carlossg / docker-maven

Official Docker image with Maven
Apache License 2.0

chore: maven 4.0.0 prebuilds #333

Open carlossg opened 1 year ago

carlossg commented 1 year ago

Looks like the gpg key used to sign 4.0.0 alpha is not in the Apache Maven KEYS file @bmarwell?

# gpg: key D433A5AD: accepted non self-signed user ID "Benjamin Marwell <bmarwell@apache.org>"
# + gpg --batch --verify apache-maven-4.0.0-alpha-4-bin.tar.gz.asc apache-maven-4.0.0-alpha-4-bin.tar.gz
# gpg: Signature made Fri Jan 27 15:39:00 2023 UTC using ? key ID 599C5736

and

# + gpg --batch --import --quiet /tmp/KEYS
# + gpg --batch --verify apache-maven-4.0.0-alpha-4-bin.tar.gz.asc apache-maven-4.0.0-alpha-4-bin.tar.gz
# gpg: Signature made Fri 27 Jan 2023 03:39:00 PM UTC
# gpg:                using EDDSA key 073F7A9345756F3B40CDB99E6C70A3B7599C5736
# gpg: Can't check signature: No public key

bmarwell commented 1 year ago

I don't remember creating a release! Will check back with the team.

gnodet commented 1 year ago

Looks like the gpg key used to sign 4.0.0 alpha is not in the Apache Maven KEYS file @bmarwell?

# gpg: key D433A5AD: accepted non self-signed user ID "Benjamin Marwell <bmarwell@apache.org>"
# + gpg --batch --verify apache-maven-4.0.0-alpha-4-bin.tar.gz.asc apache-maven-4.0.0-alpha-4-bin.tar.gz
# gpg: Signature made Fri Jan 27 15:39:00 2023 UTC using ? key ID 599C5736

and

# + gpg --batch --import --quiet /tmp/KEYS
# + gpg --batch --verify apache-maven-4.0.0-alpha-4-bin.tar.gz.asc apache-maven-4.0.0-alpha-4-bin.tar.gz
# gpg: Signature made Fri 27 Jan 2023 03:39:00 PM UTC
# gpg:                using EDDSA key 073F7A9345756F3B40CDB99E6C70A3B7599C5736
# gpg: Can't check signature: No public key

Hey @carlossg ! My bad, it seems I forgot to add my signing key to the KEYS file. Let me fix that asap.

gnodet commented 1 year ago

It should be fixed now.

carlossg commented 1 year ago

The problem now is that amazoncorretto and liberica are based on CentOS 7 and have gpg 2.0, which doesn't support the EDDSA signing key algorithm used by @gnodet's signature

gpg: Can't check signature: Invalid public key algorithm

bmarwell commented 1 year ago

I believe you need at least GnuPG 2.0.24, which was released in 2014. See this changelog: https://lists.gnupg.org/pipermail/gnupg-announce/2014q2/000345.html
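The two failures in this thread ("No public key" after importing KEYS, then "Invalid public key algorithm" on the CentOS 7 based images) look alike in a build log but need different fixes. The script below is an added example, not code from the docker-maven repository: it tells them apart from gpg's machine-readable `--status-fd` output instead of the human-readable messages, which change wording between gpg versions as the transcripts above show. The sample status lines are constructed from the key ID in the log; `verify_with_keys` and `gpg_supports_eddsa` are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not part of the docker-maven PR). Classify a GnuPG
# verification result from --status-fd lines. An EdDSA signature (OpenPGP
# public-key algorithm 22) yields ERRSIG with rc 4 on a gpg that lacks the
# algorithm, and rc 9 (plus NO_PUBKEY) when the key is just missing from the
# imported KEYS file. Reads status lines on stdin and prints one of:
#   good | bad-signature | no-public-key | unsupported-algorithm | unknown
classify_gpg_status() {
    status=$(cat)
    if printf '%s\n' "$status" | grep -q '^\[GNUPG:\] VALIDSIG '; then
        echo good
    elif printf '%s\n' "$status" | grep -q '^\[GNUPG:\] BADSIG '; then
        echo bad-signature
    elif printf '%s\n' "$status" | grep -q '^\[GNUPG:\] NO_PUBKEY '; then
        echo no-public-key
    elif printf '%s\n' "$status" | grep -q '^\[GNUPG:\] ERRSIG '; then
        # ERRSIG <keyid> <pk_algo> <hash_algo> <sig_class> <time> <rc> [<fpr>]
        rc=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] ERRSIG /{print $8; exit}')
        case "$rc" in
            4) echo unsupported-algorithm ;;
            9) echo no-public-key ;;
            *) echo unknown ;;
        esac
    else
        echo unknown
    fi
}

# True when the local gpg lists EDDSA in its --version "Pubkey:" line
# (gpg 2.1+ does; the gpg 2.0 shipped on CentOS 7 does not).
gpg_supports_eddsa() {
    gpg --version 2>/dev/null | grep -q 'EDDSA'
}

# Import the project's KEYS file, verify a detached signature and print the
# classification. Exit status 2 means the KEYS import itself failed.
verify_with_keys() {
    keys=$1; sig=$2; file=$3
    gpg --batch --quiet --import "$keys" || return 2
    gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null | classify_gpg_status
}

# Constructed sample: what a gpg without EdDSA support reports for the
# 599C5736 key from the log (algorithm 22 = EdDSA, hash 8 = SHA-256).
SAMPLE_OLD_GPG='[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 6C70A3B7599C5736 22 8 00 1674833940 4'
```

Usage in a Dockerfile would be `verify_with_keys /tmp/KEYS apache-maven-4.0.0-alpha-4-bin.tar.gz.asc apache-maven-4.0.0-alpha-4-bin.tar.gz`, with `gpg_supports_eddsa` checked first on images whose gpg may predate EdDSA support.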