Hi all,
José Rodriguez from the users mailing list notes that the
"incubating-netbeans-java-9.0-beta-bin.zip" files from [1]
(dist.apache.org) and [2] (http://www-eu.apache.org) have different MD5
signatures.
A quick review shows that the files are indeed different:
"dist" zip file ([1]):
- File timestamps 2018 jan 10
- No "licenses" directory
- LICENSE file is 57kb
"eu zip" file ([2]), also downloaded from the Apache mirror system:
- File timestamps 2018 feb 02
- "licenses" directory
- LICENSE file is 245,1 kb
I think the one being distributed through the mirror system is the
proper one, isn't it? Also I thought that the file hosted at "dist" was
automatically distributed to mirrors, wasn't it?
I don't think we should raise a ticket against Apache security, should we?
Cheers,
Antonio
[1]
https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta/incubating-netbeans-java-9.0-beta-bin.zip
[2]
http://www-eu.apache.org/dist/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta/incubating-netbeans-java-9.0-beta-bin.zip
On 08/03/18 20:21, John McDonnell wrote:
Apologies for the spam, cross posting to dev.
@Antonio, do you know if the link on the website for NetBeans 9.0 Beta
is correct? Looking at this thread, the signature doesn't match the
RC3.0 thread we voted on. If we have a small typo we should try to
catch this early in the NetCat phase.
Regards
John
On 8 March 2018 at 07:47, John McDonnell <[email protected]> wrote:
Hi Leo,
I didn't import the keys, as I had previously done this step...
But I'm looking at a different file than you:
https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta/incubating-netbeans-java-9.0-beta-bin.zip (you)
https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta-rc3/incubating-netbeans-java-9.0-beta-bin.zip (me)
@Geertjan, the vote thread you referenced earlier, we voted on the
link I used - and got a good signature, so I think that's okay. But
the website points to a different URL (The one Leo checked). I
suspect that the website is using the wrong URL, but before I jump
to that conclusion, just curious after the successful vote would you
have moved the artefact to the location on the website?
Regards
John
On 8 March 2018 at 01:50, Leo Donahue <[email protected]> wrote:
Hi John,
I noticed that you didn't issue: gpg --import KEYS
I tried again, using wget to download the binary zip file, same
result. I have also tried different mirrors. I guess I will
just build from source, I was just being lazy.
(The --list-keys command illustrates I don't already have the
KEYS file imported)
leo@vmw01:~$ gpg --list-keys
leo@vmw01:~$ wget https://dist.apache.org/repos/dist/release/incubator/netbeans/KEYS
--2018-03-07 18:40:53--  https://dist.apache.org/repos/dist/release/incubator/netbeans/KEYS
Resolving dist.apache.org (dist.apache.org)... 209.188.14.144
Connecting to dist.apache.org (dist.apache.org)|209.188.14.144|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7594 (7.4K) [text/plain]
Saving to: ‘KEYS’
KEYS 100%[=======================================================================>] 7.42K --.-KB/s in 0s
2018-03-07 18:40:54 (42.0 MB/s) - ‘KEYS’ saved [7594/7594]
leo@vmw01:~$ wget https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta/incubating-netbeans-java-9.0-beta-bin.zip.asc
--2018-03-07 18:41:11--  https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta/incubating-netbeans-java-9.0-beta-bin.zip.asc
Resolving dist.apache.org (dist.apache.org)... 209.188.14.144
Connecting to dist.apache.org (dist.apache.org)|209.188.14.144|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 819 [text/plain]
Saving to: ‘incubating-netbeans-java-9.0-beta-bin.zip.asc’
incubating-netbeans-java-9.0-beta-bin 100%[=======================================================================>] 819 --.-KB/s in 0s
2018-03-07 18:41:11 (16.4 MB/s) - ‘incubating-netbeans-java-9.0-beta-bin.zip.asc’ saved [819/819]
leo@vmw01:~$ wget http://apache.cs.utah.edu/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta/incubating-netbeans-java-9.0-beta-bin.zip
--2018-03-07 18:41:41--  http://apache.cs.utah.edu/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta/incubating-netbeans-java-9.0-beta-bin.zip
Resolving apache.cs.utah.edu (apache.cs.utah.edu)... 155.98.64.87
Connecting to apache.cs.utah.edu (apache.cs.utah.edu)|155.98.64.87|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 167193685 (159M) [application/zip]
Saving to: ‘incubating-netbeans-java-9.0-beta-bin.zip’
incubating-netbeans-java-9.0-beta-bin 100%[=======================================================================>] 159.45M 8.14MB/s in 31s
2018-03-07 18:42:12 (5.22 MB/s) - ‘incubating-netbeans-java-9.0-beta-bin.zip’ saved [167193685/167193685]
leo@vmw01:~$ gpg --import KEYS
gpg: key B4C1940FEA9364F1: public key "Jan Lahoda (Key for signing Apache NetBeans & co. releases.) <[email protected]>" imported
gpg: key 13E9F7AE3A4FD551: public key "[email protected] (Key for signing Apache NetBeans & co. releases.) <[email protected]>" imported
gpg: Total number processed: 2
gpg: imported: 2
leo@vmw01:~$ gpg --verify incubating-netbeans-java-9.0-beta-bin.zip.asc incubating-netbeans-java-9.0-beta-bin.zip
gpg: Signature made Wed 10 Jan 2018 03:41:31 PM MST
gpg: using RSA key B4C1940FEA9364F1
gpg: BAD signature from "Jan Lahoda (Key for signing Apache NetBeans & co. releases.) <[email protected]>" [unknown]
leo@vmw01:~$
On Wed, Mar 7, 2018 at 5:00 PM, John McDonnell <[email protected]> wrote:
I got something slightly different...
I have a good signature when verifying the .asc file, but
when I do an md5 or sha1 check on the zip file I get
different results as to what's currently on the website:
Johns-MacBook-Pro-2:netbeans_sig_test john$ wget https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta-rc3/incubating-netbeans-java-9.0-beta-bin.zip
--2018-03-07 23:48:01--  https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta-rc3/incubating-netbeans-java-9.0-beta-bin.zip
Resolving dist.apache.org... 209.188.14.144
Connecting to dist.apache.org|209.188.14.144|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 167193685 (159M) [application/octet-stream]
Saving to: 'incubating-netbeans-java-9.0-beta-bin.zip'
incubating-netbeans-java-9.0-beta-bin.zip 100%[================================================================================================================>] 159.45M 2.61MB/s in 57s
2018-03-07 23:48:58 (2.80 MB/s) - 'incubating-netbeans-java-9.0-beta-bin.zip' saved [167193685/167193685]
Johns-MacBook-Pro-2:netbeans_sig_test john$ wget https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta-rc3/incubating-netbeans-java-9.0-beta-bin.zip.asc
--2018-03-07 23:49:49--  https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta-rc3/incubating-netbeans-java-9.0-beta-bin.zip.asc
Resolving dist.apache.org... 209.188.14.144
Connecting to dist.apache.org|209.188.14.144|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 833 [text/plain]
Saving to: 'incubating-netbeans-java-9.0-beta-bin.zip.asc'
incubating-netbeans-java-9.0-beta-bin.zip.asc 100%[================================================================================================================>] 833 --.-KB/s in 0s
2018-03-07 23:49:49 (18.9 MB/s) - 'incubating-netbeans-java-9.0-beta-bin.zip.asc' saved [833/833]
Johns-MacBook-Pro-2:netbeans_sig_test john$ gpg --verify incubating-netbeans-java-9.0-beta-bin.zip.asc incubating-netbeans-java-9.0-beta-bin.zip
gpg: Signature made Sun 4 Feb 13:57:10 2018 GMT
gpg: using RSA key 51B0E375B4941714A809F90E13E9F7AE3A4FD551
gpg: Good signature from "[email protected] (Key for signing Apache NetBeans & co. releases.) <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 51B0 E375 B494 1714 A809 F90E 13E9 F7AE 3A4F D551
Johns-MacBook-Pro-2:netbeans_sig_test john$ md5 incubating-netbeans-java-9.0-beta-bin.zip
MD5 (incubating-netbeans-java-9.0-beta-bin.zip) = 05d71d0e2a9360b3402c6068425773db
Johns-MacBook-Pro-2:netbeans_sig_test john$ shasum incubating-netbeans-java-9.0-beta-bin.zip
0e9dbf7f70ceacf5b86b8e0ec1ea80b26d93293b  incubating-netbeans-java-9.0-beta-bin.zip
Regards
John
On 7 March 2018 at 23:12, Geertjan Wielenga <[email protected]> wrote:
Would be good if someone would verify this -- when I
look at the VOTE thread, the source signatures have been
verified:
https://lists.apache.org/thread.html/859cbc7d2f4631983e48e24e7c1053439cbebfee133cc9b3745046b4@%3Cdev.netbeans.apache.org%3E
However, quite possibly the convenience binary signature
has been checked -- since Apache releases source code
and not binaries, which are optionally included for
convenience only.
Gj
On Wed, Mar 7, 2018 at 11:48 PM, Leo Donahue <[email protected]> wrote:
Hi,
Is this the right list for this question?
I'm trying to verify the PGP ASC and KEY file but I
get a bad signature message.
I'm here:
https://netbeans.apache.org/download/nb90/nb90-beta.html
In Terminal:
wget https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta/incubating-netbeans-java-9.0-beta-bin.zip.asc
wget https://dist.apache.org/repos/dist/release/incubator/netbeans/KEYS
pgp --import KEYS
gpg --verify incubating-netbeans-java-9.0-beta-bin.zip.asc Downloads/incubating-netbeans-java-9.0-beta-bin.zip
output:
gpg: Signature made Wed 10 Jan 2018 03:41:31 PM MST
gpg: using RSA key B4C1940FEA9364F1
gpg: BAD signature from "Jan Lahoda (Key for signing Apache NetBeans & co. releases.) <[email protected]>" [unknown]
What did I forget to do?
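A helper in the spirit of the steps Leo and John ran above (an added example, not code from the thread or from the NetBeans project): it compares two downloaded copies of the same artifact, such as the dist.apache.org and mirror copies Antonio describes, and verifies the detached .asc against an isolated keyring built only from the project KEYS file, accepting the signature only when gpg reports VALIDSIG with the expected primary-key fingerprint rather than any "Good signature". It assumes GNU coreutils (sha1sum, wc) and gpg on PATH; the fingerprint argument is whatever a reviewer took from the KEYS file or the vote thread.

```shell
#!/bin/sh
# Added example (not from the thread): compare two downloaded copies of a
# release artifact and verify its detached PGP signature with a clean keyring.
# Assumes GNU coreutils (sha1sum, wc) and gpg on PATH.

# Size in bytes and SHA-1 of a file (the digest John computed with shasum).
fingerprint_file() {
    printf '%s %s\n' "$(wc -c < "$1" | tr -d ' ')" "$(sha1sum "$1" | cut -d' ' -f1)"
}

# Exit 0 when the two copies are byte-identical, 1 when they differ.
# Different sizes or digests under the same filename is the symptom seen in
# the thread (dist copy vs. mirror copy): at most one of them can match the
# .asc that was voted on.
compare_copies() {
    a=$(fingerprint_file "$1") || return 2
    b=$(fingerprint_file "$2") || return 2
    printf 'copy 1: %s\ncopy 2: %s\n' "$a" "$b"
    [ "$a" = "$b" ]
}

# verify_release_sig EXPECTED_PRIMARY_FPR KEYS_FILE SIG_FILE ARTIFACT
# Imports KEYS into a throwaway GNUPGHOME so the result does not depend on
# whatever is already in ~/.gnupg, then parses gpg's machine-readable status
# lines instead of its human-oriented text. Only a VALIDSIG line whose
# primary-key fingerprint (last field) equals EXPECTED_PRIMARY_FPR counts;
# BAD signature, or a good signature from a key not in KEYS, returns 1.
verify_release_sig() {
    want=$1; keys=$2; sig=$3; artifact=$4
    home=$(mktemp -d) || return 2
    GNUPGHOME=$home gpg --batch --quiet --import "$keys" 2>/dev/null || { rm -rf "$home"; return 2; }
    # gpg exits non-zero on a bad signature; the status lines are what we judge by.
    status=$(GNUPGHOME=$home gpg --batch --status-fd 1 --verify "$sig" "$artifact" 2>/dev/null) || true
    rm -rf "$home"
    printf '%s\n' "$status" | awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && $NF == want { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Usage: sh verify.sh COPY1 COPY2                 (compare two downloads)
#        sh verify.sh FPR KEYS SIG ARTIFACT        (verify one download)
if [ $# -eq 2 ]; then compare_copies "$1" "$2"
elif [ $# -eq 4 ]; then verify_release_sig "$1" "$2" "$3" "$4" && echo "VALIDSIG from expected key"
fi
```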
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
For further information about the NetBeans mailing lists, visit:
https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists