This is a FAQ for the maven repo PGP signature checker.

Questions and answers

Q: What's a FAQ?
A: A FAQ is a list of Frequently Asked Questions (and answers); see FAQ on wikipedia.
Q: What does the checker do?
A: The checker looks in the maven repo at artifacts that are less than four weeks old;
it checks that a PGP signature (.asc) exists and, if so, verifies it.

Q: Which artifacts must be signed?
A: All the .jar, .pom, .tar.gz and .zip files.
Q: Public key not found? Where does the checker look for keys?
A: The checker looks for keys in /www/people.apache.org/keys/committer/
- If your key is missing, you should add your public pgp key using id.apache.org
- Also, make your public pgp key available in file .pgpkey in your home directory /home/your-username/
  on people.apache.org; make sure the checker can read it: chmod +r .pgpkey
- Look at /home/henkp/.pgpkey for an example.
- Never, never store your private pgp key on people.apache.org
Q: How often is the repo checked?
A: Twice a day.

Q: Where does it say repo artifacts have to be signed?
A: See the ASF policy on release signing.
Q: How do I provide PGP signatures?
A: Use a release profile that includes the pgp plugin. The one used for maven components is discussed in Releasing A Maven Project;
for geronimo see geronimo-server-release-process. There are plenty of other examples at apache. [Thanks to David Jencks for providing this answer]

Q: How can a package and/or signature be BAD?
A: The combination of a file XXX and a signature file XXX.asc is BAD if

    gpg --verify XXX.asc XXX

says it is a bad signature; XXX and XXX.asc don't belong together.
- For the repo a bad signature is reason for concern, and should be investigated,
  especially if XXX and XXX.asc did belong together in the past.
- Perhaps someone maliciously changed file XXX.
- Sometimes we have, indeed, a bad signature, but we may also have a bad file.
  A bad signature should be investigated and fixed as soon as possible.
- Clement Escoffier <clement.escoffier.at.gmail.com> writes:
  The bad signatures come from a maven issue. When launched with mvn gpg:sign the plug-in generates a bad signature for the first artifact (in fact, it seems it generates a valid key only for the last one). To turn around this issue, you need to add the following configuration in your pom file:

      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-gpg-plugin</artifactId>
        <executions>
          <execution>
            <id>sign-artifacts</id>
            <phase>verify</phase>
            <goals>
              <goal>sign</goal>
            </goals>
          </execution>
        </executions>
      </plugin>

  In this case, the signature seems valid.
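The procedure the FAQ describes in "What does the checker do?" and "How can a package and/or signature be BAD?" (select artifacts of the signed types that are less than four weeks old, require a matching .asc, run gpg --verify on the pair and treat a non-zero exit as BAD) is shown below as an added example. It is not the checker's own code, which this page does not show; the directory layout, the optional committer keyring argument and the report format are assumptions made for the example.

```python
"""Added example (not the checker's own code): re-implements the FAQ's checks
over a local directory laid out like a maven repo."""
import os
import subprocess
import sys
import time
from pathlib import Path

# Artifact types the FAQ says must be signed.
SIGNED_SUFFIXES = (".jar", ".pom", ".tar.gz", ".zip")
# "less than four weeks old"
MAX_AGE_SECONDS = 4 * 7 * 24 * 60 * 60


def needs_signature(path):
    """True for artifacts the policy requires to be signed (never for .asc files)."""
    name = Path(path).name
    return not name.endswith(".asc") and name.endswith(SIGNED_SUFFIXES)


def is_recent(path, now=None, max_age=MAX_AGE_SECONDS):
    """True if the file was modified within the checker's age window."""
    now = time.time() if now is None else now
    return (now - os.path.getmtime(path)) < max_age


def gpg_verify(artifact, signature, keyring=None):
    """Run `gpg --verify XXX.asc XXX` as the FAQ describes.
    Returns True only when gpg exits 0 (good signature from a known key)."""
    cmd = ["gpg", "--batch", "--no-tty"]
    if keyring is not None:
        # Assumption for this example: verify only against a committer keyring
        # file, so keys outside it are reported as "public key not found".
        cmd += ["--no-default-keyring", "--keyring", str(keyring)]
    cmd += ["--verify", str(signature), str(artifact)]
    try:
        return subprocess.run(cmd, capture_output=True, check=False).returncode == 0
    except FileNotFoundError:  # gpg not installed: nothing can be verified
        return False


def check_repo(root, now=None, verify=gpg_verify):
    """Classify recent signable artifacts under root.

    ok: .asc present and verifies; missing: no .asc; bad: .asc present but
    gpg rejects it; skipped_old: outside the four-week window.
    """
    result = {"ok": [], "missing": [], "bad": [], "skipped_old": []}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or not needs_signature(path):
            continue
        rel = str(path.relative_to(root))
        if not is_recent(path, now):
            result["skipped_old"].append(rel)
            continue
        sig = path.with_name(path.name + ".asc")
        if not sig.exists():
            result["missing"].append(rel)
        elif verify(path, sig):
            result["ok"].append(rel)
        else:
            result["bad"].append(rel)
    return result


if __name__ == "__main__":
    report = check_repo(sys.argv[1] if len(sys.argv) > 1 else ".")
    for status, files in report.items():
        for name in files:
            print(f"{status:12} {name}")
```

Run it as `python checker.py /path/to/repo`. The verify step is injectable so the classification logic can be exercised without gpg installed; in production the default gpg_verify is used, and a "bad" entry means exactly the situation the FAQ calls BAD: XXX and XXX.asc do not belong together and should be investigated.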