Hi, On Fri, 2023-03-31 at 09:06 +0000, Stefan Seifert wrote: > hello andreas. > > i tried multiple times yesterday and today to validate the new > release, but the GPG validation is still failing for me, although > i've downloaded the updated KEYS [1] file in the same way it worked > for all the other keys. > > would be good if others can try it as well.
Same issue here. $ gpg --verify /tmp/sling- staging/2733/org/apache/sling/org.apache.sling.graphql.core/0.0.18/org. apache.sling.graphql.core-0.0.18-sources.jar.asc gpg: assuming signed data in '/tmp/sling- staging/2733/org/apache/sling/org.apache.sling.graphql.core/0.0.18/org. apache.sling.graphql.core-0.0.18-sources.jar' gpg: Signature made Tue 28 Mar 2023 09:00:10 PM CEST gpg: using EDDSA key 945906263A8BB1688AE5EB471E4FD64F2A8C0106 gpg: Can't check signature: No public key However, the signature present in the public KEYS file seems to be different (I'm not a GPG expert). gpg: key F2EB5CFC00FCB034: public key "Andreas Schaefer (CODE SIGNING KEY) <[email protected]>" imported Thanks, Robert > > stefan > > > [1] https://dist.apache.org/repos/dist/release/sling/KEYS > > > -----Original Message----- > > From: Andreas Schaefer <[email protected]> > > Sent: Thursday, March 30, 2023 6:20 PM > > To: dev <[email protected]> > > Subject: Release Apache Sling GraphQL Core 0.0.18 > > > > Hi > > > > I created a new release of GraphQL Core v 0.0.18 and put it up to a > > vote > > but so far nobody responded. > > > > This is an important release for AEM to fix a security issue in > > graphql- > > java:https://nvd.nist.gov/vuln/detail/CVE-2022-37734 > > > > Thanks - Andy
