Hi,

Have the releases been signed with a correct key?

Asking as [1] says this: "It is recommended that your Apache email address is used as the primary User-ID for the code signing key". The artefacts are signed by the aha...@adobe.com key F8502A44, which is obviously not an Apache email address.

If you ignore [1] (it's only recommended), the KEYS file contains the key C9383D43 with a subkey of F8502A44. Looking up aha...@adobe.com here [2] gives me the id C9383D43, not F8502A44. So it looks like it's been signed with the subkey and not the public key.

My (limited) understanding was that public keys are used for signing and subkeys for encryption. Does this matter? Not 100% sure, but [3] and [4] seem to imply that there might be an issue here.

Thanks,
Justin

1. http://www.apache.org/dev/release-signing.html#user-id
2. http://pgp.mit.edu/pks/lookup?search=aharui%40adobe.com&op=index
3. http://www.apache.org/dev/release-signing.html#subkey
4. http://www.gnupg.org/faq/subkey-cross-certify.html
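Added example (not part of Justin's message, and not Apache or GnuPG code): a small Python script that does mechanically the check described above, reading the Issuer key ID out of a detached .asc signature and looking it up in a KEYS file to report whether that ID is a primary key or a subkey listed under a primary. It parses the OpenPGP packet formats of RFC 4880 with the standard library only. The KEYS file and signature it runs on are constructed dummy data (fake RSA moduli, creation time 0, a made-up rm@example.org user ID), not any real Apache key, and all function names (dearmor, iter_packets, lookup_signer, ...) are this example's own.

```python
# Added example: map the Issuer key ID of a detached OpenPGP signature (.asc) to the matching
# KEYS file entry. RFC 4880 packet formats, standard library only; all key material is constructed dummy data.
import base64, hashlib, struct, textwrap

def dearmor(text):
    """Base64-decode every armored block; skips the gpg --list-keys prose an Apache KEYS file
    carries before each block, the 'Key: value' armor headers and the trailing '=CRC24' line."""
    raw, inside = [], False
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("-----BEGIN PGP"):
            inside = True
        elif line.startswith("-----END PGP"):
            inside = False
        elif inside and line and ":" not in line and not line.startswith("="):
            raw.append(line)                         # base64 never contains ':' or a leading '='
    return base64.b64decode("".join(raw))

def varlen(buf, i):  # length of a new-format packet or a subpacket (4.2.2 / 5.2.3.1) -> (length, next offset)
    first = buf[i]
    if first < 192:
        return first, i + 1
    if first < 255:
        return ((first - 192) << 8) + buf[i + 1] + 192, i + 2
    return struct.unpack(">I", buf[i + 1:i + 5])[0], i + 5

def iter_packets(data):
    """Yield (tag, body) per packet; old-format (4.2.1) and new-format headers. Partial body
    lengths (224-254, never used for key or signature packets) are not handled."""
    i = 0
    while i < len(data):
        ctb, i = data[i], i + 1
        if not ctb & 0x80 or (not ctb & 0x40 and ctb & 0x03 == 3):
            raise ValueError("bad or indeterminate-length packet header at offset %d" % (i - 1))
        if ctb & 0x40:                               # new format: tag in the low 6 bits
            tag, (length, i) = ctb & 0x3F, varlen(data, i)
        else:                                        # old format: tag in bits 2-5, 1/2/4-octet length
            tag, n = (ctb >> 2) & 0x0F, 1 << (ctb & 0x03)
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag, data[i:i + length]
        i += length

def key_id(key_body):
    """RFC 4880 12.2: v4 fingerprint = SHA-1(0x99, two-octet body length, public key packet body);
    the 64-bit key ID is its low 8 octets, and the short ID gpg prints in KEYS is the low 4."""
    fpr = hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body).digest()
    return fpr[-8:]

def load_keys(keys_text):
    """{key_id: (primary_key_id, 'primary' | 'subkey')} for every key in a KEYS file."""
    table, primary = {}, None
    for tag, body in iter_packets(dearmor(keys_text)):
        if tag == 6:                                 # Public-Key packet opens a new certificate
            primary = key_id(body)
            table[primary] = (primary, "primary")
        elif tag == 14 and primary is not None:      # Public-Subkey packet belongs to that primary
            table[key_id(body)] = (primary, "subkey")
    return table                                     # user IDs (13) and certifications (2) are skipped

def signature_issuer(sig_bytes):
    """Issuer key ID (subpacket type 16) named by the first v4 Signature packet, or None."""
    for tag, body in iter_packets(sig_bytes):
        if tag != 2 or body[0] != 4:
            continue
        pos = 4                                      # version, signature type, pubkey alg, hash alg
        for _ in range(2):                           # hashed subpacket area, then unhashed area
            area_len = struct.unpack(">H", body[pos:pos + 2])[0]
            area, pos, j = body[pos + 2:pos + 2 + area_len], pos + 2 + area_len, 0
            while j < len(area):                     # a subpacket's length counts its type octet
                n, j = varlen(area, j)
                if (area[j] & 0x7F) == 16:
                    return area[j + 1:j + n]
                j += n
    return None

def lookup_signer(keys_text, sig_text):
    """('primary' | 'subkey', primary key ID hex) for the key an .asc names; None if not in KEYS."""
    entry = load_keys(keys_text).get(signature_issuer(dearmor(sig_text)))
    return None if entry is None else (entry[1], entry[0].hex().upper())

# ---- constructed sample input: dummy moduli (not real RSA keys), armored the way gpg does ----
def mpi(v):
    return struct.pack(">H", v.bit_length()) + v.to_bytes((v.bit_length() + 7) // 8, "big")
def packet(tag, body):                               # new-format header with a one-octet length
    return bytes([0xC0 | tag, len(body)]) + body
def rsa_key_body(n):                                 # v4 public key: creation time 0, algorithm 1 (RSA)
    return b"\x04" + bytes(4) + b"\x01" + mpi(n) + mpi(65537)
def armor(label, data):
    b64 = "\n".join(textwrap.wrap(base64.b64encode(data).decode(), 64))
    return "-----BEGIN PGP %s-----\n\n%s\n-----END PGP %s-----\n" % (label, b64, label)
def detached_sig(issuer_id):                         # v4 binary-document signature naming issuer_id
    hashed = b"\x05\x02" + bytes(4)                  # creation-time subpacket in the hashed area
    unhashed = b"\x09\x10" + issuer_id               # Issuer subpacket in the unhashed area, as gpg does
    body = (b"\x04\x00\x01\x08" + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + bytes(2) + mpi(1))
    return armor("SIGNATURE", packet(2, body))

PRIMARY_BODY = rsa_key_body(int.from_bytes(bytes(range(1, 33)), "big"))
SUBKEY_BODY = rsa_key_body(int.from_bytes(bytes(range(33, 65)), "big"))
SAMPLE_KEYS = "pub   (dummy demo key)\nuid   Demo Release Manager <rm@example.org>\n" + armor(
    "PUBLIC KEY BLOCK", packet(6, PRIMARY_BODY) + packet(13, b"Demo Release Manager <rm@example.org>") + packet(14, SUBKEY_BODY))
SAMPLE_SIG = detached_sig(key_id(SUBKEY_BODY))       # the artefact was signed with the subkey
RESULT = lookup_signer(SAMPLE_KEYS, SAMPLE_SIG)     # ('subkey', '<primary key ID in hex>')
```

Against a real release, replace SAMPLE_KEYS and SAMPLE_SIG with the text of the project's KEYS file and of the artefact's .asc file. The script only identifies which key the signature names: the Issuer subpacket sits in the unhashed area, so it is a lookup hint that the signature does not itself protect, and the signature still has to be checked with gpg --verify against the imported KEYS file. Its answer is meant to be read alongside gpg's output, which reports the same key ID on the "using RSA key" line.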