Andreas, I eventually noticed that the files were corrupt. Switched to 1.8.5 and downloads/all signatures/keys checked out.
Regards, --mark bobick -----Original Message----- From: Andreas Lehmkuehler [mailto:[email protected]] Sent: Sunday, July 20, 2014 1:37 PM To: [email protected] Subject: Re: BAD SIGNATUREs on pdfbox/fontbox downloads Hi, Am 09.07.2014 19:49, schrieb Mark Bobick, CTO: > Maruan, > > If I'm sticking with PGP/GPG, then the only thing to do is import the > key from the MIT server and see what happens. > > This is what happened: > > [developer3@bf19650mdfl Downloads]$ ls pdfbox* -rw-r--r--. 1 > developer3 developer3 33476 Jul 8 11:13 pdfbox-1.8.6.jar The downloaded jar file is corrupt, it is way to small. It's size has to be 4mb and not just 33kb. Please change the mirrow and/or check your method downloading the file. BR Andreas Lehmkühler > -rw-r--r--. 1 developer3 developer3 181 Jul 8 11:13 pdfbox-1.8.6.jar.asc > [developer3@bf19650mdfl Downloads]$ sudo gpg pdfbox-1.8.6.jar.asc > [sudo] password for developer3: > gpg: Signature made Thu 19 Jun 2014 07:57:08 AM EDT using DSA key ID > 1DFDBF44 > gpg: BAD signature from "Andreas Lehmkuehler (CODE SIGNING KEY) > <[email protected]>" > [developer3@bf19650mdfl Downloads]$ sudo gpg --keyserver > pgpkeys.mit.edu --recv-key 1DFDBF44 > gpg: requesting key 1DFDBF44 from hkp server pgpkeys.mit.edu > gpg: key 1DFDBF44: "Andreas Lehmkuehler (CODE SIGNING KEY) > <[email protected]>" not changed > gpg: Total number processed: 1 > gpg: unchanged: 1 > [developer3@bf19650mdfl Downloads]$ sudo gpg pdfbox-1.8.6.jar.asc > gpg: Signature made Thu 19 Jun 2014 07:57:08 AM EDT using DSA key ID > 1DFDBF44 > gpg: BAD signature from "Andreas Lehmkuehler (CODE SIGNING KEY) > <[email protected]>" > [developer3@bf19650mdfl Downloads]$ sudo gpg --fingerprint 1DFDBF44 > pub 1024D/1DFDBF44 2009-03-26 > Key fingerprint = A602 970F E1BF 5C9C 8A94 91B9 7A3C 9FE2 1DFD BF44 > uid Andreas Lehmkuehler (CODE SIGNING KEY) > <[email protected]> > sub 2048g/78CB2E94 2009-03-26 > [developer3@bf19650mdfl Downloads]$ > > Have downloaded both jar and asc files several times with same result. > Would prefer to resolve issue, but I'll run checksums as alternative, > and will advise if anything off. Thanks for the follow-up. > > Regards, > > -mark bobick > > -----Original Message----- > From: Maruan Sahyoun [mailto:[email protected]] > Sent: Wednesday, July 09, 2014 1:24 PM > To: [email protected] > Subject: Re: BAD SIGNATUREs on pdfbox/fontbox downloads > > Dear Mark, > > I did try the verification on OSX Maverick and Fedora 20 wo any > issues. Is it possible to use a different system to verify that you > still get the same error? > > BR > Maruan Sahyoun > > Am 08.07.2014 um 18:00 schrieb Mark Bobick, CTO > <[email protected]>: > >> Downloaded KEYS and PDFBOX and FONTBOX files from >> https://pdfbox.apache.org/downloads.html. >> >> OS: Linux Fedora 20 (Heisenbug) >> >> >> >> This is outcome from posted on same page "Verify" protocol. Please >> advise my error or other, and recommended action. >> >> >> >> [developer3@bf19650mdfl ~]$ cd Downloads [developer3@bf19650mdfl >> Downloads]$ ls KEYS -rw-r--r--. 1 developer3 developer3 11822 Jul 8 >> 11:15 KEYS [developer3@bf19650mdfl Downloads]$ ls pdfbox* -rw-r--r--. >> 1 developer3 developer3 33476 Jul 8 11:13 pdfbox-1.8.6.jar >> -rw-r--r--. 1 developer3 developer3 181 Jul 8 11:13 > pdfbox-1.8.6.jar.asc >> [developer3@bf19650mdfl Downloads]$ ls fontbox* -rw-r--r--. 1 >> developer3 developer3 33596 Jul 8 11:14 fontbox-1.8.6.jar >> -rw-r--r--. 1 developer3 developer3 181 Jul 8 11:14 > fontbox-1.8.6.jar.asc >> [developer3@bf19650mdfl Downloads]$ gpg --import KEYS >> gpg: key A355A63E: public key "Jukka Zitting <[email protected]>" >> imported >> gpg: key 8A26D9A6: public key "Jukka Zitting <[email protected]>" >> imported >> gpg: key 1DFDBF44: public key "Andreas Lehmkuehler (CODE SIGNING KEY) >> <[email protected]>" imported >> gpg: Total number processed: 3 >> gpg: imported: 3 >> gpg: no ultimately trusted keys found [developer3@bf19650mdfl >> Downloads]$ sudo gpg --verify pdfbox-1.8.6.jar.asc [sudo] password >> for developer3: >> gpg: Signature made Thu 19 Jun 2014 07:57:08 AM EDT using DSA key ID >> 1DFDBF44 >> gpg: BAD signature from "Andreas Lehmkuehler (CODE SIGNING KEY) >> <[email protected]>" >> [developer3@bf19650mdfl Downloads]$ sudo gpg --verify >> fontbox-1.8.6.jar.asc >> gpg: Signature made Thu 19 Jun 2014 07:54:19 AM EDT using DSA key ID >> 1DFDBF44 >> gpg: BAD signature from "Andreas Lehmkuehler (CODE SIGNING KEY) >> <[email protected]>" >> [developer3@bf19650mdfl Downloads]$ >> >> >> >> Thanks & Regards, >> >> >> >> -mark bobick >> <http://www.linkedin.com/pub/mark-bobick/2/306/816/> LinkedIn >> >> >> >> CTO, Correlation Concepts >> >> <http://www.correlationconcepts.com/> www.correlationconcepts.com >> >> 2880 David Walker Dr. #407 >> >> Eustis, Florida 32726 >> >> 702.882.5664 >> >> >> >> "We will find a way, or we will make one." - Hannibal >> >> >> > >
