Is key 0x0CDE80149711EB46DFF17AE421A24B3F8B0F594A for Karl Heinz Marbaise trusted?


Is key 0x0CDE80149711EB46DFF17AE421A24B3F8B0F594A for Karl Heinz Marbaise trusted?

Ward, Evan
Hi,

I have been attempting to verify the signatures on maven plugins using
the instructions on the downloads page, e.g. [1]. Several plugins have
been signed by the key 0x0CDE80149711EB46DFF17AE421A24B3F8B0F594A which
nominally belongs to Karl Heinz Marbaise, but this key is not present in the KEYS file at [2]. Does this key truly belong to an Apache Committer? If so please add it to the keys file. Karl has other keys in the KEYS file - is there a reason this specific key is not trusted?

This issue applies to at least the install plugin version 2.5.2 and the
deploy plugin version 2.8.2.

Best Regards,
Evan


[1] https://maven.apache.org/plugins/maven-deploy-plugin/download.cgi
[2] https://www.apache.org/dist/maven/KEYS


--
Evan Ward
Aerospace Engineer, Astrodynamics and Navigation Section
U.S. Naval Research Laboratory
T 202.279.4365
www.nrl.navy.mil

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Re: Is key 0x0CDE80149711EB46DFF17AE421A24B3F8B0F594A for Karl Heinz Marbaise trusted?

Karl Heinz Marbaise-3
Hi,

On 19.02.20 17:04, Ward, Evan wrote:
> Hi,
>
> I have been attempting to verify the signatures on maven plugins using
> the instructions on the downloads page, e.g. [1]. Several plugins have
> been signed by the key 0x0CDE80149711EB46DFF17AE421A24B3F8B0F594A which
> nominally belongs to Karl Heinz Marbaise, but this key is not present in the KEYS file at [2]. Does this key truly belong to an Apache Committer?

Yes it does.

https://maven.apache.org/team.html#khmarbaise




> If so please add it to the keys file. Karl has other keys in the KEYS file - is there a reason this specific key is not trusted?

What do you mean exactly by "not trusted"? ... You are checking via gpg
--verify?


Kind regards
Karl Heinz Marbaise

>
> This issue applies to at least the install plugin version 2.5.2 and the
> deploy plugin version 2.8.2.
>
> Best Regards,
> Evan
>
>
> [1] https://maven.apache.org/plugins/maven-deploy-plugin/download.cgi
> [2] https://www.apache.org/dist/maven/KEYS
>
>



RE: [maven] Re: Is key 0x0CDE80149711EB46DFF17AE421A24B3F8B0F594A for Karl Heinz Marbaise trusted?

jpyeron
> -----Original Message-----
> From: Karl Heinz Marbaise
> Sent: Wednesday, February 19, 2020 1:07 PM
>
> Hi,
>
> On 19.02.20 17:04, Ward, Evan wrote:
> > Hi,
> >
> > I have been attempting to verify the signatures on maven plugins using
> > the instructions on the downloads page, e.g. [1]. Several plugins have
> > been signed by the key 0x0CDE80149711EB46DFF17AE421A24B3F8B0F594A which
<snip/>
> > If so please add it to the keys file. Karl has other keys in the KEYS file - is there a reason this
> specific key is not trusted?
>
> What do you mean exactly by "not trusted" ? ...You are checking via gpg
> --verify ?

I think he meant that it is not included in the Apache Maven "Authorized" signing keys list found at:

<snip/>

> > [2] https://www.apache.org/dist/maven/KEYS


--
Jason Pyeron  | Architect
PD Inc        |
10 w 24th St  |
Baltimore, MD |
 
.mil: [hidden email]
.com: [hidden email]
tel : 202-741-9397






Re: Is key 0x0CDE80149711EB46DFF17AE421A24B3F8B0F594A for Karl Heinz Marbaise trusted?

Ward, Evan
In reply to this post by Karl Heinz Marbaise-3
Hi Karl,

On 2020/02/19 18:06:46, Karl Heinz Marbaise <[hidden email]> wrote:

> Hi,
>
> On 19.02.20 17:04, Ward, Evan wrote:
> > Hi,
> >
> > I have been attempting to verify the signatures on maven plugins using
> > the instructions on the downloads page, e.g. [1]. Several plugins have
> > been signed by the key 0x0CDE80149711EB46DFF17AE421A24B3F8B0F594A which
> > nominally belongs to Karl Heinz Marbaise, but this key is not present in the KEYS file at [2]. Does this key truly belong to an Apache Committer?
>
> Yes it does.
>
> https://maven.apache.org/team.html#khmarbaise


Great! Can you put it in KEYS? According to the documentation on your downloads page the KEYS file contains all keys trusted to release maven plugins. It does not include your key 0x0CDE80149711EB46DFF17AE421A24B3F8B0F594A. That is why I questioned whether there are trust issues concerning that particular key.

>
> > If so please add it to the keys file. Karl has other keys in the KEYS file - is there a reason this specific key is not trusted?
>
> What do you mean exactly by "not trusted" ? ...You are checking via gpg
> --verify ?

By "not trusted" I mean not in the KEYS file, which is how Apache conveys that certain keys are trusted to make releases on behalf of the maven project.

Best Regards,
Evan

>
> Kind regards
> Karl Heinz Marbaise
>
> >
> > This issue applies to at least the install plugin version 2.5.2 and the
> > deploy plugin version 2.8.2.
> >
> > Best Regards,
> > Evan
> >
> >
> > [1] https://maven.apache.org/plugins/maven-deploy-plugin/download.cgi
> > [2] https://www.apache.org/dist/maven/KEYS
> >
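
The distinction drawn in the last message, between a signature that verifies and a signing key that is listed in KEYS, can be checked mechanically from gpg's machine-readable output. This is an added example, not part of the thread or of Apache's tooling; the function names, file names, KEYS listing and status line are constructed, and only the fingerprint is taken from the thread.

```shell
# Added example, not from the thread. Real inputs would be captured with:
#   gpg --show-keys --with-colons KEYS                   > keys.colons
#   gpg --status-fd 1 --verify plugin.jar.asc plugin.jar > verify.status

# Every fingerprint (primary keys and subkeys) in the KEYS listing.
keys_fingerprints() {
    awk -F: '$1 == "fpr" { print toupper($10) }' "$1"
}

# Signing-key fingerprint and, if reported, primary-key fingerprint from VALIDSIG.
signer_fingerprints() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" {
        print toupper($3); if (NF >= 12) print toupper($12) }' "$1"
}

# 0: valid signature made by a key listed in KEYS
# 1: valid signature, but the key is not in KEYS (the case raised in the thread)
# 2: no valid signature reported at all
signed_by_keys_member() {
    signers=$(signer_fingerprints "$2")
    [ -n "$signers" ] || return 2
    for fpr in $signers; do
        if keys_fingerprints "$1" | grep -qxF "$fpr"; then return 0; fi
    done
    return 1
}

# Constructed KEYS listing: two placeholder fingerprints, neither is the thread's key.
sample_keys() {
    printf '%s\n' \
        'pub:-:4096:1:AAAAAAAAAAAAAAAA:1400000000:::-:::scESC:' \
        'fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:' \
        'pub:-:4096:1:BBBBBBBBBBBBBBBB:1500000000:::-:::scESC:' \
        'fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:'
}

# Constructed status line; only the fingerprint is taken from the thread.
sample_status() {
    thread_fpr=0CDE80149711EB46DFF17AE421A24B3F8B0F594A
    printf '[GNUPG:] VALIDSIG %s 2020-01-01 1577836800 0 4 0 1 8 00 %s\n' \
        "$thread_fpr" "$thread_fpr"
}

demo() {
    dir=$(mktemp -d) || return 3
    sample_keys > "$dir/keys.colons"; sample_status > "$dir/verify.status"
    rc=0; signed_by_keys_member "$dir/keys.colons" "$dir/verify.status" || rc=$?
    rm -rf "$dir"; return "$rc"
}
demo && echo "signer is in KEYS" || echo "signer is NOT in KEYS (status $?)"
```

Comparing full fingerprints rather than short key IDs avoids accepting a different key that happens to share an ID.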