The way I understand it, the artefact we voted on, that has a good signature. The one on the website that results in the bad signature. So either the website isn't pointing to the correct artefact, or something has gone wrong somewhere.
John On 8 March 2018 at 20:11, Geertjan Wielenga < [email protected]> wrote: > Yes, I think we need to sort out what's going on here. > > Though if it turns out there's a problem with the signing of the Beta, I > think that means we need to be all the more careful and really verify > everything in that regard (maybe have a dedicated signature verification > team) for the final release. > > Gj > > On Thu, Mar 8, 2018 at 8:21 PM, John McDonnell <[email protected]> > wrote: > > > Apologies for the spam, cross posting to dev. > > > > @Antonio, do you know if the link on the website for NetBeans 9.0 Beta is > > correct? Looking at this thread, the signature doesn't match the RC3.0 > > thread we voted on. If we have a small typo we should try to catch this > > early in the NetCat phase. > > > > Regards > > > > John > > > > > > On 8 March 2018 at 07:47, John McDonnell <[email protected]> > wrote: > > > >> Hi Leo, > >> > >> I didn't import the keys, as I had previously done this step... > >> > >> But > >> > >> I'm looking at a different file then you: > >> https://dist.apache.org/repos/dist/dev/incubator/netbeans/in > >> cubating-netbeans-java/incubating-9.0-beta/incubating-netbea > >> ns-java-9.0-beta-bin.zip(you) > >> https://dist.apache.org/repos/dist/dev/incubator/netbeans/in > >> cubating-netbeans-java/incubating-9.0-beta-rc3/incubating-ne > >> tbeans-java-9.0-beta-bin.zip(me) > >> > >> @Geertjan, the vote thread you referenced earlier, we voted on the link > I > >> used - and got a good signature, so I think that's okay. But the > website > >> points to a different URL (The one Leo checked). I suspect that the > >> website is using the wrong URL, but before I jump to that conclusion, > just > >> curious after the successful vote would you have moved the artefact to > >> the location on the website? > >> > >> Regards > >> > >> John > >> > >> > >> On 8 March 2018 at 01:50, Leo Donahue <[email protected]> wrote: > >> > >>> Hi John, > >>> > >>> I noticed that you didn't issue: gpg --import KEYS > >>> > >>> I tried again, using wget to download the binary zip file, same result. > >>> I have also tried different mirrors. I guess I will just build from > >>> source, I was just being lazy. > >>> > >>> (The --list-keys command illustrates I don't already have the KEYS file > >>> imported) > >>> > >>> leo@vmw01:~$ *gpg --list-keys* > >>> leo@vmw01:~$ *wget > >>> https://dist.apache.org/repos/dist/release/incubator/netbeans/KEYS > >>> <https://dist.apache.org/repos/dist/release/incubator/netbeans/KEYS>* > >>> --2018-03-07 18:40:53-- https://dist.apache.org/repos/ > >>> dist/release/incubator/netbeans/KEYS > >>> Resolving dist.apache.org (dist.apache.org)... 209.188.14.144 > >>> Connecting to dist.apache.org (dist.apache.org)|209.188.14.144|:443... > >>> connected. > >>> HTTP request sent, awaiting response... 200 OK > >>> Length: 7594 (7.4K) [text/plain] > >>> Saving to: ‘KEYS’ > >>> > >>> KEYS 100%[========================= > >>> ==============================================>] 7.42K --.-KB/s > >>> in 0s > >>> > >>> 2018-03-07 18:40:54 (42.0 MB/s) - ‘KEYS’ saved [7594/7594] > >>> > >>> leo@vmw01:~$ *wget > >>> https://dist.apache.org/repos/dist/dev/incubator/netbeans/ > incubating-netbeans-java/incubating-9.0-beta/incubating-netbeans-java-9.0- > beta-bin.zip.asc > >>> <https://dist.apache.org/repos/dist/dev/incubator/ > netbeans/incubating-netbeans-java/incubating-9.0-beta/ > incubating-netbeans-java-9.0-beta-bin.zip.asc>* > >>> --2018-03-07 18:41:11-- https://dist.apache.org/repos/ > >>> dist/dev/incubator/netbeans/incubating-netbeans-java/incubat > >>> ing-9.0-beta/incubating-netbeans-java-9.0-beta-bin.zip.asc > >>> Resolving dist.apache.org (dist.apache.org)... 209.188.14.144 > >>> Connecting to dist.apache.org (dist.apache.org)|209.188.14.144|:443... > >>> connected. > >>> HTTP request sent, awaiting response... 200 OK > >>> Length: 819 [text/plain] > >>> Saving to: ‘incubating-netbeans-java-9.0-beta-bin.zip.asc’ > >>> > >>> incubating-netbeans-java-9.0-beta-bin 100%[========================= > >>> ==============================================>] 819 --.-KB/s > >>> in 0s > >>> > >>> 2018-03-07 18:41:11 (16.4 MB/s) - ‘incubating-netbeans-java-9.0- > beta-bin.zip.asc’ > >>> saved [819/819] > >>> > >>> leo@vmw01:~$ *wget > >>> http://apache.cs.utah.edu/incubator/netbeans/incubating- > netbeans-java/incubating-9.0-beta/incubating-netbeans-java- > 9.0-beta-bin.zip > >>> <http://apache.cs.utah.edu/incubator/netbeans/incubating- > netbeans-java/incubating-9.0-beta/incubating-netbeans-java- > 9.0-beta-bin.zip>* > >>> --2018-03-07 18:41:41-- http://apache.cs.utah.edu/incu > >>> bator/netbeans/incubating-netbeans-java/incubating-9.0-beta/ > >>> incubating-netbeans-java-9.0-beta-bin.zip > >>> Resolving apache.cs.utah.edu (apache.cs.utah.edu)... 155.98.64.87 > >>> Connecting to apache.cs.utah.edu (apache.cs.utah.edu)|155.98. > 64.87|:80... > >>> connected. > >>> HTTP request sent, awaiting response... 200 OK > >>> Length: 167193685 (159M) [application/zip] > >>> Saving to: ‘incubating-netbeans-java-9.0-beta-bin.zip’ > >>> > >>> incubating-netbeans-java-9.0-beta-bin 100%[========================= > >>> ==============================================>] 159.45M 8.14MB/s > >>> in 31s > >>> > >>> 2018-03-07 18:42:12 (5.22 MB/s) - ‘incubating-netbeans-java-9.0- > beta-bin.zip’ > >>> saved [167193685/167193685] > >>> > >>> leo@vmw01:~$ *gpg --import KEYS* > >>> gpg: key B4C1940FEA9364F1: public key "Jan Lahoda (Key for signing > >>> Apache NetBeans & co. releases.) <[email protected]>" imported > >>> gpg: key 13E9F7AE3A4FD551: public key "[email protected] (Key for > >>> signing Apache NetBeans & co. releases.) <[email protected]>" > imported > >>> gpg: Total number processed: 2 > >>> gpg: imported: 2 > >>> leo@vmw01:~$ *gpg --verify > >>> incubating-netbeans-java-9.0-beta-bin.zip.asc > >>> incubating-netbeans-java-9.0-beta-bin.zip* > >>> gpg: Signature made Wed 10 Jan 2018 03:41:31 PM MST > >>> gpg: using RSA key B4C1940FEA9364F1 > >>> gpg: BAD signature from "Jan Lahoda (Key for signing Apache NetBeans & > >>> co. releases.) <[email protected]>" [unknown] > >>> leo@vmw01:~$ > >>> > >>> > >>> On Wed, Mar 7, 2018 at 5:00 PM, John McDonnell < > [email protected] > >>> > wrote: > >>> > >>>> I got something slightly different... > >>>> > >>>> I have a good signature when verifying the .asc file, but when I do an > >>>> md5 or sha1 check on the zip file I get different results as to whats > >>>> currently on the website: > >>>> > >>>> Johns-MacBook-Pro-2:netbeans_sig_test john$ wget > >>>> https://dist.apache.org/repos/dist/dev/incubator/netbeans/in > >>>> cubating-netbeans-java/incubating-9.0-beta-rc3/incubating-ne > >>>> tbeans-java-9.0-beta-bin.zip > >>>> --2018-03-07 23:48:01-- https://dist.apache.org/repos/ > >>>> dist/dev/incubator/netbeans/incubating-netbeans-java/incubat > >>>> ing-9.0-beta-rc3/incubating-netbeans-java-9.0-beta-bin.zip > >>>> Resolving dist.apache.org... 209.188.14.144 > >>>> Connecting to dist.apache.org|209.188.14.144|:443... connected. > >>>> HTTP request sent, awaiting response... 200 OK > >>>> Length: 167193685 (159M) [application/octet-stream] > >>>> Saving to: 'incubating-netbeans-java-9.0-beta-bin.zip' > >>>> > >>>> incubating-netbeans-java-9.0-beta-bin.zip > >>>> 100%[======================================================= > >>>> =========================================================>] 159.45M > >>>> 2.61MB/s in 57s > >>>> > >>>> 2018-03-07 23:48:58 (2.80 MB/s) - 'incubating-netbeans-java-9.0- > beta-bin.zip' > >>>> saved [167193685/167193685] > >>>> > >>>> Johns-MacBook-Pro-2:netbeans_sig_test john$ wget > >>>> https://dist.apache.org/repos/dist/dev/incubator/netbeans/in > >>>> cubating-netbeans-java/incubating-9.0-beta-rc3/incubating-ne > >>>> tbeans-java-9.0-beta-bin.zip.asc > >>>> --2018-03-07 23:49:49-- https://dist.apache.org/repos/ > >>>> dist/dev/incubator/netbeans/incubating-netbeans-java/incubat > >>>> ing-9.0-beta-rc3/incubating-netbeans-java-9.0-beta-bin.zip.asc > >>>> Resolving dist.apache.org... 209.188.14.144 > >>>> Connecting to dist.apache.org|209.188.14.144|:443... connected. > >>>> HTTP request sent, awaiting response... 200 OK > >>>> Length: 833 [text/plain] > >>>> Saving to: 'incubating-netbeans-java-9.0-beta-bin.zip.asc' > >>>> > >>>> incubating-netbeans-java-9.0-beta-bin.zip.asc > >>>> 100%[======================================================= > >>>> =========================================================>] 833 > >>>> --.-KB/s in 0s > >>>> > >>>> 2018-03-07 23:49:49 (18.9 MB/s) - 'incubating-netbeans-java-9.0- > beta-bin.zip.asc' > >>>> saved [833/833] > >>>> > >>>> Johns-MacBook-Pro-2:netbeans_sig_test john$ gpg --verify > >>>> incubating-netbeans-java-9.0-beta-bin.zip.asc > >>>> incubating-netbeans-java-9.0-beta-bin.zip > >>>> gpg: Signature made Sun 4 Feb 13:57:10 2018 GMT > >>>> gpg: using RSA key 51B0E375B4941714A809F90E13E9F7 > >>>> AE3A4FD551 > >>>> gpg: Good signature from "[email protected] (Key for signing Apache > >>>> NetBeans & co. releases.) <[email protected]>" [unknown] > >>>> gpg: WARNING: This key is not certified with a trusted signature! > >>>> gpg: There is no indication that the signature belongs to the > >>>> owner. > >>>> Primary key fingerprint: 51B0 E375 B494 1714 A809 F90E 13E9 F7AE 3A4F > >>>> D551 > >>>> > >>>> Johns-MacBook-Pro-2:netbeans_sig_test john$ md5 > >>>> incubating-netbeans-java-9.0-beta-bin.zip > >>>> MD5 (incubating-netbeans-java-9.0-beta-bin.zip) = > >>>> 05d71d0e2a9360b3402c6068425773db > >>>> Johns-MacBook-Pro-2:netbeans_sig_test john$ shasum > >>>> incubating-netbeans-java-9.0-beta-bin.zip > >>>> 0e9dbf7f70ceacf5b86b8e0ec1ea80b26d93293b > >>>> incubating-netbeans-java-9.0-beta-bin.zip > >>>> > >>>> Regards > >>>> > >>>> John > >>>> > >>>> On 7 March 2018 at 23:12, Geertjan Wielenga < > >>>> [email protected]> wrote: > >>>> > >>>>> Would be good if someone would verify this -- when I look at the VOTE > >>>>> thread, the source signatures have been verified: > >>>>> > >>>>> https://lists.apache.org/thread.html/859cbc7d2f4631983e48e24 > >>>>> e7c1053439cbebfee133cc9b3745046b4@%3Cdev.netbeans.apache.org%3E > >>>>> > >>>>> However, quite possibly the convenience binary signature has been > >>>>> checked -- since Apache releases source code and not binaries, which > are > >>>>> optionally included for convenience only. > >>>>> > >>>>> Gj > >>>>> > >>>>> On Wed, Mar 7, 2018 at 11:48 PM, Leo Donahue <[email protected]> > >>>>> wrote: > >>>>> > >>>>>> Hi, > >>>>>> > >>>>>> Is this the right list for this question? > >>>>>> > >>>>>> I'm trying to verify the PGP ASC and KEY file but I get a bad > >>>>>> signature message. > >>>>>> > >>>>>> I'm here: https://netbeans.apache.org/download/nb90/nb90-beta.html > >>>>>> > >>>>>> In Terminal: > >>>>>> wget https://dist.apache.org/repos/dist/dev/incubator/netbeans/in > >>>>>> cubating-netbeans-java/incubating-9.0-beta/incubating-netbea > >>>>>> ns-java-9.0-beta-bin.zip.asc > >>>>>> > >>>>>> wget https://dist.apache.org/repos/dist/release/incubator/netbean > >>>>>> s/KEYS > >>>>>> > >>>>>> pgp --import KEYS > >>>>>> > >>>>>> gpg --verify incubating-netbeans-java-9.0-beta-bin.zip.asc > >>>>>> Downloads/incubating-netbeans-java-9.0-beta-bin.zip > >>>>>> > >>>>>> > >>>>>> output: > >>>>>> > >>>>>> gpg: Signature made Wed 10 Jan 2018 03:41:31 PM MST > >>>>>> gpg: using RSA key B4C1940FEA9364F1 > >>>>>> gpg: BAD signature from "Jan Lahoda (Key for signing Apache NetBeans > >>>>>> & co. releases.) <[email protected]>" [unknown] > >>>>>> > >>>>>> What did I forget to do? > >>>>>> > >>>>> > >>>>> > >>>> > >>> > >> > > >
