Hi Justin, investigating it a little more ... ok now this is really strange. I do generate the poms to pom.xml and sign them, but they are renamed when uploading ... will change this ... thanks for reporting this :-)
Chris [ C h r i s t o f e r D u t z ] C-Ware IT-Service Inhaber Dipl. Inf. Christofer Dutz Alleestraße 23, 64367 Mühltal fon: 0 61 54 / 5779991 mobil: 0171 / 7 444 2 33 email: christofer.d...@c-ware.de http://www.c-ware.de FA Darmstadt: 07 813 60581 -----Ursprüngliche Nachricht----- Von: Christofer Dutz [mailto:christofer.d...@c-ware.de] Gesendet: Sonntag, 29. März 2015 11:30 An: dev@flex.apache.org Betreff: AW: Publish Maven artifacts for released versions of FlexUnit4? Oh ... thanks for that hint Justin. I added the signature stuff to the Ant scripts quite some time ago. For this I had to manually sign all artifacts. Will double-check to make sure the poms are signed too. Chris -----Ursprüngliche Nachricht----- Von: Justin Mclean [mailto:jus...@classsoftware.com] Gesendet: Sonntag, 29. März 2015 00:27 An: dev@flex.apache.org Betreff: Re: Publish Maven artifacts for released versions of FlexUnit4? Hi, > Could you guys please double check the artifacts ... I guess the main question is how do we confirm what source code this was compiled from? > I know this is not an official release, but I still thing the signatures need > verification. May be the way it been deployed? but the the jar sigs and md5 hashes are ok (and using an Apache email). but the pom file signature isn't. for file in *.asc; do echo $file; gpg --verify $file; done flexUnitTasks-4.2.0-javadoc.jar.asc gpg: Signature made Sun 29 Mar 04:03:33 2015 AEDT using RSA key ID 5C60D6B9 gpg: Good signature from "Christofer Dutz (Apache Comitter) <cd...@apache.org>" flexUnitTasks-4.2.0-sources.jar.asc gpg: Signature made Sun 29 Mar 04:03:27 2015 AEDT using RSA key ID 5C60D6B9 gpg: Good signature from "Christofer Dutz (Apache Comitter) <cd...@apache.org>" flexUnitTasks-4.2.0.jar.asc gpg: Signature made Sun 29 Mar 04:03:13 2015 AEDT using RSA key ID 5C60D6B9 gpg: Good signature from "Christofer Dutz (Apache Comitter) <cd...@apache.org>" flexUnitTasks-4.2.0.pom.asc gpg: no signed data gpg: can't hash datafile: No data Thanks, Justin
