Closed joschi closed 3 years ago
Same seems to be true for the POM of jackson-jaxrs-json-provider 2.12.2.
# wget --quiet https://repo1.maven.org/maven2/com/fasterxml/jackson/jaxrs/jackson-jaxrs-json-provider/2.12.2/jackson-jaxrs-json-provider-2.12.2.pom https://repo1.maven.org/maven2/com/fasterxml/jackson/jaxrs/jackson-jaxrs-json-provider/2.12.2/jackson-jaxrs-json-provider-2.12.2.pom.asc https://repo1.maven.org/maven2/com/fasterxml/jackson/jaxrs/jackson-jaxrs-json-provider/2.12.2/jackson-jaxrs-json-provider-2.12.2.pom.sha1
# sha1sum -c <<< "$(cat jackson-jaxrs-json-provider-2.12.2.pom.sha1) jackson-jaxrs-json-provider-2.12.2.pom"
jackson-jaxrs-json-provider-2.12.2.pom: OK
# LANG=C gpg --verify jackson-jaxrs-json-provider-2.12.2.pom.asc jackson-jaxrs-json-provider-2.12.2.pom
gpg: Signature made Wed Mar 3 23:55:34 2021 CET
gpg: using RSA key 8A10792983023D5D14C93B488D7F1BEC1E2ECAE7
gpg: BAD signature from "Tatu Saloranta (cowtowncoder) <tatu.saloranta@iki.fi>" [unknown]
While unfortunate, I think this may be resolved by my uploading of more key metadata; assuming resolved.
The signatures for the jackson-jaxrs-base 2.12.2 POM on Maven Central don't seem to match the uploaded signatures. The SHA-1 checksum on the other hand is matching the artifact:
The other artifacts (JAR, sources, Javadoc) have a valid signature.
Refs https://github.com/dropwizard/dropwizard/pull/3753