Re: BAD SIGNATUREs on pdfbox/fontbox downloads

[Andreas Lehmkuehler]

Hi,

Am 21.07.2014 18:37, schrieb Mark Bobick, CTO:
Andreas,
I eventually noticed that the files were corrupt.  Switched to 1.8.5 and
downloads/all signatures/keys checked out.
Just to avoid misunderstandings, all released files of pdfbox 1.8.6 are o.k. 
Either the mirror you used provids corrupt files or something went wrong when 
downloading the files.

BR
Andreas Lehmkühler
Regards,

--mark bobick

-----Original Message-----
From: Andreas Lehmkuehler [mailto:andr...@lehmi.de]
Sent: Sunday, July 20, 2014 1:37 PM
To: users@pdfbox.apache.org
Subject: Re: BAD SIGNATUREs on pdfbox/fontbox downloads

Hi,

Am 09.07.2014 19:49, schrieb Mark Bobick, CTO:
Maruan,

If I'm sticking with PGP/GPG, then the only thing to do is import the
key from the MIT server and see what happens.

   This is what happened:

[developer3@bf19650mdfl Downloads]$ ls pdfbox* -rw-r--r--. 1
developer3 developer3 33476 Jul  8 11:13 pdfbox-1.8.6.jar
The downloaded jar file is corrupt, it is way to small. It's size has to be
4mb and not just 33kb. Please change the mirrow and/or check your method
downloading the file.

BR
Andreas Lehmkühler

-rw-r--r--. 1 developer3 developer3   181 Jul  8 11:13
pdfbox-1.8.6.jar.asc
[developer3@bf19650mdfl Downloads]$ sudo gpg pdfbox-1.8.6.jar.asc
[sudo] password for developer3:
gpg: Signature made Thu 19 Jun 2014 07:57:08 AM EDT using DSA key ID
1DFDBF44
gpg: BAD signature from "Andreas Lehmkuehler (CODE SIGNING KEY)
<le...@apache.org>"
[developer3@bf19650mdfl Downloads]$ sudo gpg --keyserver
pgpkeys.mit.edu --recv-key 1DFDBF44
gpg: requesting key 1DFDBF44 from hkp server pgpkeys.mit.edu
gpg: key 1DFDBF44: "Andreas Lehmkuehler (CODE SIGNING KEY)
<le...@apache.org>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
[developer3@bf19650mdfl Downloads]$ sudo gpg pdfbox-1.8.6.jar.asc
gpg: Signature made Thu 19 Jun 2014 07:57:08 AM EDT using DSA key ID
1DFDBF44
gpg: BAD signature from "Andreas Lehmkuehler (CODE SIGNING KEY)
<le...@apache.org>"
[developer3@bf19650mdfl Downloads]$ sudo gpg --fingerprint 1DFDBF44
pub   1024D/1DFDBF44 2009-03-26
        Key fingerprint = A602 970F E1BF 5C9C 8A94  91B9 7A3C 9FE2 1DFD
BF44
uid                  Andreas Lehmkuehler (CODE SIGNING KEY)
<le...@apache.org>
sub   2048g/78CB2E94 2009-03-26
[developer3@bf19650mdfl Downloads]$

Have downloaded both jar and asc files several times with same result.
Would prefer to resolve issue, but I'll run checksums as alternative,
and will advise if anything off.  Thanks for the follow-up.

Regards,

-mark bobick

-----Original Message-----
From: Maruan Sahyoun [mailto:sahy...@fileaffairs.de]
Sent: Wednesday, July 09, 2014 1:24 PM
To: users@pdfbox.apache.org
Subject: Re: BAD SIGNATUREs on pdfbox/fontbox downloads

Dear Mark,

I did try the verification on OSX Maverick and Fedora 20  wo any
issues. Is it possible to use a different system to verify that you
still get the same error?

BR
Maruan Sahyoun

Am 08.07.2014 um 18:00 schrieb Mark Bobick, CTO
<m.bob...@correlationconcepts.com>:

Downloaded KEYS and PDFBOX and FONTBOX files from
https://pdfbox.apache.org/downloads.html.

OS: Linux Fedora 20 (Heisenbug)



This is outcome from posted on same page "Verify" protocol.  Please
advise my error or other, and recommended action.



[developer3@bf19650mdfl ~]$ cd Downloads [developer3@bf19650mdfl
Downloads]$ ls KEYS -rw-r--r--. 1 developer3 developer3 11822 Jul  8
11:15 KEYS [developer3@bf19650mdfl Downloads]$ ls pdfbox* -rw-r--r--.
1 developer3 developer3 33476 Jul  8 11:13 pdfbox-1.8.6.jar
-rw-r--r--. 1 developer3 developer3   181 Jul  8 11:13
pdfbox-1.8.6.jar.asc
[developer3@bf19650mdfl Downloads]$ ls fontbox* -rw-r--r--. 1
developer3 developer3 33596 Jul  8 11:14 fontbox-1.8.6.jar
-rw-r--r--. 1 developer3 developer3   181 Jul  8 11:14
fontbox-1.8.6.jar.asc
[developer3@bf19650mdfl Downloads]$ gpg --import KEYS
gpg: key A355A63E: public key "Jukka Zitting <ju...@apache.org>"
imported
gpg: key 8A26D9A6: public key "Jukka Zitting <jukka.zitt...@gmail.com>"
imported
gpg: key 1DFDBF44: public key "Andreas Lehmkuehler (CODE SIGNING KEY)
<le...@apache.org>" imported
gpg: Total number processed: 3
gpg:               imported: 3
gpg: no ultimately trusted keys found [developer3@bf19650mdfl
Downloads]$ sudo gpg --verify pdfbox-1.8.6.jar.asc [sudo] password
for developer3:
gpg: Signature made Thu 19 Jun 2014 07:57:08 AM EDT using DSA key ID
1DFDBF44
gpg: BAD signature from "Andreas Lehmkuehler (CODE SIGNING KEY)
<le...@apache.org>"
[developer3@bf19650mdfl Downloads]$ sudo gpg --verify
fontbox-1.8.6.jar.asc
gpg: Signature made Thu 19 Jun 2014 07:54:19 AM EDT using DSA key ID
1DFDBF44
gpg: BAD signature from "Andreas Lehmkuehler (CODE SIGNING KEY)
<le...@apache.org>"
[developer3@bf19650mdfl Downloads]$



Thanks & Regards,



-mark bobick
<http://www.linkedin.com/pub/mark-bobick/2/306/816/> LinkedIn



CTO, Correlation Concepts

<http://www.correlationconcepts.com/> www.correlationconcepts.com

2880 David Walker Dr. #407

Eustis, Florida  32726

702.882.5664



"We will find a way, or we will make one." - Hannibal