RE: Netbeans 11 - Integrity of the release
Ok, thanks. Eduardo Quintanilla Software Developer From: Emilian Bold Sent: miércoles, 22 de mayo de 2019 11:23 a. m. To: Eduardo Quintanilla Cc: users@netbeans.apache.org Subject: Re: Netbeans 11 - Integrity of the release That warning says there is no chain of trust to the key. But considering you got the key from https://www.apache.org/dist/incubator/netbeans/KEYS you can ignore that warning. --emi On Wed, May 22, 2019 at 5:23 PM Eduardo Quintanilla mailto:equintani...@bnext.mx>> wrote: Hi, I downloaded Netbeans 11[1] and got an error when verifying the signature[3] of the downloaded zip. I got the KEYS from [2]. [1] - https://us.mirrors.quenda.co/apache/incubator/netbeans/incubating-netbeans/incubating-11.0/incubating-netbeans-11.0-bin.zip [2] - https://www.apache.org/dist/incubator/netbeans/KEYS [3] - https://www.apache.org/dist/incubator/netbeans/incubating-netbeans/incubating-11.0/incubating-netbeans-11.0-source.zip.asc I opened a Command Line in Windows 10 and executed GnuPG for Windows version 2.2.11: gpg --import KEYS.txt gpg --verify incubating-netbeans-11.0-source.zip.asc.txt incubating-netbeans-11.0-bin.zip Output: gpg: Signature made 03/20/19 02:27:54 Central Standard Time (Mexico) gpg:using RSA key 79C8F02A726E9EF53646D712B2BF814FA145CB2D gpg: BAD signature from "Laszlo Kishalmi (CODE SIGNING KEY) mailto:lkisha...@apache.org>>" [unknown] Is the validation process correct? Is there an error with the KEYS or the downloaded file? Best regards, Eduardo Quintanilla Software Developer The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer. La información transmitida está destinada únicamente a la persona o entidad a quien que va dirigida y puede contener información confidencial y/o material privilegiado. Cualquier revisión, retransmisión, difusión u otros usos, o cualquier acción tomada por personas o entidades distintas al destinatario basándose en esta información está prohibida. Si usted recibe este mensaje por error, por favor contacte al remitente y elimine el material de cualquier computadora. The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer. La información transmitida está destinada únicamente a la persona o entidad a quien que va dirigida y puede contener información confidencial y/o material privilegiado. Cualquier revisión, retransmisión, difusión u otros usos, o cualquier acción tomada por personas o entidades distintas al destinatario basándose en esta información está prohibida. Si usted recibe este mensaje por error, por favor contacte al remitente y elimine el material de cualquier computadora.
Re: Netbeans 11 - Integrity of the release
That warning says there is no chain of trust to the key. But considering you got the key from https://www.apache.org/dist/incubator/netbeans/KEYS you can ignore that warning. --emi On Wed, May 22, 2019 at 5:23 PM Eduardo Quintanilla wrote: > Hi, > > > > I downloaded Netbeans 11[1] and got an error when verifying the > signature[3] of the downloaded zip. > > I got the KEYS from [2]. > > > > [1] - > https://us.mirrors.quenda.co/apache/incubator/netbeans/incubating-netbeans/incubating-11.0/incubating-netbeans-11.0-bin.zip > > [2] - https://www.apache.org/dist/incubator/netbeans/KEYS > > [3] - > https://www.apache.org/dist/incubator/netbeans/incubating-netbeans/incubating-11.0/incubating-netbeans-11.0-source.zip.asc > > > > I opened a Command Line in Windows 10 and executed GnuPG for Windows > version 2.2.11: > > > > gpg --import KEYS.txt > > gpg --verify incubating-netbeans-11.0-source.zip.asc.txt > incubating-netbeans-11.0-bin.zip > > > > Output: > > gpg: Signature made 03/20/19 02:27:54 Central Standard Time (Mexico) > > gpg:using RSA key 79C8F02A726E9EF53646D712B2BF814FA145CB2D > > gpg: BAD signature from "Laszlo Kishalmi (CODE SIGNING KEY) < > lkisha...@apache.org>" [unknown] > > > > Is the validation process correct? Is there an error with the KEYS or the > downloaded file? > > > > Best regards, > > *Eduardo Quintanilla * > > *Software Developer* > > > > > The information transmitted is intended only for the person or entity to > which it is addressed and may contain confidential and/or privileged > material. Any review, retransmission, dissemination or other use of, or > taking of any action in reliance upon, this information by persons or > entities other than the intended recipient is prohibited. If you received > this in error, please contact the sender and delete the material from any > computer. > La información transmitida está destinada únicamente a la persona o > entidad a quien que va dirigida y puede contener información confidencial > y/o material privilegiado. Cualquier revisión, retransmisión, difusión u > otros usos, o cualquier acción tomada por personas o entidades distintas al > destinatario basándose en esta información está prohibida. Si usted recibe > este mensaje por error, por favor contacte al remitente y elimine el > material de cualquier computadora. >
RE: Netbeans 11 - Integrity of the release
Thanks, that was the problem. I overlooked that there is two signatures. With the correct file: gpg --import KEYS.txt gpg --verify incubating-netbeans-11.0-bin.zip.asc incubating-netbeans-11.0-bin.zip The output now says: gpg: Signature made 03/20/19 02:27:46 Central Standard Time (Mexico) gpg:using RSA key 79C8F02A726E9EF53646D712B2BF814FA145CB2D gpg: Good signature from "Laszlo Kishalmi (CODE SIGNING KEY) " [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 79C8 F02A 726E 9EF5 3646 D712 B2BF 814F A145 CB2D Can I ignore the warning? Eduardo Quintanilla Software Developer From: Helmut Leininger Sent: miércoles, 22 de mayo de 2019 9:58 a. m. To: users@netbeans.apache.org Subject: Re: Netbeans 11 - Integrity of the release Hi, I think you downloaded the binary and tried to verify it with a key for the source. Helmut Am 22.05.2019 um 16:23 schrieb Eduardo Quintanilla: Hi, I downloaded Netbeans 11[1] and got an error when verifying the signature[3] of the downloaded zip. I got the KEYS from [2]. [1] - https://us.mirrors.quenda.co/apache/incubator/netbeans/incubating-netbeans/incubating-11.0/incubating-netbeans-11.0-bin.zip [2] - https://www.apache.org/dist/incubator/netbeans/KEYS [3] - https://www.apache.org/dist/incubator/netbeans/incubating-netbeans/incubating-11.0/incubating-netbeans-11.0-source.zip.asc I opened a Command Line in Windows 10 and executed GnuPG for Windows version 2.2.11: gpg --import KEYS.txt gpg --verify incubating-netbeans-11.0-source.zip.asc.txt incubating-netbeans-11.0-bin.zip Output: gpg: Signature made 03/20/19 02:27:54 Central Standard Time (Mexico) gpg:using RSA key 79C8F02A726E9EF53646D712B2BF814FA145CB2D gpg: BAD signature from "Laszlo Kishalmi (CODE SIGNING KEY) <mailto:lkisha...@apache.org>" [unknown] Is the validation process correct? Is there an error with the KEYS or the downloaded file? Best regards, Eduardo Quintanilla Software Developer The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer. La información transmitida está destinada únicamente a la persona o entidad a quien que va dirigida y puede contener información confidencial y/o material privilegiado. Cualquier revisión, retransmisión, difusión u otros usos, o cualquier acción tomada por personas o entidades distintas al destinatario basándose en esta información está prohibida. Si usted recibe este mensaje por error, por favor contacte al remitente y elimine el material de cualquier computadora. The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer. La información transmitida está destinada únicamente a la persona o entidad a quien que va dirigida y puede contener información confidencial y/o material privilegiado. Cualquier revisión, retransmisión, difusión u otros usos, o cualquier acción tomada por personas o entidades distintas al destinatario basándose en esta información está prohibida. Si usted recibe este mensaje por error, por favor contacte al remitente y elimine el material de cualquier computadora.
Re: Netbeans 11 - Integrity of the release
Hi, I think you downloaded the *binary* and tried to verify it with a *key for the source*. Helmut Am 22.05.2019 um 16:23 schrieb Eduardo Quintanilla: > > Hi, > > > > I downloaded Netbeans 11[1] and got an error when verifying the > signature[3] of the downloaded zip. > > I got the KEYS from [2]. > > > > [1] - > https://us.mirrors.quenda.co/apache/incubator/netbeans/incubating-netbeans/incubating-11.0/incubating-netbeans-11.0-bin.zip > > [2] - https://www.apache.org/dist/incubator/netbeans/KEYS > > [3] - > https://www.apache.org/dist/incubator/netbeans/incubating-netbeans/incubating-11.0/incubating-netbeans-11.0-source.zip.asc > > > > I opened a Command Line in Windows 10 and executed GnuPG for Windows > version 2.2.11: > > > > gpg --import KEYS.txt > > gpg --verify incubating-netbeans-11.0-source.zip.asc.txt > incubating-netbeans-11.0-bin.zip > > > > Output: > > gpg: Signature made 03/20/19 02:27:54 Central Standard Time (Mexico) > > gpg: using RSA key 79C8F02A726E9EF53646D712B2BF814FA145CB2D > > gpg: BAD signature from "Laszlo Kishalmi (CODE SIGNING KEY) > " [unknown] > > > > Is the validation process correct? Is there an error with the KEYS or > the downloaded file? > > > > Best regards, > > *Eduardo Quintanilla * > > /Software Developer/ > > > > Email Signature > > > > The information transmitted is intended only for the person or entity > to which it is addressed and may contain confidential and/or > privileged material. Any review, retransmission, dissemination or > other use of, or taking of any action in reliance upon, this > information by persons or entities other than the intended recipient > is prohibited. If you received this in error, please contact the > sender and delete the material from any computer. > La información transmitida está destinada únicamente a la persona o > entidad a quien que va dirigida y puede contener información > confidencial y/o material privilegiado. Cualquier revisión, > retransmisión, difusión u otros usos, o cualquier acción tomada por > personas o entidades distintas al destinatario basándose en esta > información está prohibida. Si usted recibe este mensaje por error, > por favor contacte al remitente y elimine el material de cualquier > computadora. > <> - To unsubscribe, e-mail: users-unsubscr...@netbeans.apache.org For additional commands, e-mail: users-h...@netbeans.apache.org For further information about the NetBeans mailing lists, visit: https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists
RE: Netbeans 11 - Integrity of the release
Thanks, that was the problem. The output now says: gpg: Signature made 03/20/19 02:27:46 Central Standard Time (Mexico) gpg:using RSA key 79C8F02A726E9EF53646D712B2BF814FA145CB2D gpg: Good signature from "Laszlo Kishalmi (CODE SIGNING KEY) " [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 79C8 F02A 726E 9EF5 3646 D712 B2BF 814F A145 CB2D Can I ignore the warning? Best regards, Eduardo Quintanilla Software Developer -Original Message- From: Neil C Smith Sent: miércoles, 22 de mayo de 2019 9:48 a. m. To: Eduardo Quintanilla ; users@netbeans.apache.org Subject: Re: Netbeans 11 - Integrity of the release On Wed, 22 May 2019 at 15:23, Eduardo Quintanilla wrote: > gpg --verify incubating-netbeans-11.0-source.zip.asc.txt > incubating-netbeans-11.0-bin.zip You appear to be verifying the source key against the binary zip?! Best wishes, Neil The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer. La información transmitida está destinada únicamente a la persona o entidad a quien que va dirigida y puede contener información confidencial y/o material privilegiado. Cualquier revisión, retransmisión, difusión u otros usos, o cualquier acción tomada por personas o entidades distintas al destinatario basándose en esta información está prohibida. Si usted recibe este mensaje por error, por favor contacte al remitente y elimine el material de cualquier computadora. - To unsubscribe, e-mail: users-unsubscr...@netbeans.apache.org For additional commands, e-mail: users-h...@netbeans.apache.org For further information about the NetBeans mailing lists, visit: https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists
Re: Netbeans 11 - Integrity of the release
On Wed, 22 May 2019 at 15:23, Eduardo Quintanilla wrote: > gpg --verify incubating-netbeans-11.0-source.zip.asc.txt > incubating-netbeans-11.0-bin.zip You appear to be verifying the source key against the binary zip?! Best wishes, Neil - To unsubscribe, e-mail: users-unsubscr...@netbeans.apache.org For additional commands, e-mail: users-h...@netbeans.apache.org For further information about the NetBeans mailing lists, visit: https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists
Netbeans 11 - Integrity of the release
Hi, I downloaded Netbeans 11[1] and got an error when verifying the signature[3] of the downloaded zip. I got the KEYS from [2]. [1] - https://us.mirrors.quenda.co/apache/incubator/netbeans/incubating-netbeans/incubating-11.0/incubating-netbeans-11.0-bin.zip [2] - https://www.apache.org/dist/incubator/netbeans/KEYS [3] - https://www.apache.org/dist/incubator/netbeans/incubating-netbeans/incubating-11.0/incubating-netbeans-11.0-source.zip.asc I opened a Command Line in Windows 10 and executed GnuPG for Windows version 2.2.11: gpg --import KEYS.txt gpg --verify incubating-netbeans-11.0-source.zip.asc.txt incubating-netbeans-11.0-bin.zip Output: gpg: Signature made 03/20/19 02:27:54 Central Standard Time (Mexico) gpg:using RSA key 79C8F02A726E9EF53646D712B2BF814FA145CB2D gpg: BAD signature from "Laszlo Kishalmi (CODE SIGNING KEY) " [unknown] Is the validation process correct? Is there an error with the KEYS or the downloaded file? Best regards, Eduardo Quintanilla Software Developer The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer. La informaci?n transmitida est? destinada ?nicamente a la persona o entidad a quien que va dirigida y puede contener informaci?n confidencial y/o material privilegiado. Cualquier revisi?n, retransmisi?n, difusi?n u otros usos, o cualquier acci?n tomada por personas o entidades distintas al destinatario bas?ndose en esta informaci?n est? prohibida. Si usted recibe este mensaje por error, por favor contacte al remitente y elimine el material de cualquier computadora.