I wonder if the apache foundation does not have something automatically performs these checks. Should not be that hard to implement.
On 10 January 2017 at 17:27, Jan Glaubitz <[email protected]> wrote: > ah, you’re right. I used curl to download, and since older released worked > (no proxy)… Everything’s good :) > > -jan > > > Am 10.01.2017 um 16:06 schrieb Francis De Brabandere < > [email protected]>: > > > > sure you did not right click and save the proxy selection page? > > > > On 10 January 2017 at 16:05, Francis De Brabandere <[email protected]> > > wrote: > > > >> Hmm, > >> > >> 2.4.4 dist works for me > >> > >> gpg --keyserver pgpkeys.mit.edu --recv-key AE64E518 > >> > >> gpg --verify apache-empire-db-2.4.4-dist.tar.gz.asc > >> gpg: assuming signed data in 'apache-empire-db-2.4.4-dist.tar.gz' > >> gpg: Signature made Tue Aug 11 12:18:34 2015 CEST using DSA key ID > AE64E518 > >> gpg: Good signature from "Francis De Brabandere <[email protected]>" > >> [ultimate] > >> > >> ➜ md5 apache-empire-db-2.4.4-dist.tar.gz > >> MD5 (apache-empire-db-2.4.4-dist.tar.gz) = > 2a461179e34afe0b2acaf9e42503e3 > >> 3f > >> ➜ cat apache-empire-db-2.4.4-dist.tar.gz.md5 > >> 2a461179e34afe0b2acaf9e42503e33f ./target/apache-empire-db-2. > >> 4.4-dist.tar.gz > >> ➜ openssl sha1 apache-empire-db-2.4.4-dist.tar.gz > >> SHA1(apache-empire-db-2.4.4-dist.tar.gz)= > fe9fd8d45332a7e4db0f4d444e0941 > >> d182c31116 > >> ➜ cat apache-empire-db-2.4.4-dist.tar.gz.sha > >> fe9fd8d45332a7e4db0f4d444e0941d182c31116 ./target/apache-empire-db-2. > >> 4.4-dist.tar.gz > >> > >> both sha and md5 match here for tar.gz > >> > >> same for zip > >> > >> ➜ cat apache-empire-db-2.4.4-dist.zip.sha > >> b46a4ea4feed1c2686c2ba2b6b0bf8c89ac21acf ./target/apache-empire-db-2. > >> 4.4-dist.zip > >> ➜ openssl sha1 apache-empire-db-2.4.4-dist.zip > >> SHA1(apache-empire-db-2.4.4-dist.zip)= b46a4ea4feed1c2686c2ba2b6b0bf8 > >> c89ac21acf > >> > >> > >> > >> > >> On 10 January 2017 at 15:52, <[email protected]> wrote: > >> > >>> thx, I can verify 2.4.6rc2 now. > >>> > >>> but 2.4.4 from website is still broken: > >>> > >>> [jan ~/tmp] gpg --verify apache-empire-db-2.4.4-dist.zip.asc > >>> gpg: Warning: using insecure memory! > >>> gpg: assuming signed data in 'apache-empire-db-2.4.4-dist.zip' > >>> gpg: Signature made Tue Aug 11 12:18:34 2015 CEST > >>> gpg: using DSA key 593A1304AE64E518 > >>> gpg: BAD signature from "Francis De Brabandere <[email protected]>" > >>> [unknown] > >>> > >>> md5 & sha are also bad: > >>> > >>> b735ed3a4f477d8f1a03c6de22c7b361 ./target/apache-empire-db-2.4. > >>> 4-dist.zip > >>> > >>> [jan ~/tmp] md5 apache-empire-db-2.4.4-dist.zip > >>> MD5 (apache-empire-db-2.4.4-dist.zip) = 2ea5495d519307a7987fd08182c688 > ed > >>> > >>> b46a4ea4feed1c2686c2ba2b6b0bf8c89ac21acf > ./target/apache-empire-db-2.4. > >>> 4-dist.zip > >>> > >>> [jan ~/tmp] sha1 apache-empire-db-2.4.4-dist.zip > >>> SHA1 (apache-empire-db-2.4.4-dist.zip) = > 96f788b9dc564e607052903eb6e091 > >>> f041ade075 > >>> > >>> are we sure nobody touched it...? > >>> > >>> - jan > >>> > >>> Zitat von Francis De Brabandere <[email protected]>: > >>> > >>> > >>> @Jan, you can import the signature from the mit keyserver > >>>> gpg --keyserver pgpkeys.mit.edu --recv-key 0B5DFB51 > >>>> > >>>> @Rainer the KEYS file is still not updated > >>>> https://dist.apache.org/repos/dist/release/empire-db/KEYS > >>>> > >>>> Cheers, > >>>> F > >>>> > >>>> > >>>> > >>>> On 10 January 2017 at 08:39, Jan Glaubitz <[email protected]> wrote: > >>>> > >>>> Hello Rainer, > >>>>> > >>>>> SHA works now (but: maybe we should use at least SHA256?) > >>>>> > >>>>> I'm still unable to verify the PGP signature. > >>>>> > >>>>> - jan > >>>>> > >>>>> Von meinem iPhone gesendet > >>>>> > >>>>>> Am 10.01.2017 um 08:18 schrieb Rainer Döbele <[email protected]>: > >>>>>> > >>>>>> Hi Jan, > >>>>>> > >>>>>> you are absolutely right: instead of the sha hash the file contained > >>>>> the > >>>>> md5 hash. > >>>>>> I have corrected it now. > >>>>>> Please check again. > >>>>>> > >>>>>> Regards > >>>>>> Rainer > >>>>>> > >>>>>>> From: [email protected] [mailto:[email protected]] > >>>>>>> To: [email protected] > >>>>>>> Subject: Re: [VOTE] Release Apache Empire-db 2.4.6 (rc2) > >>>>>>> > >>>>>>> Hello Rainer, > >>>>>>> > >>>>>>> how did you create the sha sum? I cant validate its correct: > >>>>>>> > >>>>>>> [jan ~/tmp] sha1 apache-empire-db-2.4.6-dist.zip > >>>>>>> SHA1 (apache-empire-db-2.4.6-dist.zip) = > >>>>>>> 9d0f4e28334561e15458671b7b093b7b3cc5f9cb > >>>>>>> > >>>>>>> yours look a little bit short...? > >>>>>>> > >>>>>>> > >>>>>>> Which key did you use to create the PGP signature? I can't verify > >>>>> with > >>>>> they > >>>>>>> KEYS file from the website: > >>>>>>> > >>>>>>> [jan ~/tmp] gpg --verify apache-empire-db-2.4.6-dist.zip.asc > >>>>>>> gpg: Warning: using insecure memory! > >>>>>>> gpg: assuming signed data in 'apache-empire-db-2.4.6-dist.zip' > >>>>>>> gpg: Signature made Mon Jan 9 11:46:48 2017 CET > >>>>>>> gpg: using RSA key 0279D7D50B5DFB51 > >>>>>>> gpg: Can't check signature: No public key > >>>>>>> > >>>>>>> - jan > >>>>>>> > >>>>>>> Zitat von Rainer Döbele <[email protected]>: > >>>>>>> > >>>>>>>> Hi all, > >>>>>>>> > >>>>>>>> Due to an incorrect distribution file I have cancelled rc1 and > >>>>>>>> prepared a second release candidate for version 2.4.6. > >>>>>>>> Please do all check and vote again on this release candidate. > >>>>>>>> > >>>>>>>> A list of all resolved issues for this release can be found here: > >>>>>>>> https://issues.apache.org/jira/browse/EMPIREDB- > >>>>>>> 250?jql=project%20%3D%2 > >>>>>>>> 0EMPIREDB%20AND%20fixVersion%20in%20(empire-db- > >>>>>>> 2.4.6%2C%20empire-db-2. > >>>>>>>> > >>>>>>> 4.5)%20ORDER%20BY%20due%20ASC%2C%20priority%20DESC%2C%20create > >>>>>>> d%20ASC > >>>>>>>> > >>>>>>>> Maven staging repository: > >>>>>>>> https://repository.apache.org/content/repositories/orgapache > >>>>> empire-db- > >>>>>>>> 1004/ > >>>>>>>> > >>>>>>>> The distribution files are located here: > >>>>>>>> https://dist.apache.org/repos/dist/dev/empire-db/apache-empi > >>>>> re-db-2.4. > >>>>>>>> 6-rc2/ > >>>>>>>> > >>>>>>>> The Rat report for the tag is available here: > >>>>>>>> https://dist.apache.org/repos/dist/dev/empire-db/apache-empi > >>>>> re-db-2.4. > >>>>>>>> 6-rc2/rat.txt > >>>>>>>> > >>>>>>>> Vote open for 72 hours. > >>>>>>>> > >>>>>>>> [ ] +1 > >>>>>>>> [ ] +0 > >>>>>>>> [ ] -1 > >>>>>>> > >>>>>>> > >>>>>> > >>>>> > >>>>> > >>>>> > >>> > >>> > >>> > >> > >
