GPG signatures on http://repo.jenkins-ci.org/ incorrect?
Is anyone else aware that the GPG signatures seem to be faulty on the repo? Or am I not verifying them correctly?
gpg --verify jenkins-war-1.651.1.war.asc jenkins-war-1.651.1.war
gpg: Signature made Thu 14 Apr 2016 01:05:31 AM EDT using DSA key ID D50582E6
gpg: BAD signature from "Kohsuke Kawaguchi <[hidden email]>"
The files seem ok according to the sha1 files as well.
On Friday, April 22, 2016 at 6:03:08 PM UTC-4, Daniel Beck wrote:
> Is anyone else aware that the GPG signatures seem to be faulty on the repo? Or am I not verifying them correctly?
You're right. Something's wrong with KK's machine doing the signing (his local Maven repo is affected as well). I'm filing INFRA issues so we get this fixed.
Note that `jarsigner --verify` still works, so there's still a code integrity check you can do.
Great, thanks for following up and letting me know about jarsigner as a workaround for now.