Hello,

Sorry, I should have indicated where we obtained Xerces from.

Given this is for integration with the JVM ecosystem, we are using Maven Central and obtained the files from there: https://repo.maven.apache.org/maven2/xerces/xercesImpl/2.12.2/

I believe that artifacts deployed on Maven Central should be fully verifiable, which means the signing key should be included in the documented KEYS file for the project.

Regards,

Louis Jacomet
Senior Lead Software Engineer
Gradle
W. gradle.com

On Wed, Dec 6, 2023 at 1:05 AM Mukul Gandhi <muk...@apache.org> wrote:
> Hi Louis,
>
> It seems to me that, for your needs, you may download the XercesJ 2.12.2
> distributable from https://xerces.apache.org/mirrors.cgi [1].
>
> The XercesJ release package downloaded from [1] should have a signature
> conforming to one of the signing keys available at
> https://downloads.apache.org/xerces/j/binaries/KEYS.
>
> On Tue, Dec 5, 2023 at 3:21 PM Louis Jacomet <lo...@gradle.com> wrote:
>
>> Hey folks,
>>
>> While upgrading the xerces version to 2.12.2 inside Gradle
>> <https://github.com/gradle/gradle/>, we cannot validate that the new key
>> used to sign the release is legitimate.
>>
>> The following key has been used:
>> 6CB87B18A453990EAC9453F87D713008CC07E9AD (Aurélien Pupier <apup...@redhat.com>)
>>
>> But this key is not listed in the KEYS file found at
>> https://downloads.apache.org/xerces/j/binaries/KEYS
>>
>> Can a developer confirm this signature is legitimate?
>> Or point us to the right location for performing this validation?
>>
>> Regards,
>>
>> Louis Jacomet
>>
>> Senior Lead Software Engineer
>>
>> Gradle
>> W. gradle.com
>
> --
> Regards,
> Mukul Gandhi
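The check both sides of this thread describe has two steps: `gpg --verify` proves the .asc was made by some key, and a cross-check against the project's KEYS file decides whether that key is one the project actually publishes. The second step is where Gradle's verification stalled. The script below is an added example, not code from this thread, from Xerces-J or from Gradle: it implements only the KEYS cross-check, with stdlib-only parsing of the OpenPGP packets (RFC 4880) involved, and leaves the cryptographic verification to gpg. The function names are mine; the two key blocks and the signatures it is tested with are constructed fixtures (structurally valid packets around toy values, not real keys), so it runs offline.

```python
"""Cross-check an artifact's OpenPGP signer against a project KEYS file (RFC 4880 parsing, stdlib
only).  Not a cryptographic check, which is `gpg --verify`'s job: is the signer a key the project publishes?"""
import base64
import hashlib
import re
import struct

def dearmor(text: str) -> list:
    """Binary packet stream of every armored block in `text` (a KEYS file holds many)."""
    blobs = []
    for block in re.findall(r"-----BEGIN PGP [^-]+-----\n(.*?)-----END PGP [^-]+-----", text.replace("\r\n", "\n"), re.S):
        lines = block.strip("\n").split("\n")
        if ":" in lines[0]:                       # armor headers (Version:, Comment:) run up to a blank line
            lines = lines[lines.index("") + 1:]
        blobs.append(base64.b64decode("".join(s for s in map(str.strip, lines) if s and s[0] != "=")))  # "=": CRC24
    return blobs

def _length(buf: bytes, i: int, two_octet_max: int) -> tuple:  # new-format length at buf[i] -> (len, next i)
    l1 = buf[i]
    if l1 < 192:
        return l1, i + 1
    if l1 <= two_octet_max:                       # 223 for packet headers, 254 for signature subpackets
        return ((l1 - 192) << 8) + buf[i + 1] + 192, i + 2
    if l1 == 255:
        return struct.unpack(">I", buf[i + 1:i + 5])[0], i + 5
    raise ValueError("partial body lengths are not supported")

def iter_packets(data: bytes):
    """Yield (tag, body) per packet; old- and new-format headers (RFC 4880 s4.2)."""
    i = 0
    while i < len(data):
        first = data[i]
        if first & 0xC0 == 0xC0:                  # new format: tag in the low 6 bits
            tag, (length, i) = first & 0x3F, _length(data, i + 1, 223)
        elif first & 0x80:                        # old format: tag in bits 2..5, length type in bits 0..1
            tag, n = (first >> 2) & 0x0F, (1, 2, 4, 0)[first & 3]
            length = int.from_bytes(data[i + 1:i + 1 + n], "big") if n else len(data) - i - 1  # 0: to end
            i += 1 + n
        else:
            raise ValueError("not an OpenPGP packet header")
        yield tag, data[i:i + length]
        i += length

def v4_fingerprint(key_body: bytes) -> str:
    """RFC 4880 s12.2: SHA-1 over 0x99 || two-octet length || public-key packet body."""
    if key_body[0] != 4:
        raise ValueError(f"only v4 keys are handled, got v{key_body[0]}")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body).hexdigest().upper()

def keys_file_fingerprints(keys_text: str) -> set:
    """Fingerprints of every primary key (tag 6) and subkey (tag 14) listed in KEYS."""
    return {v4_fingerprint(body) for blob in dearmor(keys_text)
            for tag, body in iter_packets(blob) if tag in (6, 14)}

def signature_issuer(sig_text: str) -> str:
    """40-hex fingerprint from an Issuer Fingerprint subpacket (type 33) if present, else 16-hex key ID (type 16)."""
    key_id = None
    for blob in dearmor(sig_text):
        for tag, body in iter_packets(blob):
            if tag != 2 or body[0] != 4:          # v4 signature packets only
                continue
            hl = struct.unpack(">H", body[4:6])[0]                    # hashed subpacket area ...
            ul = struct.unpack(">H", body[6 + hl:8 + hl])[0]          # ... then the unhashed area
            area, i = body[6:6 + hl] + body[8 + hl:8 + hl + ul], 0
            while i < len(area):
                length, i = _length(area, i, 254)
                typ, data = area[i] & 0x7F, area[i + 1:i + length]    # mask the "critical" bit
                i += length
                if typ == 33 and data[0] == 4:
                    return data[1:21].hex().upper()
                if typ == 16:
                    key_id = data.hex().upper()
    if not key_id:
        raise ValueError("signature carries no issuer information")
    return key_id

def signer_in_keys(sig_text: str, keys_text: str) -> bool:
    """Full fingerprint must match exactly; a bare key ID only matches the last 16 hex digits (weaker)."""
    issuer, fps = signature_issuer(sig_text), keys_file_fingerprints(keys_text)
    return issuer in fps if len(issuer) == 40 else any(fp.endswith(issuer) for fp in fps)

# ---- constructed fixtures: structurally valid packets around toy values, not real keys ----
def _armor(label: str, packets: bytes) -> str:
    return f"-----BEGIN PGP {label}-----\n\n{base64.b64encode(packets).decode()}\n-----END PGP {label}-----\n"

def make_test_key(modulus: bytes) -> tuple:
    """v4 RSA public-key packet (old-format header, tag 6) -> (armored KEYS text, fingerprint)."""
    mpi = lambda b: struct.pack(">H", int.from_bytes(b, "big").bit_length()) + b  # noqa: E731
    body = b"\x04" + struct.pack(">I", 1700000000) + b"\x01" + mpi(modulus) + mpi(b"\x01\x00\x01")
    return _armor("PUBLIC KEY BLOCK", bytes([0x80 | (6 << 2), len(body)]) + body), v4_fingerprint(body)

def make_test_signature(fingerprint: str, with_fingerprint: bool = True) -> str:
    """v4 binary-document signature (new-format header, tag 2) naming `fingerprint`; its MPI is junk."""
    fp = bytes.fromhex(fingerprint)
    hashed = b"\x05\x02" + struct.pack(">I", 1701800000)                 # creation-time subpacket
    if with_fingerprint:
        hashed += bytes([22, 33, 4]) + fp                                 # issuer-fingerprint subpacket
    unhashed = bytes([9, 16]) + fp[-8:]                                   # issuer key-ID subpacket
    body = (b"\x04\x00\x01\x08" + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + b"\xab\xcd\x00\x08\xa5")
    return _armor("SIGNATURE", bytes([0xC2, len(body)]) + body)
```

Against a real release the inputs are the `.asc` next to the jar in the Maven Central directory named in the thread and the KEYS file at https://downloads.apache.org/xerces/j/binaries/KEYS: run `gpg --verify xercesImpl-2.12.2.jar.asc xercesImpl-2.12.2.jar` first, then `signer_in_keys(asc_text, keys_text)`. A signer that is absent from KEYS makes the function return `False`, which is exactly the mismatch reported at the start of this thread; it says nothing about whether the key is legitimate, only that the project has not published it. Signatures made by older gpg versions carry only a 64-bit key ID and no fingerprint subpacket, so the function falls back to a suffix match in that case; treat that path as a weaker signal, since 64-bit key IDs can be brute-forced.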