, Rob Tompkins <chtom...@gmail.com> wrote: >> >> >> >>>> On Jun 8, 2017, at 8:09 AM, sebb <seb...@gmail.com> wrote: >>>> >>>> On 8 June 2017 at 01:20, Gary Gregory <garydgreg...@gmail.com> wrote: >>>> The ASC does not seem to have a public key.: >>>> >>>> gpg --verify commons-fileupload-1.3.3-source-release.zip.asc >>> >>> That is not the recommended way to check a sig; you also need the target >> file >>> >>> $ gpg --verify downloaded_file.asc downloaded_file >> >> Indeed, but if you don't specify it looks in the current directory for the >> file. >> >>> >>>> gpg: assuming signed data in 'commons-fileupload-1.3.3- >> source-release.zip' >>> >>> Note that gpg is assuming where to find the data. >>> >>>> gpg: Signature made 12/04/16 05:15:02 Pacific Standard Time using DSA >> key >>>> ID 7188601C >>>> *gpg: Can't check signature: No public key* >>> >>> However if the .asc file was not detached, gpg would not check the >> target file. >>> >>> https://www.apache.org/info/verification.html#specify_both >>> >>>> >>>> Also, the file naming should be consistent, >>>> https://dist.apache.org/repos/dist/dev/commons/fileupload/source/ has >> both >>>> "source-release" and "src". Not sure how you can end up with the >>>> differences beyond just the file extension. >>>> >>>> Gary >>>> >>>> >>>>> On Tue, Jun 6, 2017 at 11:20 AM, Rob Tompkins <chtom...@apache.org> >> wrote: >>>>> >>>>> Hello all, >>>>> >>>>> This is a [VOTE] for releasing Apache Commons Fileupload 1.3.3 (from >> RC5). >>>>> >>>>> Tag name: >>>>> commons-fileupload-1.3.3-RC5 (signature can be checked from git using >>>>> 'git tag -v') >>>>> >>>>> Tag URL: >>>>> https://git-wip-us.apache.org/repos/asf?p=commons- >>>>> fileupload.git;a=commit;h=dd2238b1671644cfead0e87c24a8ac61b4039084 >>>>> >>>>> Commit ID the tag points at: >>>>> dd2238b1671644cfead0e87c24a8ac61b4039084 >>>>> >>>>> Site: >>>>> http://home.apache.org/~chtompki/commons-fileupload-1.3.3-RC5 >>>>> >>>>> Distribution files (committed at revision 19901): >>>>> https://dist.apache.org/repos/dist/dev/commons/fileupload/ >>>>> >>>>> Distribution files hashes (SHA1): >>>>> commons-fileupload-1.3.3-bin.tar.gz >>>>> (SHA1: 2f4a9672168641ff726974a3b7cc68b97d1212fa) >>>>> commons-fileupload-1.3.3-bin.zip >>>>> (SHA1: b66e2c434ddbda90dfc9e92af4775d9777524bfa) >>>>> commons-fileupload-1.3.3-src.tar.gz >>>>> (SHA1: 71294a7d737a8ced04934c222ae6dfb16e4d8d73) >>>>> commons-fileupload-1.3.3-src.zip >>>>> (SHA1: 661172a2f62b460c4b754b7a0f04d412afabde52) >>>>> >>>>> These are the Maven artifacts and their hashes: >>>>> commons-fileupload-1.3.3-javadoc.jar >>>>> (SHA1: 92d2fc371379d64a822150ca3882157564dd3f99) >>>>> commons-fileupload-1.3.3-sources.jar >>>>> (SHA1: c8c7bcb851fb5af0b19e4ea845cf2fc03de6f673) >>>>> commons-fileupload-1.3.3-test-sources.jar >>>>> (SHA1: 5e0d8c621d38694e0f2960ab2899ee1d67f2b708) >>>>> commons-fileupload-1.3.3-tests.jar >>>>> (SHA1: 20510147958fc759582e6ede789ccf31d056b232) >>>>> commons-fileupload-1.3.3.jar >>>>> (SHA1: fd754c7518772453aea1d5ffc32cb5ce0ebc0e40) >>>>> commons-fileupload-1.3.3.pom >>>>> (SHA1: 97d781eafc190f4fee3abf11f9ec8076f5f7b58c) >>>>> >>>>> KEYS file to check signatures: >>>>> http://www.apache.org/dist/commons/KEYS >>>>> >>>>> Maven artifacts: >>>>> https://repository.apache.org/content/repositories/ >>>>> orgapachecommons-1249 >>>>> >>>>> Please select one of the following options[1]: >>>>> [ ] +1 Release it. >>>>> [ ] +0 Go ahead; I don't care. >>>>> [ ] -0 There are a few minor glitches: ... >>>>> [ ] -1 No, do not release it because ... >>>>> >>>>> This vote will be open at least 72 hours, i.e. until >>>>> 2017-06-09T19:00:00Z >>>>> (this is UTC time). >>>>> -------- >>>>> >>>>> Cheers, >>>>> -Rob >>>>> >>>>> [1] http://apache.org/foundation/voting.html >>>>> --------------------------------------------------------------------- >>>>> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org >>>>> For additional commands, e-mail: dev-h...@commons.apache.org >>>>> >>>>> >>> >>> --------------------------------------------------------------------- >>> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org >>> For additional commands, e-mail: dev-h...@commons.apache.org >>> >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org >> For additional commands, e-mail: dev-h...@commons.apache.org >> >> > > > -- > Matt Sicker <boa...@gmail.com> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org For additional commands, e-mail: dev-h...@commons.apache.org
