
Some published artifacts have bad signatures [SPR-15623] #20182

Tom Zeller opened SPR-15623 and commented

Some Spring Framework 4.3.8 JARs have bad signatures, or maybe I'm just doing it wrong.

Is the proper fingerprint published in GitHub somewhere?

For example, bad signature for spring-core-4.3.8.RELEASE.jar:

wget http://repo1.maven.org/maven2/org/springframework/spring-core/4.3.8.RELEASE/spring-core-4.3.8.RELEASE.jar
wget http://repo1.maven.org/maven2/org/springframework/spring-core/4.3.8.RELEASE/spring-core-4.3.8.RELEASE.jar.asc

or

https://repo.spring.io/release/org/springframework/spring-core/4.3.8.RELEASE/spring-core-4.3.8.RELEASE.jar
https://repo.spring.io/release/org/springframework/spring-core/4.3.8.RELEASE/spring-core-4.3.8.RELEASE.jar.asc

gpg --verify spring-core-4.3.8.RELEASE.jar.asc
gpg: assuming signed data in 'spring-core-4.3.8.RELEASE.jar'
gpg: Signature made Tue Apr 18 10:27:31 2017 CDT using RSA key ID D401AB61
gpg: BAD signature from "Bintray (by JFrog) [email protected]" [unknown]

But a good signature for spring-core-4.3.8.RELEASE.pom:

wget http://repo1.maven.org/maven2/org/springframework/spring-core/4.3.8.RELEASE/spring-core-4.3.8.RELEASE.pom
wget http://repo1.maven.org/maven2/org/springframework/spring-core/4.3.8.RELEASE/spring-core-4.3.8.RELEASE.pom.asc

gpg --verify spring-core-4.3.8.RELEASE.pom.asc
gpg: assuming signed data in 'spring-core-4.3.8.RELEASE.pom'
gpg: Signature made Tue Apr 18 10:27:23 2017 CDT using RSA key ID D401AB61
gpg: Good signature from "Bintray (by JFrog) [email protected]" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8756 C4F7 65C9 AC3C B6B8 5D62 379C E192 D401 AB61

Imported the new signing key for 4.3.8 via:

gpg --keyserver hkp://pool.sks-keyservers.net --search-keys 0x379CE192D401AB61

For reference, here's 4.3.7:

gpg --verify spring-core-4.3.7.RELEASE.pom.asc
gpg: Signature made Mon 20 Mar 2017 11:41:37 AM EDT using RSA key ID E457C53D
gpg: Good signature from "Spring Buildmaster [email protected]"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: E2AC B037 933C DEAA B7BF 77D4 9A2C 7A98 E457 C53D

and 4.3.6, whose key was revoked:

gpg --verify spring-core-4.3.6.RELEASE.pom.asc
gpg: Signature made Wed 25 Jan 2017 09:09:05 AM EST using DSA key ID 93185045
gpg: Good signature from "Spring Buildmaster [email protected]"
gpg: WARNING: This key has been revoked by its owner!
gpg: This could mean that the signature is forged.
gpg: reason for revocation: Key has been compromised
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 73FE 03B9 CB49 3113 DB54 89DE 23EF 3D2F 9318 5045
Affects: 4.3.8
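One way to turn the manual checks in the report above into an automated gate, as an added example that is not part of the issue or of Spring's own tooling: it reads gpg's machine-readable `--status-fd` output instead of the human-readable text quoted above, rejects BAD signatures and revoked keys outright, and accepts a good signature only when the primary-key fingerprint matches one pinned in advance. The fingerprints and key IDs are the ones quoted in the issue; the sample status lines are constructed, and `verify_artifact()` assumes gpg is on PATH.

```python
# Added example, not Spring's own tooling: parse gpg's machine-readable --status-fd
# output (GOODSIG/BADSIG/REVKEYSIG/VALIDSIG) and pin the expected primary-key fingerprints.
import subprocess
from typing import Iterable, Tuple

# Fingerprints quoted in the issue, spaces removed. Pin them from a trusted
# channel (release notes, project docs), not from whatever a keyserver returns.
PINNED_FINGERPRINTS = {
    "8756C4F765C9AC3CB6B85D62379CE192D401AB61",  # Bintray (by JFrog), 4.3.8
    "E2ACB037933CDEAAB7BF77D49A2C7A98E457C53D",  # Spring Buildmaster, 4.3.7
}
# Constructed status lines modelled on the issue's .pom (good) and .jar (bad) runs.
SAMPLE_GOOD = [
    "[GNUPG:] GOODSIG 379CE192D401AB61 Bintray (by JFrog)",
    "[GNUPG:] VALIDSIG 8756C4F765C9AC3CB6B85D62379CE192D401AB61 2017-04-18 1492529251 0 4 0 1 8 00 8756C4F765C9AC3CB6B85D62379CE192D401AB61",
]
SAMPLE_BAD = ["[GNUPG:] BADSIG 379CE192D401AB61 Bintray (by JFrog)"]


def evaluate_status(lines: Iterable[str], pinned=PINNED_FINGERPRINTS) -> Tuple[bool, str]:
    """Return (accepted, reason). Only GOODSIG plus a VALIDSIG from a pinned key
    passes; BADSIG, revoked or expired keys and unverifiable signatures fail."""
    good, fingerprint = False, None
    for line in lines:
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        tag = fields[1]
        if tag == "BADSIG":
            return False, "BAD signature: artifact or .asc is corrupt or tampered"
        if tag in ("REVKEYSIG", "KEYREVOKED", "EXPKEYSIG"):
            return False, "signature made with a revoked or expired key"
        if tag in ("ERRSIG", "NO_PUBKEY"):
            return False, "cannot verify: signing key unavailable"
        if tag == "GOODSIG":
            good = True
        elif tag == "VALIDSIG":  # field 2: signing (sub)key; optional last field: primary key
            fingerprint = (fields[11] if len(fields) > 11 else fields[2]).upper()
    if not (good and fingerprint):
        return False, "no valid signature found"
    if fingerprint not in pinned:
        return False, "good signature but from an unpinned key " + fingerprint
    return True, "good signature from pinned key " + fingerprint


def verify_artifact(jar_path: str) -> Tuple[bool, str]:
    """Run gpg on <jar_path>.asc; needs gpg on PATH and the signing key imported."""
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", jar_path + ".asc", jar_path],
                          capture_output=True, text=True)
    return evaluate_status(proc.stdout.splitlines())
```

A build script would call `verify_artifact("spring-core-4.3.8.RELEASE.jar")` and refuse the download unless the first element of the result is True.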
