[jira] [Updated] (TIKA-2003) Tika 1.13 gpg signature not validating.

STEPHEN DURHAM (JIRA) Mon, 13 Jun 2016 09:06:06 -0700

     [ 
https://issues.apache.org/jira/browse/TIKA-2003?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


STEPHEN DURHAM updated TIKA-2003:
---------------------------------
    Description: 
I am using Tika via the logicalspark/docker-tikaserver instance and I noticed 
that the latest update to 1.13 failed the build process for the docker instance 
due to a bad signature. I took the
 steps outlined below to make sure that this was actually an issue before 
submitting the ticket.

There is a related issue from a few years back, same RSA key 0EB30B07. The 
ticket is 1345.

Thanks in advance for any assistance with this issue.

-Stephen

First I tested with the Docker instance. I cloned the 
logicalspark/docker-tikaserver repo and attempted the docker build locally. The 
build encountered the following error:
{noformat}
gpg: Signature made Mon May  9 17:34:48 2016 UTC using RSA key ID 0EB30B07
gpg: Can't check signature: public key not found
{noformat}

I then tested locally. With no keys other than those contained in tika.asc
{noformat}
wget https://people.apache.org/keys/group/tika.asc
wget http://apache.mirrors.tds.net/tika/tika-server-1.13.jar
wget https://www.apache.org/dist/tika/tika-server-1.13.jar.asc
{noformat}

Then I verified the MD5 sum matches the download page.
{noformat}
md5 tika-server-1.13.jar
MD5 (tika-server-1.13.jar) = 155bec7b7cb25b22effa99db1fb8e233
{noformat}

Next I verified the signature following the steps on the download page.
1. Import the Keys.
{noformat}
gpg --import tika.asc
gpg: /Users/stephen/.gnupg/trustdb.gpg: trustdb created
gpg: key B876884A: public key "Chris Mattmann (CODE SIGNING KEY)" imported
gpg: key 6ED9BE21: public key "Bob Paulin (CODE SIGNING KEY)" imported
gpg: key 0890B1AB: public key "Konstantin Gribov (gross)" imported
gpg: key 6E68DA61: public key "Michael McCandless (CODE SIGNING KEY)" imported
gpg: key A355A63E: public key "Jukka Zitting" imported
gpg: key 8A26D9A6: public key "Jukka Zitting" imported
gpg: key 42CFAE07: public key "Jukka Zitting (CODE SIGNING KEY)" imported
gpg: key 95D21F2E: public key "Ray Gauss II (CODE SIGNING KEY)" imported
gpg: key D4F10117: public key "Tyler Palsulich" imported
gpg: key DEDEAB92: public key "Sergey Beryozkin (Release Management)" imported
gpg: key 97EDDE66: public key "tallison (apache_distro_keys)" imported
gpg: key 48BAEBF6: public key "Lewis John McGibbney (CODE SIGNING KEY)" imported
gpg: key D84E41AE: public key "Nick Burch" imported
gpg: Total number processed: 13
gpg:               imported: 13  (RSA: 8)
gpg: no ultimately trusted keys found
{noformat}
2. Verify the signature.
{noformat}
gpg --verify tika-server-1.13.jar.asc
gpg: assuming signed data in `tika-server-1.13.jar'
gpg: Signature made Mon May  9 12:34:48 2016 CDT using RSA key ID 0EB30B07
gpg: Can't check signature: public key not found
{noformat}


  was:
I am using Tika via the logicalspark/docker-tikaserver instance and I noticed 
that the latest update to 1.13 failed the build process for the docker instance 
due to a bad signature. I took some steps outlined below to make sure that this 
was actually an issue before submitting the ticket.

There is a related issue from a few years back, same RSA key 0EB30B07. The 
ticket is 1345.

Thanks in advance for any assistance with this issue.

-Stephen

First I tested with the Docker instance. I cloned the 
logicalspark/docker-tikaserver repo and attempted the docker build locally. The 
build encountered the following error:
{noformat}
gpg: Signature made Mon May  9 17:34:48 2016 UTC using RSA key ID 0EB30B07
gpg: Can't check signature: public key not found
{noformat}

I then tested locally. With no keys other than those contained in tika.asc
{noformat}
wget https://people.apache.org/keys/group/tika.asc
wget http://apache.mirrors.tds.net/tika/tika-server-1.13.jar
wget https://www.apache.org/dist/tika/tika-server-1.13.jar.asc
{noformat}

Then I verified the MD5 sum matches the download page.
{noformat}
md5 tika-server-1.13.jar
MD5 (tika-server-1.13.jar) = 155bec7b7cb25b22effa99db1fb8e233
{noformat}

Next I verified the signature following the steps on the download page.
1. Import the Keys.
{noformat}
gpg --import tika.asc
gpg: /Users/stephen/.gnupg/trustdb.gpg: trustdb created
gpg: key B876884A: public key "Chris Mattmann (CODE SIGNING KEY)" imported
gpg: key 6ED9BE21: public key "Bob Paulin (CODE SIGNING KEY)" imported
gpg: key 0890B1AB: public key "Konstantin Gribov (gross)" imported
gpg: key 6E68DA61: public key "Michael McCandless (CODE SIGNING KEY)" imported
gpg: key A355A63E: public key "Jukka Zitting" imported
gpg: key 8A26D9A6: public key "Jukka Zitting" imported
gpg: key 42CFAE07: public key "Jukka Zitting (CODE SIGNING KEY)" imported
gpg: key 95D21F2E: public key "Ray Gauss II (CODE SIGNING KEY)" imported
gpg: key D4F10117: public key "Tyler Palsulich" imported
gpg: key DEDEAB92: public key "Sergey Beryozkin (Release Management)" imported
gpg: key 97EDDE66: public key "tallison (apache_distro_keys)" imported
gpg: key 48BAEBF6: public key "Lewis John McGibbney (CODE SIGNING KEY)" imported
gpg: key D84E41AE: public key "Nick Burch" imported
gpg: Total number processed: 13
gpg:               imported: 13  (RSA: 8)
gpg: no ultimately trusted keys found
{noformat}
2. Verify the signature.
{noformat}
gpg --verify tika-server-1.13.jar.asc
gpg: assuming signed data in `tika-server-1.13.jar'
gpg: Signature made Mon May  9 12:34:48 2016 CDT using RSA key ID 0EB30B07
gpg: Can't check signature: public key not found
{noformat}



> Tika 1.13 gpg signature not validating.
> ---------------------------------------
>
>                 Key: TIKA-2003
>                 URL: https://issues.apache.org/jira/browse/TIKA-2003
>             Project: Tika
>          Issue Type: Bug
>            Reporter: STEPHEN DURHAM
>
> I am using Tika via the logicalspark/docker-tikaserver instance and I noticed 
> that the latest update to 1.13 failed the build process for the docker 
> instance due to a bad signature. I took the
>  steps outlined below to make sure that this was actually an issue before 
> submitting the ticket.
> There is a related issue from a few years back, same RSA key 0EB30B07. The 
> ticket is 1345.
> Thanks in advance for any assistance with this issue.
> -Stephen
> First I tested with the Docker instance. I cloned the 
> logicalspark/docker-tikaserver repo and attempted the docker build locally. 
> The build encountered the following error:
> {noformat}
> gpg: Signature made Mon May  9 17:34:48 2016 UTC using RSA key ID 0EB30B07
> gpg: Can't check signature: public key not found
> {noformat}
> I then tested locally. With no keys other than those contained in tika.asc
> {noformat}
> wget https://people.apache.org/keys/group/tika.asc
> wget http://apache.mirrors.tds.net/tika/tika-server-1.13.jar
> wget https://www.apache.org/dist/tika/tika-server-1.13.jar.asc
> {noformat}
> Then I verified the MD5 sum matches the download page.
> {noformat}
> md5 tika-server-1.13.jar
> MD5 (tika-server-1.13.jar) = 155bec7b7cb25b22effa99db1fb8e233
> {noformat}
> Next I verified the signature following the steps on the download page.
> 1. Import the Keys.
> {noformat}
> gpg --import tika.asc
> gpg: /Users/stephen/.gnupg/trustdb.gpg: trustdb created
> gpg: key B876884A: public key "Chris Mattmann (CODE SIGNING KEY)" imported
> gpg: key 6ED9BE21: public key "Bob Paulin (CODE SIGNING KEY)" imported
> gpg: key 0890B1AB: public key "Konstantin Gribov (gross)" imported
> gpg: key 6E68DA61: public key "Michael McCandless (CODE SIGNING KEY)" imported
> gpg: key A355A63E: public key "Jukka Zitting" imported
> gpg: key 8A26D9A6: public key "Jukka Zitting" imported
> gpg: key 42CFAE07: public key "Jukka Zitting (CODE SIGNING KEY)" imported
> gpg: key 95D21F2E: public key "Ray Gauss II (CODE SIGNING KEY)" imported
> gpg: key D4F10117: public key "Tyler Palsulich" imported
> gpg: key DEDEAB92: public key "Sergey Beryozkin (Release Management)" imported
> gpg: key 97EDDE66: public key "tallison (apache_distro_keys)" imported
> gpg: key 48BAEBF6: public key "Lewis John McGibbney (CODE SIGNING KEY)" 
> imported
> gpg: key D84E41AE: public key "Nick Burch" imported
> gpg: Total number processed: 13
> gpg:               imported: 13  (RSA: 8)
> gpg: no ultimately trusted keys found
> {noformat}
> 2. Verify the signature.
> {noformat}
> gpg --verify tika-server-1.13.jar.asc
> gpg: assuming signed data in `tika-server-1.13.jar'
> gpg: Signature made Mon May  9 12:34:48 2016 CDT using RSA key ID 0EB30B07
> gpg: Can't check signature: public key not found
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Updated] (TIKA-2003) Tika 1.13 gpg signature not validating.

Reply via email to