Hello,

This is my key. I'm not a committer of Xerces J, but I handled the push to the Maven repository as there was no committer with time available to do it or to respond to my requests. See https://issues.apache.org/jira/browse/XERCESJ-1724 and https://issues.sonatype.org/browse/OSSRH-60102?focusedId=972176&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-972176

If it is fine for the committers, I can try to add my key to the place they want, or give the information which is needed for that.

Regards,

On Wed, Dec 6, 2023 at 10:38 AM Louis Jacomet <lo...@gradle.com> wrote:
> Hello,
>
> Sorry, I should have indicated where we obtained Xerces from.
>
> Given this is for integration with the JVM ecosystem, we are using Maven Central and obtained the files from there: https://repo.maven.apache.org/maven2/xerces/xercesImpl/2.12.2/
>
> I believe that artifacts deployed on Maven Central should be fully verifiable, which means the signing key should be included in the documented KEYS for the project.
>
> Regards,
>
> Louis Jacomet
> Senior Lead Software Engineer
> Gradle
> W. gradle.com
>
> On Wed, Dec 6, 2023 at 1:05 AM Mukul Gandhi <muk...@apache.org> wrote:
>> Hi Louis,
>>
>> It seems to me that, for your needs, you may download the XercesJ 2.12.2 distributable from https://xerces.apache.org/mirrors.cgi [1].
>>
>> The XercesJ release package downloaded from [1] should have a signature conforming to one of the signing keys available at https://downloads.apache.org/xerces/j/binaries/KEYS.
>>
>> On Tue, Dec 5, 2023 at 3:21 PM Louis Jacomet <lo...@gradle.com> wrote:
>>> Hey folks,
>>>
>>> While upgrading the xerces version to 2.12.2 inside Gradle <https://github.com/gradle/gradle/>, we cannot validate that the new key used to sign the release is legitimate.
>>>
>>> The following key has been used: 6CB87B18A453990EAC9453F87D713008CC07E9AD (Aurélien Pupier <apup...@redhat.com>)
>>>
>>> But this key is not listed in the KEYS file found at https://downloads.apache.org/xerces/j/binaries/KEYS
>>>
>>> Can a developer confirm this signature is legitimate? Or point us to the right location for performing this validation?
>>>
>>> Regards,
>>>
>>> Louis Jacomet
>>> Senior Lead Software Engineer
>>> Gradle
>>> W. gradle.com
>>
>> --
>> Regards,
>> Mukul Gandhi
>
> *CONFIDENTIALITY NOTICE*: The contents of this email message, and any attachments, are intended solely for the addressee(s) and may contain confidential, proprietary and/or privileged information legally protected from disclosure. If you are not the intended recipient of this communication, or if you received this communication by mistake, please notify the sender immediately and delete this message and any attachments. If you are not the intended recipient, you are hereby notified that any use, retransmission, dissemination, copying or storage of this message or its attachments is strictly prohibited.
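The check the thread keeps circling back to, whether the key that signed the Maven Central artifact is one of the keys the project publishes in its KEYS file, written out as an added shell example. This is not code from the thread, from Gradle or from the Xerces project. It assumes gpg is installed for the live verification step (the KEYS parsing itself needs only POSIX tools), that the artifact and signature follow the standard Maven layout (xercesImpl-2.12.2.jar and xercesImpl-2.12.2.jar.asc under the directory URL quoted above), and that gpg's `--status-fd` output carries the signer's primary fingerprint as the last field of its VALIDSIG line. The KEYS excerpt and the fingerprint 0123 4567 ... in it are constructed for the offline demo and belong to no real project.

```shell
#!/bin/sh
# Added example, not from the thread or the Xerces project: check that the key which
# signed a Maven Central artifact is one of the keys a project publishes in its KEYS file.
# Only the live step (verify_against_keys) needs gpg; the KEYS parsing uses POSIX tools.

# Normalize a fingerprint: drop whitespace, uppercase the hex.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \t' | tr '[:lower:]' '[:upper:]'
}

# Print the normalized fingerprints listed in a KEYS file, one per line.
# ASF KEYS files show each fingerprint as ten 4-hex-digit groups
# ("6CB8 7B18 ... E9AD"); bare 40-hex-digit runs are accepted too.
keys_fingerprints() {
    grep -Eo '([0-9A-Fa-f]{4} ){9}[0-9A-Fa-f]{4}|[0-9A-Fa-f]{40}' "$1" \
        | tr -d ' ' | tr '[:lower:]' '[:upper:]' | sort -u
}

# Exit 0 if fingerprint $1 is listed in KEYS file $2, 1 otherwise.
fpr_in_keys() {
    _want=$(norm_fpr "$1")
    keys_fingerprints "$2" | grep -qx "$_want"
}

# Live check: verify artifact $1 against detached signature $2 using only the keys in
# KEYS file $3, then confirm the signer's primary fingerprint is listed there.
verify_against_keys() {
    _artifact=$1; _sig=$2; _keys=$3
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 2; }
    _tmp=$(mktemp -d) || return 2
    chmod 700 "$_tmp"
    # A throwaway keyring holds nothing but the KEYS file, so a key from the user's
    # own keyring (or a keyserver) cannot make an unlisted signer look valid.
    _signer=$(
        GNUPGHOME=$_tmp gpg --batch --quiet --import "$_keys" 2>/dev/null
        GNUPGHOME=$_tmp gpg --batch --status-fd 1 --verify "$_sig" "$_artifact" 2>/dev/null \
            | awk '$2 == "VALIDSIG" { print $NF }'
    )
    rm -rf "$_tmp"
    [ -n "$_signer" ] || { echo "FAIL: bad signature or signer not in $_keys" >&2; return 1; }
    fpr_in_keys "$_signer" "$_keys" \
        || { echo "FAIL: signer $_signer not listed in $_keys" >&2; return 1; }
    echo "OK: signed by $_signer, listed in $_keys"
}

# Constructed KEYS excerpt (not any real project's file) written to path $1, so the
# fingerprint check can be exercised offline; the key block body is a placeholder.
write_sample_keys() {
    cat > "$1" <<'EOF'
pub   rsa4096 2020-01-01 [SC]
      0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567
uid           Example Releaser <releaser@example.invalid>
-----BEGIN PGP PUBLIC KEY BLOCK-----
(placeholder, constructed for this example)
-----END PGP PUBLIC KEY BLOCK-----
EOF
}

# Offline demo: the thread's signing key is absent from the sample KEYS, the
# constructed one is present. Exit status 0 when both lookups come out as expected.
demo() {
    _f=$(mktemp) || return 2
    write_sample_keys "$_f"
    _rc=0
    if fpr_in_keys 6CB87B18A453990EAC9453F87D713008CC07E9AD "$_f"; then
        echo "unexpected: 6CB8...E9AD is listed"; _rc=1
    else
        echo "as in the thread: 6CB8...E9AD is not listed in KEYS"
    fi
    if fpr_in_keys "0123 4567 89ab cdef 0123 4567 89AB CDEF 0123 4567" "$_f"; then
        echo "constructed key is listed"
    else
        echo "unexpected: constructed key missing"; _rc=1
    fi
    rm -f "$_f"
    return $_rc
}

# Usage for the real artifact (run by hand; needs network and gpg; file names assume
# the standard Maven layout under the directory URL from the thread):
#   curl -O https://repo.maven.apache.org/maven2/xerces/xercesImpl/2.12.2/xercesImpl-2.12.2.jar
#   curl -O https://repo.maven.apache.org/maven2/xerces/xercesImpl/2.12.2/xercesImpl-2.12.2.jar.asc
#   curl -o KEYS https://downloads.apache.org/xerces/j/binaries/KEYS
#   verify_against_keys xercesImpl-2.12.2.jar xercesImpl-2.12.2.jar.asc KEYS
demo
```

The point of the throwaway keyring is the one Louis raises: a signature that verifies against whatever happens to be in your local keyring proves only that you once imported that key, while verifying against a keyring seeded solely from the project's KEYS file ties the artifact to the keys the project itself vouches for. A valid signature from a key that is not in KEYS, the situation in the thread, comes back as FAIL here rather than as a silent pass.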