maven-issues mailing list archives

From "Anders Hammar (JIRA)" <>
Subject [jira] Created: (MEV-653) Invalid signatures at central
Date Thu, 11 Mar 2010 07:40:55 GMT
Invalid signatures at central

                 Key: MEV-653
             Project: Maven Evangelism
          Issue Type: Bug
            Reporter: Anders Hammar

The signatures for these poms are invalid. This causes issues when setting up environments
that verify the signatures and is not good as all Apache artifacts are supposed to be signed
as I understand it. This pom is used as a parent by some artifacts which many Maven plugins
use. Here's an example:

maven-compiler-plugin:2.1 depends on maven-toolchain:1.0 which has maven:2.0.6 as parent.

I asked Jason van Zyl about this as it is (supposedly) he who signed and he says he lost that
key and revoked it. Hence the signature should fail. However, the weird thing is that org.apache.maven:maven-script:2.0.6
was signed with the same key about the same time (part of the same release?) and that signature
is reported ok.

I'd happily work with you to solve this. There are possibly more artifacts with invalid signatures.
However, I have to admit that I am no PGP expert.

This message is automatically generated by JIRA.