thx, I can verify 2.4.6rc2 now.
but 2.4.4 from website is still broken:
[jan ~/tmp] gpg --verify apache-empire-db-2.4.4-dist.zip.asc
gpg: Warning: using insecure memory!
gpg: assuming signed data in 'apache-empire-db-2.4.4-dist.zip'
gpg: Signature made Tue Aug 11 12:18:34 2015 CEST
gpg: using DSA key 593A1304AE64E518
gpg: BAD signature from "Francis De Brabandere <[email protected]>"
[unknown]
md5 & sha are also bad:
b735ed3a4f477d8f1a03c6de22c7b361 ./target/apache-empire-db-2.4.4-dist.zip
[jan ~/tmp] md5 apache-empire-db-2.4.4-dist.zip
MD5 (apache-empire-db-2.4.4-dist.zip) = 2ea5495d519307a7987fd08182c688ed
b46a4ea4feed1c2686c2ba2b6b0bf8c89ac21acf
./target/apache-empire-db-2.4.4-dist.zip
[jan ~/tmp] sha1 apache-empire-db-2.4.4-dist.zip
SHA1 (apache-empire-db-2.4.4-dist.zip) =
96f788b9dc564e607052903eb6e091f041ade075
are we sure nobody touched it...?
- jan
Zitat von Francis De Brabandere <[email protected]>:
@Jan, you can import the signature from the mit keyserver
gpg --keyserver pgpkeys.mit.edu --recv-key 0B5DFB51
@Rainer the KEYS file is still not updated
https://dist.apache.org/repos/dist/release/empire-db/KEYS
Cheers,
F
On 10 January 2017 at 08:39, Jan Glaubitz <[email protected]> wrote:
Hello Rainer,
SHA works now (but: maybe we should use at least SHA256?)
I'm still unable to verify the PGP signature.
- jan
Von meinem iPhone gesendet
> Am 10.01.2017 um 08:18 schrieb Rainer Döbele <[email protected]>:
>
> Hi Jan,
>
> you are absolutely right: instead of the sha hash the file contained the
md5 hash.
> I have corrected it now.
> Please check again.
>
> Regards
> Rainer
>
>> From: [email protected] [mailto:[email protected]]
>> To: [email protected]
>> Subject: Re: [VOTE] Release Apache Empire-db 2.4.6 (rc2)
>>
>> Hello Rainer,
>>
>> how did you create the sha sum? I cant validate its correct:
>>
>> [jan ~/tmp] sha1 apache-empire-db-2.4.6-dist.zip
>> SHA1 (apache-empire-db-2.4.6-dist.zip) =
>> 9d0f4e28334561e15458671b7b093b7b3cc5f9cb
>>
>> yours look a little bit short...?
>>
>>
>> Which key did you use to create the PGP signature? I can't verify with
they
>> KEYS file from the website:
>>
>> [jan ~/tmp] gpg --verify apache-empire-db-2.4.6-dist.zip.asc
>> gpg: Warning: using insecure memory!
>> gpg: assuming signed data in 'apache-empire-db-2.4.6-dist.zip'
>> gpg: Signature made Mon Jan 9 11:46:48 2017 CET
>> gpg: using RSA key 0279D7D50B5DFB51
>> gpg: Can't check signature: No public key
>>
>> - jan
>>
>> Zitat von Rainer Döbele <[email protected]>:
>>
>>> Hi all,
>>>
>>> Due to an incorrect distribution file I have cancelled rc1 and
>>> prepared a second release candidate for version 2.4.6.
>>> Please do all check and vote again on this release candidate.
>>>
>>> A list of all resolved issues for this release can be found here:
>>> https://issues.apache.org/jira/browse/EMPIREDB-
>> 250?jql=project%20%3D%2
>>> 0EMPIREDB%20AND%20fixVersion%20in%20(empire-db-
>> 2.4.6%2C%20empire-db-2.
>>>
>> 4.5)%20ORDER%20BY%20due%20ASC%2C%20priority%20DESC%2C%20create
>> d%20ASC
>>>
>>> Maven staging repository:
>>> https://repository.apache.org/content/repositories/orgapacheempire-db-
>>> 1004/
>>>
>>> The distribution files are located here:
>>> https://dist.apache.org/repos/dist/dev/empire-db/apache-empire-db-2.4.
>>> 6-rc2/
>>>
>>> The Rat report for the tag is available here:
>>> https://dist.apache.org/repos/dist/dev/empire-db/apache-empire-db-2.4.
>>> 6-rc2/rat.txt
>>>
>>> Vote open for 72 hours.
>>>
>>> [ ] +1
>>> [ ] +0
>>> [ ] -1
>>
>>
>
