does Dick know?
> Date: Tue, 26 Jun 2012 16:43:13 -0400 > From: j...@mathforum.org > To: users@maven.apache.org > Subject: can't verify tarball > > I just downloaded apache-maven-3.0.4-bin.tar.gz (and its checksum and > signature) and can't verify the signature. I grabbed KEYS from > http://www.apache.org/dist/maven/KEYS and: > > $ gpg --import KEYS > ... > gpg: Total number processed: 42 > gpg: imported: 41 (RSA: 4) > gpg: unchanged: 1 > gpg: no ultimately trusted keys found > $ gpg --verify apache-maven-3.0.4-bin.tar.gz.asc > apache-maven-3.0.4-bin.tar.gz > gpg: Signature made Tue 17 Jan 2012 03:47:55 AM EST using DSA key ID > B4372146 > gpg: BAD signature from "Olivier Lamy <ol...@apache.org>" > > The md5 checksum also doesn't match. I get > > $ md5sum apache-maven-3.0.4-bin.tar.gz > bc6559d120933c27534200d7dc9e0d39 apache-maven-3.0.4-bin.tar.gz > > and the download page says e513740978238cb9e4d482103751f6b7 > > Obviously I'm not using this tarball until I know what's up! Whose > mistake and/or compromise? > > Jay Scott > http://satirist.org/ > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@maven.apache.org > For additional commands, e-mail: users-h...@maven.apache.org >