can't verify tarball
I just downloaded apache-maven-3.0.4-bin.tar.gz (and its checksum and signature) and can't verify the signature. I grabbed KEYS from http://www.apache.org/dist/maven/KEYS and: $ gpg --import KEYS ... gpg: Total number processed: 42 gpg: imported: 41 (RSA: 4) gpg: unchanged: 1 gpg: no ultimately trusted keys found $ gpg --verify apache-maven-3.0.4-bin.tar.gz.asc apache-maven-3.0.4-bin.tar.gz gpg: Signature made Tue 17 Jan 2012 03:47:55 AM EST using DSA key ID B4372146 gpg: BAD signature from Olivier Lamy ol...@apache.org The md5 checksum also doesn't match. I get $ md5sum apache-maven-3.0.4-bin.tar.gz bc6559d120933c27534200d7dc9e0d39 apache-maven-3.0.4-bin.tar.gz and the download page says e513740978238cb9e4d482103751f6b7 Obviously I'm not using this tarball until I know what's up! Whose mistake and/or compromise? Jay Scott http://satirist.org/ - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org
Re: can't verify tarball
Hi, Do you remember from which mirror you download tar.gz ? Can you try to download from archive site ? http://www.us.apache.org/dist/maven/binaries/ 2012/6/26 Jay Scott j...@mathforum.org: I just downloaded apache-maven-3.0.4-bin.tar.gz (and its checksum and signature) and can't verify the signature. I grabbed KEYS from http://www.apache.org/dist/maven/KEYS and: $ gpg --import KEYS ... gpg: Total number processed: 42 gpg: imported: 41 (RSA: 4) gpg: unchanged: 1 gpg: no ultimately trusted keys found $ gpg --verify apache-maven-3.0.4-bin.tar.gz.asc apache-maven-3.0.4-bin.tar.gz gpg: Signature made Tue 17 Jan 2012 03:47:55 AM EST using DSA key ID B4372146 gpg: BAD signature from Olivier Lamy ol...@apache.org The md5 checksum also doesn't match. I get $ md5sum apache-maven-3.0.4-bin.tar.gz bc6559d120933c27534200d7dc9e0d39 apache-maven-3.0.4-bin.tar.gz and the download page says e513740978238cb9e4d482103751f6b7 Obviously I'm not using this tarball until I know what's up! Whose mistake and/or compromise? Jay Scott http://satirist.org/ - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org -- Olivier Lamy Talend: http://coders.talend.com http://twitter.com/olamy | http://linkedin.com/in/olamy - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org
RE: can't verify tarball
does Dick know? Date: Tue, 26 Jun 2012 16:43:13 -0400 From: j...@mathforum.org To: users@maven.apache.org Subject: can't verify tarball I just downloaded apache-maven-3.0.4-bin.tar.gz (and its checksum and signature) and can't verify the signature. I grabbed KEYS from http://www.apache.org/dist/maven/KEYS and: $ gpg --import KEYS ... gpg: Total number processed: 42 gpg: imported: 41 (RSA: 4) gpg: unchanged: 1 gpg: no ultimately trusted keys found $ gpg --verify apache-maven-3.0.4-bin.tar.gz.asc apache-maven-3.0.4-bin.tar.gz gpg: Signature made Tue 17 Jan 2012 03:47:55 AM EST using DSA key ID B4372146 gpg: BAD signature from Olivier Lamy ol...@apache.org The md5 checksum also doesn't match. I get $ md5sum apache-maven-3.0.4-bin.tar.gz bc6559d120933c27534200d7dc9e0d39 apache-maven-3.0.4-bin.tar.gz and the download page says e513740978238cb9e4d482103751f6b7 Obviously I'm not using this tarball until I know what's up! Whose mistake and/or compromise? Jay Scott http://satirist.org/ - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org
Re: can't verify tarball
On 06/26/2012 04:49 PM, Olivier Lamy wrote: Do you remember from which mirror you download tar.gz ? Hmm, I just clicked the link on http://maven.apache.org/download.html and got whatever I got. When I return to the page now the link is http://www.apache.org/dyn/closer.cgi/maven/binaries/apache-maven-3.0.4-bin.tar.gz which sounds like it's not telling me the ultimate source. Can you try to download from archive site ? http://www.us.apache.org/dist/maven/binaries/ Success: Signature verifies and md5 matches with that download. I just downloaded apache-maven-3.0.4-bin.tar.gz (and its checksum and signature) and can't verify the signature. I grabbed KEYS from http://www.apache.org/dist/maven/KEYS and: ... Jay Scott http://satirist.org/ - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org
Re: can't verify tarball
2012/6/26 Jay Scott j...@mathforum.org: On 06/26/2012 04:49 PM, Olivier Lamy wrote: Do you remember from which mirror you download tar.gz ? Hmm, I just clicked the link on http://maven.apache.org/download.html and got whatever I got. When I return to the page now the link is http://www.apache.org/dyn/closer.cgi/maven/binaries/apache-maven-3.0.4-bin.tar.gz Yup and some mirrors are proposed to you. It looks you used one with strange content. If you could report which mirror fail that could be lovely :-) which sounds like it's not telling me the ultimate source. Can you try to download from archive site ? http://www.us.apache.org/dist/maven/binaries/ Success: Signature verifies and md5 matches with that download. I just downloaded apache-maven-3.0.4-bin.tar.gz (and its checksum and signature) and can't verify the signature. I grabbed KEYS from http://www.apache.org/dist/maven/KEYS and: ... Jay Scott http://satirist.org/ - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org -- Olivier Lamy Talend: http://coders.talend.com http://twitter.com/olamy | http://linkedin.com/in/olamy - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org
Re: can't verify tarball
PS: Thanks, a fast and good answer! Jay Scott http://satirist.org/ On 06/26/2012 04:58 PM, Jay Scott wrote: On 06/26/2012 04:49 PM, Olivier Lamy wrote: Do you remember from which mirror you download tar.gz ? Hmm, I just clicked the link on http://maven.apache.org/download.html and got whatever I got. When I return to the page now the link is http://www.apache.org/dyn/closer.cgi/maven/binaries/apache-maven-3.0.4-bin.tar.gz which sounds like it's not telling me the ultimate source. Can you try to download from archive site ? http://www.us.apache.org/dist/maven/binaries/ Success: Signature verifies and md5 matches with that download. I just downloaded apache-maven-3.0.4-bin.tar.gz (and its checksum and signature) and can't verify the signature. I grabbed KEYS from http://www.apache.org/dist/maven/KEYS and: ... - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org
Re: can't verify tarball
On 06/26/2012 05:01 PM, Olivier Lamy wrote: 2012/6/26 Jay Scott j...@mathforum.org: On 06/26/2012 04:49 PM, Olivier Lamy wrote: Do you remember from which mirror you download tar.gz ? Hmm, I just clicked the link on http://maven.apache.org/download.html and got whatever I got. When I return to the page now the link is http://www.apache.org/dyn/closer.cgi/maven/binaries/apache-maven-3.0.4-bin.tar.gz Yup and some mirrors are proposed to you. It looks you used one with strange content. If you could report which mirror fail that could be lovely :-) O! Now I think I know what went wrong! I saw .tar.gz at the end of the URL and right-clicked it and downloaded the list of mirrors instead of the file I wanted. It had the right filename and somehow I never noticed that the size was much too small. Sorry for the false alarm! But that list page should have a different URL, I'm sure I'm not the only one it has confused. Jay Scott http://satirist.org/ which sounds like it's not telling me the ultimate source. Can you try to download from archive site ? http://www.us.apache.org/dist/maven/binaries/ Success: Signature verifies and md5 matches with that download. I just downloaded apache-maven-3.0.4-bin.tar.gz (and its checksum and signature) and can't verify the signature. I grabbed KEYS from http://www.apache.org/dist/maven/KEYS and: ... - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org