[EMAIL PROTECTED] wrote:

Antoine,

When I awoke this morning I thought I should send this to you too.

Hope this helps,

Frank



------------------------------------------------------------------------

Subject: Ant 1.6.0 download security confusion
From: [EMAIL PROTECTED]
Date: Sun, 01 Feb 2004 02:40:02 -0500
To: [EMAIL PROTECTED]


Hello,


I went to download the latest Ant release on 1/31/04 at about 10:30 PST. From 
the apache distribution site, I downloaded the KEYS file and the pgp armored 
file, these two specifically
http://www.apache.org/dist/ant/KEYS
http://www.apache.org/dist/ant/ant-current-bin.zip.asc

Then I imported KEYS into pgp on my system (windows 2000)
Next I did, pgp ant-current-bin.zip.asc to verify it.
pgp does not like what it found.
The warning messages say, File 'ant-current-bin.zip.asc' has signature, but with no text.
Text is assumed to be i file 'ant-current-bin.zip'.
WARNING: Bad signature, doesn't match file contents!


Bad signature from user "Antoine Levy-Lambert (Apache Ant Committer) <[EMAIL PROTECTED]>".



You probably need to have also downloaded the ant-current-bin.zip before you check the ant-current-bin.zip.asc.

I then downloaded from these two URLs:
http://apache.webmeta.com/ant/binaries/apache-ant-1.6.0-bin.zip
http://www.apache.org/dist/ant/binaries/apache-ant-1.6.0-bin.zip.asc


Then did pgp apache-ant-1.6.0-bin.zip.asc
The result was,
File 'apache-ant-1.6.0-bin.zip.asc' has signature, but with no text.
Text is assumed to be i file 'apache-ant-1.6.0-bin.zip'.
Good signature from user "Antoine Levy-Lambert (Apache Ant Committer) <[EMAIL PROTECTED]>".
Signature made 2003/12/18 20:27 GMT

WARNING: Because this public key is not certified with a trusted
signature, it is not known with high confidence that this public key
actually belongs to "Antoine Levy-Lambert (Apache Ant Committer) <[EMAIL PROTECTED]>".



My public key has been signed by Stefan Bodewig. I do not know what is a trusted signature in the sense of pgp.

I am using PGP 6.5.8 which I downloaded from MIT tonight specifically to do 
this check, especially because the Apache Ant website suggested so strongly 
that I use the pgp check not just md5. So I did and the Apache site turned up 
with these problems.

Hope this helps straighten out the use of keys and signatures among the several 
websites involved. It seems there is some confusion at a minimum, here's hoping 
there is not an actual security problem.

Frank Curran
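The two points the thread turns on, as an added example that is not part of the original exchange: a detached `.asc` can only be checked against the file it signs (Frank's first attempt had the signature but not `ant-current-bin.zip`, hence the "bad signature"), and a good signature from a key your keyring does not trust is a separate condition that is best resolved by pinning the release manager's fingerprint rather than by ignoring the warning. The script below uses GnuPG rather than PGP 6.5.8; the signing key, the `KEYS` file and the `artifact.zip` it signs are throwaway values generated on the spot, not the Apache Ant release files, and `verify_release` is a helper written for this example.

```shell
#!/bin/sh
# Added example (not from the original thread): reproduce the verification
# outcomes discussed above with GnuPG. The key, the artifact and the KEYS file
# are constructed stand-ins generated here, not the Apache Ant release files.
set -eu

if ! command -v gpg >/dev/null 2>&1; then
    echo "gpg not installed; nothing to demonstrate" >&2
    exit 0
fi

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/signer"     # private keyring of the pretend release manager
mkdir -m 700 "$GNUPGHOME"

# 1. Release side: create a signing key, publish it as a KEYS file, detach-sign the artifact.
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'Example Release Manager <release@example.invalid>' ed25519 sign 0 \
    >/dev/null 2>&1
SIGNER_FPR=$(gpg --batch --with-colons --fingerprint | awk -F: '$1 == "fpr" { print $10; exit }')
gpg --batch --armor --export > "$WORK/KEYS"

printf 'constructed release artifact\n' > "$WORK/artifact.zip"
gpg --batch --quiet --pinentry-mode loopback --passphrase '' --armor --detach-sign \
    --output "$WORK/artifact.zip.asc" "$WORK/artifact.zip"

# A copy with one extra byte: what a corrupted or substituted download looks like.
cp "$WORK/artifact.zip" "$WORK/tampered.zip"
printf 'x' >> "$WORK/tampered.zip"

# 2. Download side. verify_release KEYS ARTIFACT SIG EXPECTED_FPR prints one token:
#    good         signature valid and made by the pinned key
#    bad-missing  the .asc is present but the signed file is not (the first attempt in the thread)
#    bad-sig      signature does not match the file contents
#    bad-key      signature valid but made by a key other than the pinned one
# A fresh keyring is used per call, so only keys from KEYS are consulted, and the
# fingerprint pin replaces the web-of-trust judgement gpg would otherwise warn about.
verify_release() {
    keys=$1; artifact=$2; sig=$3; expected_fpr=$4
    if [ ! -f "$artifact" ]; then
        echo bad-missing
        return 1
    fi
    ring=$(mktemp -d)
    chmod 700 "$ring"
    GNUPGHOME="$ring" gpg --batch --quiet --import "$keys" 2>/dev/null
    # --status-fd 1 emits machine-readable lines; VALIDSIG carries the signing key's fingerprint.
    status=$(GNUPGHOME="$ring" gpg --batch --status-fd 1 --verify "$sig" "$artifact" 2>/dev/null || true)
    rm -rf "$ring"
    case "$status" in
        *"[GNUPG:] VALIDSIG $expected_fpr "*) echo good ;;
        *"[GNUPG:] VALIDSIG "*)               echo bad-key; return 1 ;;
        *)                                    echo bad-sig; return 1 ;;
    esac
}

# Walk through the four outcomes (|| true keeps set -e from stopping the demo).
for name in artifact.zip tampered.zip missing.zip; do
    printf '%-14s %s\n' "$name" \
        "$(verify_release "$WORK/KEYS" "$WORK/$name" "$WORK/artifact.zip.asc" "$SIGNER_FPR" || true)"
done
printf '%-14s %s\n' "wrong pin" \
    "$(verify_release "$WORK/KEYS" "$WORK/artifact.zip" "$WORK/artifact.zip.asc" \
        0000000000000000000000000000000000000000 || true)"
```

On the `good` path gpg still writes the same "This key is not certified with a trusted signature" warning to stderr that appears in the thread, because the fresh keyring has no trust path to the signer; the script answers that by matching the `VALIDSIG` fingerprint against a value obtained out of band (for a real release, the fingerprint published by the project, not one read from the same mirror as the download).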
