Hi Louis, It seems to me that, for your needs you may download XercesJ 2.12.2 distributable from https://xerces.apache.org/mirrors.cgi [1].
The XercesJ release package downloaded from [1], should have a signature conforming to one of the signing key available at https://downloads.apache.org/xerces/j/binaries/KEYS. On Tue, Dec 5, 2023 at 3:21 PM Louis Jacomet <lo...@gradle.com> wrote: > Hey folks, > > While upgrading the xerces version to 2.12.2 inside Gradle > <https://github.com/gradle/gradle/>, we cannot validate that the new key > used to sign the release is legitimate. > > The following key has been used: > 6CB87B18A453990EAC9453F87D713008CC07E9AD (Aurélien Pupier < > apup...@redhat.com>) > > But this key is not listed in the KEYS file found at > https://downloads.apache.org/xerces/j/binaries/KEYS > > Can a developer confirm this signature is legitimate? > Or point us to the right location for performing this validation? > > Regards, > > Louis Jacomet > > Senior Lead Software Engineer > > Gradle > W. gradle.com > > -- Regards, Mukul Gandhi
