[jira] [Created] (XMLBEANS-558) Download page gpg example needs second parameter

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

[jira] [Created] (XMLBEANS-558) Download page gpg example needs second parameter

PJ Fanning (Jira)
Sebb created XMLBEANS-558:
-----------------------------

             Summary:  Download page gpg example needs second parameter
                 Key: XMLBEANS-558
                 URL: https://issues.apache.org/jira/browse/XMLBEANS-558
             Project: XMLBeans
          Issue Type: Bug
            Reporter: Sebb


It is important that the file being checked is also specified [1] on the gpg command line [2]

If the second paramater is omitted, gpg can report success without actually checking the main artifact. This should not happen on correctly constructed ASF downloads, as we only provide detached sigs, but we should not be documenting bad practise.

Note: the first example is correct, but the sample verification sequence omits the second parameter in:

gpg --verify xmlbeans-bin-3.1.0.tgz.asc

[1] https://www.apache.org/info/verification.html#specify_both
[2] https://xmlbeans.apache.org/download/



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]