Hi,
Am 09.07.2014 19:49, schrieb Mark Bobick, CTO:
Maruan,
If I'm sticking with PGP/GPG, then the only thing to do is import the key
from the MIT server and see what happens.
This is what happened:
[developer3@bf19650mdfl Downloads]$ ls pdfbox*
-rw-r--r--. 1 developer3 developer3 33476 Jul 8 11:13 pdfbox-1.8.6.jar
The downloaded jar file is corrupt, it is way to small. It's size has to be 4mb
and not just 33kb. Please change the mirrow and/or check your method downloading
the file.
BR
Andreas Lehmkühler
-rw-r--r--. 1 developer3 developer3 181 Jul 8 11:13 pdfbox-1.8.6.jar.asc
[developer3@bf19650mdfl Downloads]$ sudo gpg pdfbox-1.8.6.jar.asc
[sudo] password for developer3:
gpg: Signature made Thu 19 Jun 2014 07:57:08 AM EDT using DSA key ID
1DFDBF44
gpg: BAD signature from "Andreas Lehmkuehler (CODE SIGNING KEY)
<[email protected]>"
[developer3@bf19650mdfl Downloads]$ sudo gpg --keyserver pgpkeys.mit.edu
--recv-key 1DFDBF44
gpg: requesting key 1DFDBF44 from hkp server pgpkeys.mit.edu
gpg: key 1DFDBF44: "Andreas Lehmkuehler (CODE SIGNING KEY)
<[email protected]>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
[developer3@bf19650mdfl Downloads]$ sudo gpg pdfbox-1.8.6.jar.asc
gpg: Signature made Thu 19 Jun 2014 07:57:08 AM EDT using DSA key ID
1DFDBF44
gpg: BAD signature from "Andreas Lehmkuehler (CODE SIGNING KEY)
<[email protected]>"
[developer3@bf19650mdfl Downloads]$ sudo gpg --fingerprint 1DFDBF44
pub 1024D/1DFDBF44 2009-03-26
Key fingerprint = A602 970F E1BF 5C9C 8A94 91B9 7A3C 9FE2 1DFD BF44
uid Andreas Lehmkuehler (CODE SIGNING KEY)
<[email protected]>
sub 2048g/78CB2E94 2009-03-26
[developer3@bf19650mdfl Downloads]$
Have downloaded both jar and asc files several times with same result.
Would prefer to resolve issue, but I'll run checksums as alternative, and
will advise if anything off. Thanks for the follow-up.
Regards,
-mark bobick
-----Original Message-----
From: Maruan Sahyoun [mailto:[email protected]]
Sent: Wednesday, July 09, 2014 1:24 PM
To: [email protected]
Subject: Re: BAD SIGNATUREs on pdfbox/fontbox downloads
Dear Mark,
I did try the verification on OSX Maverick and Fedora 20 wo any issues. Is
it possible to use a different system to verify that you still get the same
error?
BR
Maruan Sahyoun
Am 08.07.2014 um 18:00 schrieb Mark Bobick, CTO
<[email protected]>:
Downloaded KEYS and PDFBOX and FONTBOX files from
https://pdfbox.apache.org/downloads.html.
OS: Linux Fedora 20 (Heisenbug)
This is outcome from posted on same page "Verify" protocol. Please
advise my error or other, and recommended action.
[developer3@bf19650mdfl ~]$ cd Downloads [developer3@bf19650mdfl
Downloads]$ ls KEYS -rw-r--r--. 1 developer3 developer3 11822 Jul 8
11:15 KEYS [developer3@bf19650mdfl Downloads]$ ls pdfbox* -rw-r--r--.
1 developer3 developer3 33476 Jul 8 11:13 pdfbox-1.8.6.jar
-rw-r--r--. 1 developer3 developer3 181 Jul 8 11:13
pdfbox-1.8.6.jar.asc
[developer3@bf19650mdfl Downloads]$ ls fontbox* -rw-r--r--. 1
developer3 developer3 33596 Jul 8 11:14 fontbox-1.8.6.jar
-rw-r--r--. 1 developer3 developer3 181 Jul 8 11:14
fontbox-1.8.6.jar.asc
[developer3@bf19650mdfl Downloads]$ gpg --import KEYS
gpg: key A355A63E: public key "Jukka Zitting <[email protected]>"
imported
gpg: key 8A26D9A6: public key "Jukka Zitting <[email protected]>"
imported
gpg: key 1DFDBF44: public key "Andreas Lehmkuehler (CODE SIGNING KEY)
<[email protected]>" imported
gpg: Total number processed: 3
gpg: imported: 3
gpg: no ultimately trusted keys found
[developer3@bf19650mdfl Downloads]$ sudo gpg --verify
pdfbox-1.8.6.jar.asc [sudo] password for developer3:
gpg: Signature made Thu 19 Jun 2014 07:57:08 AM EDT using DSA key ID
1DFDBF44
gpg: BAD signature from "Andreas Lehmkuehler (CODE SIGNING KEY)
<[email protected]>"
[developer3@bf19650mdfl Downloads]$ sudo gpg --verify
fontbox-1.8.6.jar.asc
gpg: Signature made Thu 19 Jun 2014 07:54:19 AM EDT using DSA key ID
1DFDBF44
gpg: BAD signature from "Andreas Lehmkuehler (CODE SIGNING KEY)
<[email protected]>"
[developer3@bf19650mdfl Downloads]$
Thanks & Regards,
-mark bobick
<http://www.linkedin.com/pub/mark-bobick/2/306/816/> LinkedIn
CTO, Correlation Concepts
<http://www.correlationconcepts.com/> www.correlationconcepts.com
2880 David Walker Dr. #407
Eustis, Florida 32726
702.882.5664
"We will find a way, or we will make one." - Hannibal
