FasterXML / jackson-jaxrs-providers

Multi-module project that contains Jackson-based "old" JAX-RS (ones under `javax.ws.rs`) providers for JSON, XML, YAML, Smile, CBOR formats
Apache License 2.0

Invalid signatures for jackson-jaxrs-base and jackson-jaxrs-json-provider 2.12.2 POM on Maven Central #142

Closed joschi closed 3 years ago

joschi commented 3 years ago

The signatures for the jackson-jaxrs-base 2.12.2 POM on Maven Central don't seem to match the uploaded signatures. The SHA-1 checksum on the other hand is matching the artifact:

# wget --quiet https://repo1.maven.org/maven2/com/fasterxml/jackson/jaxrs/jackson-jaxrs-base/2.12.2/jackson-jaxrs-base-2.12.2.pom https://repo1.maven.org/maven2/com/fasterxml/jackson/jaxrs/jackson-jaxrs-base/2.12.2/jackson-jaxrs-base-2.12.2.pom.asc https://repo1.maven.org/maven2/com/fasterxml/jackson/jaxrs/jackson-jaxrs-base/2.12.2/jackson-jaxrs-base-2.12.2.pom.sha1

# sha1sum -c <<< "$(cat jackson-jaxrs-base-2.12.2.pom.sha1)  jackson-jaxrs-base-2.12.2.pom"
jackson-jaxrs-base-2.12.2.pom: OK

# LANG=C gpg --verify jackson-jaxrs-base-2.12.2.pom.asc jackson-jaxrs-base-2.12.2.pom
gpg: Signature made Wed Mar  3 23:55:19 2021 CET
gpg:                using RSA key 8A10792983023D5D14C93B488D7F1BEC1E2ECAE7
gpg: BAD signature from "Tatu Saloranta (cowtowncoder) <tatu.saloranta@iki.fi>" [unknown]

The other artifacts (JAR, sources, Javadoc) have a valid signature.

# wget --quiet https://repo1.maven.org/maven2/com/fasterxml/jackson/jaxrs/jackson-jaxrs-base/2.12.2/jackson-jaxrs-base-2.12.2.jar https://repo1.maven.org/maven2/com/fasterxml/jackson/jaxrs/jackson-jaxrs-base/2.12.2/jackson-jaxrs-base-2.12.2.jar.asc https://repo1.maven.org/maven2/com/fasterxml/jackson/jaxrs/jackson-jaxrs-base/2.12.2/jackson-jaxrs-base-2.12.2.jar.sha1

# sha1sum -c <<< "$(cat jackson-jaxrs-base-2.12.2.jar.sha1)  jackson-jaxrs-base-2.12.2.jar"
jackson-jaxrs-base-2.12.2.jar: OK

# LANG=C gpg --verify jackson-jaxrs-base-2.12.2.jar.asc jackson-jaxrs-base-2.12.2.jar
gpg: Signature made Wed Mar  3 23:55:19 2021 CET
gpg:                using RSA key 8A10792983023D5D14C93B488D7F1BEC1E2ECAE7
gpg: Good signature from "Tatu Saloranta (cowtowncoder) <tatu.saloranta@iki.fi>" [unknown]
gpg:                 aka "Tatu Saloranta <tatu.saloranta@iki.fi>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8A10 7929 8302 3D5D 14C9  3B48 8D7F 1BEC 1E2E CAE7

Refs https://github.com/dropwizard/dropwizard/pull/3753

joschi commented 3 years ago

Same seems to be true for the POM of jackson-jaxrs-json-provider 2.12.2.

# wget --quiet https://repo1.maven.org/maven2/com/fasterxml/jackson/jaxrs/jackson-jaxrs-json-provider/2.12.2/jackson-jaxrs-json-provider-2.12.2.pom https://repo1.maven.org/maven2/com/fasterxml/jackson/jaxrs/jackson-jaxrs-json-provider/2.12.2/jackson-jaxrs-json-provider-2.12.2.pom.asc https://repo1.maven.org/maven2/com/fasterxml/jackson/jaxrs/jackson-jaxrs-json-provider/2.12.2/jackson-jaxrs-json-provider-2.12.2.pom.sha1

# sha1sum -c <<< "$(cat jackson-jaxrs-json-provider-2.12.2.pom.sha1)  jackson-jaxrs-json-provider-2.12.2.pom"
jackson-jaxrs-json-provider-2.12.2.pom: OK

# LANG=C gpg --verify jackson-jaxrs-json-provider-2.12.2.pom.asc jackson-jaxrs-json-provider-2.12.2.pom
gpg: Signature made Wed Mar  3 23:55:34 2021 CET
gpg:                using RSA key 8A10792983023D5D14C93B488D7F1BEC1E2ECAE7
gpg: BAD signature from "Tatu Saloranta (cowtowncoder) <tatu.saloranta@iki.fi>" [unknown]
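
The two checks run by hand above, combined into one tool as an added example (not code from this issue or from jackson-jaxrs-providers). The pinned fingerprint is the one gpg printed above; the status parsing assumes GnuPG's `--status-fd` line format (`[GNUPG:] BADSIG ...`, `[GNUPG:] VALIDSIG <fingerprint> ...`). The point it makes concrete is the one this issue shows: the `.sha1` file comes from the same repository as the artifact, so a matching checksum proves only that the download was not corrupted, while the signature is what ties the file to the release key.

```python
"""Added example (not jackson-jaxrs-providers code): verify a Maven Central
artifact as in the issue, keeping integrity (SHA-1) and authenticity (OpenPGP) apart."""
import hashlib
import subprocess
from pathlib import Path

# Fingerprint gpg printed in the issue; pinned so a "good" signature from some
# other, unknown key is not accepted as the release key.
EXPECTED_FPR = "8A10792983023D5D14C93B488D7F1BEC1E2ECAE7"


def sha1_matches(data: bytes, sha1_file_text: str) -> bool:
    """Compare data with the digest in a Maven .sha1 file (first token only:
    some .sha1 files also carry a filename or a trailing newline)."""
    return hashlib.sha1(data).hexdigest() == sha1_file_text.split()[0].lower()


def classify_signature(status_lines: list, expected_fpr: str) -> str:
    """Reduce `gpg --status-fd` lines to 'good', 'bad', 'wrong-key' or 'none'.
    GOODSIG only says the maths checks out; VALIDSIG carries the fingerprint."""
    fprs = set()
    for line in status_lines:
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] == "BADSIG":
            return "bad"
        if parts[1] == "VALIDSIG" and len(parts) > 2:
            fprs.add(parts[2].upper())
    if not fprs:
        return "none"
    return "good" if expected_fpr.upper() in fprs else "wrong-key"


def verify(data: bytes, sha1_text: str, status_lines: list,
           expected_fpr: str = EXPECTED_FPR) -> dict:
    """Pure core: report both checks; 'trusted' needs both to pass, so the
    2.12.2 POM case (checksum OK, BAD signature) comes out untrusted."""
    sig = classify_signature(status_lines, expected_fpr)
    ok = sha1_matches(data, sha1_text)
    return {"sha1_ok": ok, "signature": sig, "trusted": ok and sig == "good"}


def verify_artifact(artifact: Path, expected_fpr: str = EXPECTED_FPR) -> dict:
    """Read <artifact>, <artifact>.sha1 and <artifact>.asc (downloaded as in the issue)."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify",
         f"{artifact}.asc", str(artifact)], capture_output=True, text=True)
    return verify(artifact.read_bytes(), Path(f"{artifact}.sha1").read_text(),
                  proc.stdout.splitlines(), expected_fpr)
```
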

cowtowncoder commented 3 years ago

While unfortunate, I think this may be resolved by my uploading of more key metadata; assuming resolved.