Hi Aurélien,

Thanks for providing a trail.

Since the Maven Central published JAR has the same SHA256 checksum as the
one downloaded from the Xerces site, this is all good.

Regards,

Louis Jacomet

Senior Lead Software Engineer

Gradle
W. gradle.com




On Wed, Dec 6, 2023 at 9:48 AM Aurélien Pupier <apup...@redhat.com> wrote:

> Hello,
>
> This is my key.
> I'm not a committer of Xerces J but I handled the push to Maven repository
> as there was no committer with time available to do it or respond to my
> requests.
> See https://issues.apache.org/jira/browse/XERCESJ-1724 and
> https://issues.sonatype.org/browse/OSSRH-60102?focusedId=972176&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-972176
>
> If it is fine for committers, I can try to add my key to the place they
> want, or give the information which is needed for that.
>
> regards,
>
>
> On Wed, Dec 6, 2023 at 10:38 AM Louis Jacomet <lo...@gradle.com> wrote:
>
>> Hello,
>>
>> Sorry, I should have indicated where we obtained Xerces from.
>>
>> Given this is for integration with the JVM ecosystem, we are using Maven
>> Central and obtained the files from there:
>> https://repo.maven.apache.org/maven2/xerces/xercesImpl/2.12.2/
>>
>> I believe that artifacts deployed on Maven Central should be fully
>> verifiable, which means the signing key should be included in documented
>> KEYS for the project.
>>
>> Regards,
>>
>> Louis Jacomet
>>
>> Senior Lead Software Engineer
>>
>> Gradle
>> W. gradle.com
>>
>>
>>
>>
>> On Wed, Dec 6, 2023 at 1:05 AM Mukul Gandhi <muk...@apache.org> wrote:
>>
>>> Hi Louis,
>>>    It seems to me that, for your needs, you may download XercesJ 2.12.2
>>> distributable from https://xerces.apache.org/mirrors.cgi [1].
>>>
>>> The XercesJ release package downloaded from [1] should have a signature
>>> conforming to one of the signing keys available at
>>> https://downloads.apache.org/xerces/j/binaries/KEYS.
>>>
>>> On Tue, Dec 5, 2023 at 3:21 PM Louis Jacomet <lo...@gradle.com> wrote:
>>>
>>>> Hey folks,
>>>>
>>>> While upgrading the xerces version to 2.12.2 inside Gradle
>>>> <https://github.com/gradle/gradle/>, we cannot validate that the new
>>>> key used to sign the release is legitimate.
>>>>
>>>> The following key has been used:
>>>> 6CB87B18A453990EAC9453F87D713008CC07E9AD (Aurélien Pupier <apup...@redhat.com>)
>>>>
>>>> But this key is not listed in the KEYS file found at
>>>> https://downloads.apache.org/xerces/j/binaries/KEYS
>>>>
>>>> Can a developer confirm this signature is legitimate?
>>>> Or point us to the right location for performing this validation?
>>>>
>>>> Regards,
>>>>
>>>> Louis Jacomet
>>>>
>>>> Senior Lead Software Engineer
>>>>
>>>> Gradle
>>>> W. gradle.com
>>>>
>>>>
>>>
>>>
>>> --
>>> Regards,
>>> Mukul Gandhi
>>>
>>>
>>
>> *CONFIDENTIALITY NOTICE*: The contents of this email message, and any
>> attachments, are intended solely for the addressee(s) and may contain
>> confidential, proprietary and/or privileged information legally protected
>> from disclosure. If you are not the intended recipient of this
>> communication, or if you received this communication by mistake, please
>> notify the sender immediately and delete this message and any attachments.
>> If you are not the intended recipient, you are hereby notified that any
>> use, retransmission, dissemination, copying or storage of this message or
>> its attachments is strictly prohibited.
>>
>
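As an added example, not part of this thread and not code from the Xerces or Gradle projects: a Python helper that performs the check Louis asks for, namely that the fingerprint gpg reports for an artifact signature is one of the keys announced in the project's KEYS file, using only that KEYS file as the trusted keyring. The KEYS text is a constructed sample (not the real Xerces KEYS), and `verify_against_keys` assumes a `gpg` binary on PATH; only the signing fingerprint comes from the thread.

```python
import re
import subprocess
import tempfile

# Fingerprint of the key that signed xercesImpl 2.12.2 on Maven Central (quoted in the thread).
SIGNING_KEY = "6CB87B18A453990EAC9453F87D713008CC07E9AD"

# Constructed stand-in for an Apache KEYS file (not the real Xerces KEYS), showing the two
# fingerprint layouts gpg has printed over the years; the armored key blocks are elided.
SAMPLE_KEYS = """\
pub   4096R/12345678 2015-01-01
      Key fingerprint = 0123 4567 89AB CDEF 0123  4567 89AB CDEF 1234 5678
uid                  Example Committer <committer@example.org>
-----BEGIN PGP PUBLIC KEY BLOCK-----
-----END PGP PUBLIC KEY BLOCK-----
pub   rsa4096 2020-02-02 [SC]
      89ABCDEF0123456789ABCDEF0123456789ABCDEF
uid           [ultimate] Another Committer <other@example.org>
"""

FPR_TEXT = re.compile(r"Key fingerprint\s*=\s*((?:[0-9A-Fa-f]{4}\s*){10})")
FPR_BARE = re.compile(r"^\s*([0-9A-Fa-f]{40})\s*$", re.MULTILINE)

def keys_fingerprints(keys_text):
    """Fingerprints the KEYS text header announces, normalised to 40 upper-case hex digits."""
    found = {re.sub(r"\s+", "", m.group(1)).upper() for m in FPR_TEXT.finditer(keys_text)}
    found.update(m.group(1).upper() for m in FPR_BARE.finditer(keys_text))
    return found

def validsig_fingerprint(status_output):
    """Primary-key fingerprint from a `gpg --status-fd` VALIDSIG line (its last field), or None."""
    for line in status_output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[:2] == ["[GNUPG:]", "VALIDSIG"]:
            return parts[-1].upper()  # last field: primary key, even when a subkey signed
    return None

def key_is_published(signer_fpr, keys_text):
    """The question asked in the thread: is the signing key listed in the project's KEYS?"""
    return signer_fpr is not None and signer_fpr.upper() in keys_fingerprints(keys_text)

def verify_against_keys(artifact, signature, keys_path):
    """Verify the .asc trusting only the KEYS file; return the signer fingerprint or None."""
    with tempfile.TemporaryDirectory() as home:  # throwaway keyring: nothing from ~/.gnupg leaks in
        gpg = ["gpg", "--batch", "--homedir", home]
        subprocess.run(gpg + ["--import", keys_path], check=True, capture_output=True)
        res = subprocess.run(gpg + ["--status-fd", "1", "--verify", signature, artifact], capture_output=True, text=True)
        with open(keys_path, encoding="utf-8", errors="replace") as fh:
            fpr = validsig_fingerprint(res.stdout)
            return fpr if key_is_published(fpr, fh.read()) else None
```

Against the sample KEYS above, `key_is_published(SIGNING_KEY, SAMPLE_KEYS)` is False, which is exactly the situation the thread describes: a valid signature from a key the project has not published.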
