search

janino-compiler / janino

Janino is a super-small, super-fast Java™ compiler.
http://janino-compiler.github.io/janino
Other
1.21k stars 205 forks source link

Verification of new signing key #194

Closed iay closed 10 months ago

iay commented 1 year ago

In #164, a colleague of mine asked for your package signing keys to be made available for external verification and you did so. This was when 3.1.6 was current, and you had two keys in use up to that point:

pub   rsa2048 2014-07-03 [SC]
      1EAD07B862D1D9ADD57BB4A358FE9D80369755E0
uid           [ unknown] Arno Unkrig <aunkrig@codehaus.org>
sub   rsa2048 2014-07-03 [E]

pub   rsa2048 2016-07-26 [SC]
      37D75E23E6B6A6C573C9AE6FDFBF27530B637783
uid           [ unknown] Arno Unkrig <unkrig.arno@swm.de>
sig 3        DFBF27530B637783 2016-07-26  Arno Unkrig <unkrig.arno@swm.de>
sub   rsa2048 2016-07-26 [E]
sig          DFBF27530B637783 2016-07-26  Arno Unkrig <unkrig.arno@swm.de>

Those are now linked from the project page; thanks for that.

I've been looking into updating to the latest version, currently 3.1.9, and it looks like that has been signed by a third key:

pub   rsa2048 2018-10-29 [SC]
      EA7C889D7002FC37CC849EBC915D0B56942B9F75
uid           [ unknown] Arno Unkrig <arno@unkrig.de>
sig 3        915D0B56942B9F75 2018-10-29  Arno Unkrig <arno@unkrig.de>
sub   rsa2048 2018-10-29 [E]
sig          915D0B56942B9F75 2018-10-29  Arno Unkrig <arno@unkrig.de>

Can you confirm that this third key should also be accepted for signing org.codehaus.janino packages? It would be ideal if you could link that to the project page as well.

aunkrig commented 11 months ago

Done; please verify. Sorry for the delay!

iay commented 11 months ago

I have verified that the key you added allows us to build with the latest (3.1.10). Many thanks!

aunkrig commented 10 months ago

You are welcome! Sorry for the inconvenience.