I downloaded acegi-security-1.0.1.zip from the Minneapolis mirror. When I ran
jarsigner -verify -verbose -certs acegi-security-1.0.1.jar, I got the following message:
jar is unsigned. (signatures missing or not parsable)
I get the same result from the Phoenix mirror. Did someone forget to sign the jar, or is something fishy going on?