ant-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Pam Murphy" <>
Subject verifying Ant 1.6 beta2 src signature
Date Sat, 22 Nov 2003 21:07:12 GMT
I can't verify my download of Ant 1.6b2.  Downloaded the file, its accompanying .asc
file, the .md5 file, and its .asc file.  I also imported keys from
 The md5 sums match, but when I try to verify the and the .md5 file, I get

gpg: Signature made 10/16/03 18:14:17 using DSA key ID 265B4C63
gpg: Can't check signature: public key not found

I didn't see 265B4C63 when I did a --list-sigs.  I also searched for it
with no luck.  Finally, I did gpg --keyserver --recv-key 265B4C63 and got

gpg: no valid OpenPGP data found

I suspect that maybe that key is not part of the ant dist KEYS file because this is only a

Question 1:  Where can I get the key for 265B4C63?

Question 2:  Being a hopeless dreamer, I wonder:  why can't Ant (or any of the other Apache/Jakarta/XML
projects--I'm only picking on Ant because I use it the most) provide a page of what the verification
process should look like *for each particular release*?  Obviously a lot of good work went
into coding and documenting Ant.  Given that many close to Ant presumably go through the verification
process themselves, it would seem to be a timesaver as well as a useful point of reference
to have a 1 page listing of what someone trying to verify his or her Ant 1.6b2-src download
would see *exactly*.  Only a handful of steps are involved so the page could be fairly concise.
 And in this dreamworld, this step-by-step listing would be different from the Ant 1.6b2-bin
process, as well as being different from the Ant 1.6b1, Ant 1.5.x, Ant 1.7, Commons sub-projects,
Apache, Cocoon, etc., processes, because the projects weren't all signed by the exact same
people in the exact same order at the exact same time.

Question 3:  How feasible is the dream world fantasized above?

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message