Skip to content

PGP key for the jwks-rsa package not found on the keyserver #205

Open
Open
PGP key for the jwks-rsa package not found on the keyserver#205
Labels
bugThis points to a verified bug in the code
@NikoLehtovirta

Description

@NikoLehtovirta
NikoLehtovirta
opened on Feb 19, 2025

Checklist

  • I have looked into the Readme and Examples, and have not found a suitable solution or answer.
  • I have looked into the API documentation and have not found a suitable solution or answer.
  • I have searched the issues and have not found a suitable solution or answer.
  • I have searched the Auth0 Community forums and have not found a suitable solution or answer.
  • I agree to the terms within the Auth0 Code of Conduct.

Description

With the recent update to com.auth0.java-jwt to keys have been rotated and currently the jwks-rsa package looks to be using the same key causing the PGP verification to fail during the install step. While the issue was solved for the com.auth0.java-jwt by updating it to 4.5.0 version the jwks-rsa package has not received any update which means there isn't any way to solve the issue until new release is made using new key.

Here are the key PGP info to show the issue using the pgpverify-maven-plugin:

com.auth0.java-jwt:4.5.0

Artifact:
        groupId:     com.auth0
        artifactId:  java-jwt
        type:        jar
        version:     4.5.0

PGP signature:
        version:     4
        algorithm:   SHA512 with RSA (Encrypt or Sign)
        keyId:       0x09C6FCE6AACD67E3
        create date: Wed Jan 29 16:38:44 EET 2025
        status:      valid

PGP key:
        version:     4
        algorithm:   RSA (Encrypt or Sign)
        bits:        3072
        fingerprint: 0xAC3F8C3B82B7990EE0EB32C009C6FCE6AACD67E3
        create date: Fri Oct 27 15:04:13 EEST 2023
        uids:        [Auth0 <support@auth0.com>]

com.auth0.java-jwt:4.4.0

Artifact:
        groupId:     com.auth0
        artifactId:  java-jwt
        type:        jar
        version:     4.4.0

PGP signature:
        version:     4
        algorithm:   SHA512 with RSA (Encrypt or Sign)
        keyId:       0x7C579522A12B1443
        create date: Fri Mar 31 21:33:04 EEST 2023
        status:      valid

PGP key:
        version:     4
        algorithm:   RSA (Encrypt or Sign)
        bits:        3072
        fingerprint: 0x0984FA32B926C76FE624E2157C579522A12B1443
        create date: Fri Jan 06 01:44:35 EET 2023
        uids:        []

com.auth0.jwks-rsa:0.22.1

Artifact:
        groupId:     com.auth0
        artifactId:  jwks-rsa
        type:        jar
        version:     0.22.1

PGP signature:
        version:     4
        algorithm:   SHA512 with RSA (Encrypt or Sign)
        keyId:       0x7C579522A12B1443
        create date: Fri Jul 28 15:26:41 EEST 2023
        status:      valid

PGP key:
        version:     4
        algorithm:   RSA (Encrypt or Sign)
        bits:        3072
        fingerprint: 0x0984FA32B926C76FE624E2157C579522A12B1443
        create date: Fri Jan 06 01:44:35 EET 2023
        uids:        []

Reproduction

  1. Install the pgpverify-maven-plugin:
  2. Add jwks-rsa as dependency.
  3. See the error com.auth0:jwks-rsa:jar:0.22.1 PGP key 0x7C579522A12B1443 not found on keyserver

Additional context

No response

jwks-rsa version

0.22.1

Java version

11

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugThis points to a verified bug in the code

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions