Yes, I think we need to sort out what's going on here. Though if it turns out there's a problem with the signing of the Beta, I think that means we need to be all the more careful and really verify everything in that regard (maybe have a dedicated signature verification team) for the final release.
Gj

On Thu, Mar 8, 2018 at 8:21 PM, John McDonnell <mcdonnell.j...@gmail.com> wrote:

> Apologies for the spam, cross posting to dev.
>
> @Antonio, do you know if the link on the website for NetBeans 9.0 Beta is
> correct? Looking at this thread, the signature doesn't match the RC3.0
> thread we voted on. If we have a small typo we should try to catch this
> early in the NetCat phase.
>
> Regards
>
> John
>
>
> On 8 March 2018 at 07:47, John McDonnell <mcdonnell.j...@gmail.com> wrote:
>
>> Hi Leo,
>>
>> I didn't import the keys, as I had previously done this step...
>>
>> But
>>
>> I'm looking at a different file than you:
>> https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta/incubating-netbeans-java-9.0-beta-bin.zip (you)
>> https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta-rc3/incubating-netbeans-java-9.0-beta-bin.zip (me)
>>
>> @Geertjan, the vote thread you referenced earlier, we voted on the link I
>> used - and got a good signature, so I think that's okay. But the website
>> points to a different URL (The one Leo checked). I suspect that the
>> website is using the wrong URL, but before I jump to that conclusion, just
>> curious after the successful vote would you have moved the artefact to
>> the location on the website?
>>
>> Regards
>>
>> John
>>
>>
>> On 8 March 2018 at 01:50, Leo Donahue <donahu...@gmail.com> wrote:
>>
>>> Hi John,
>>>
>>> I noticed that you didn't issue: gpg --import KEYS
>>>
>>> I tried again, using wget to download the binary zip file, same result.
>>> I have also tried different mirrors. I guess I will just build from
>>> source, I was just being lazy.
>>>
>>> (The --list-keys command illustrates I don't already have the KEYS file
>>> imported)
>>>
>>> leo@vmw01:~$ gpg --list-keys
>>> leo@vmw01:~$ wget https://dist.apache.org/repos/dist/release/incubator/netbeans/KEYS
>>> --2018-03-07 18:40:53-- https://dist.apache.org/repos/dist/release/incubator/netbeans/KEYS
>>> Resolving dist.apache.org (dist.apache.org)... 209.188.14.144
>>> Connecting to dist.apache.org (dist.apache.org)|209.188.14.144|:443... connected.
>>> HTTP request sent, awaiting response... 200 OK
>>> Length: 7594 (7.4K) [text/plain]
>>> Saving to: ‘KEYS’
>>>
>>> KEYS 100%[=======================================================================>] 7.42K --.-KB/s in 0s
>>>
>>> 2018-03-07 18:40:54 (42.0 MB/s) - ‘KEYS’ saved [7594/7594]
>>>
>>> leo@vmw01:~$ wget https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta/incubating-netbeans-java-9.0-beta-bin.zip.asc
>>> --2018-03-07 18:41:11-- https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta/incubating-netbeans-java-9.0-beta-bin.zip.asc
>>> Resolving dist.apache.org (dist.apache.org)... 209.188.14.144
>>> Connecting to dist.apache.org (dist.apache.org)|209.188.14.144|:443... connected.
>>> HTTP request sent, awaiting response... 200 OK
>>> Length: 819 [text/plain]
>>> Saving to: ‘incubating-netbeans-java-9.0-beta-bin.zip.asc’
>>>
>>> incubating-netbeans-java-9.0-beta-bin 100%[=======================================================================>] 819 --.-KB/s in 0s
>>>
>>> 2018-03-07 18:41:11 (16.4 MB/s) - ‘incubating-netbeans-java-9.0-beta-bin.zip.asc’ saved [819/819]
>>>
>>> leo@vmw01:~$ wget http://apache.cs.utah.edu/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta/incubating-netbeans-java-9.0-beta-bin.zip
>>> --2018-03-07 18:41:41-- http://apache.cs.utah.edu/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta/incubating-netbeans-java-9.0-beta-bin.zip
>>> Resolving apache.cs.utah.edu (apache.cs.utah.edu)... 155.98.64.87
>>> Connecting to apache.cs.utah.edu (apache.cs.utah.edu)|155.98.64.87|:80... connected.
>>> HTTP request sent, awaiting response... 200 OK
>>> Length: 167193685 (159M) [application/zip]
>>> Saving to: ‘incubating-netbeans-java-9.0-beta-bin.zip’
>>>
>>> incubating-netbeans-java-9.0-beta-bin 100%[=======================================================================>] 159.45M 8.14MB/s in 31s
>>>
>>> 2018-03-07 18:42:12 (5.22 MB/s) - ‘incubating-netbeans-java-9.0-beta-bin.zip’ saved [167193685/167193685]
>>>
>>> leo@vmw01:~$ gpg --import KEYS
>>> gpg: key B4C1940FEA9364F1: public key "Jan Lahoda (Key for signing Apache NetBeans & co. releases.) <jlah...@apache.org>" imported
>>> gpg: key 13E9F7AE3A4FD551: public key "geert...@apache.org (Key for signing Apache NetBeans & co. releases.) <geert...@apache.org>" imported
>>> gpg: Total number processed: 2
>>> gpg: imported: 2
>>> leo@vmw01:~$ gpg --verify incubating-netbeans-java-9.0-beta-bin.zip.asc incubating-netbeans-java-9.0-beta-bin.zip
>>> gpg: Signature made Wed 10 Jan 2018 03:41:31 PM MST
>>> gpg: using RSA key B4C1940FEA9364F1
>>> gpg: BAD signature from "Jan Lahoda (Key for signing Apache NetBeans & co. releases.) <jlah...@apache.org>" [unknown]
>>> leo@vmw01:~$
>>>
>>>
>>> On Wed, Mar 7, 2018 at 5:00 PM, John McDonnell <mcdonnell.j...@gmail.com> wrote:
>>>
>>>> I got something slightly different...
>>>>
>>>> I have a good signature when verifying the .asc file, but when I do an
>>>> md5 or sha1 check on the zip file I get different results as to what's
>>>> currently on the website:
>>>>
>>>> Johns-MacBook-Pro-2:netbeans_sig_test john$ wget https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta-rc3/incubating-netbeans-java-9.0-beta-bin.zip
>>>> --2018-03-07 23:48:01-- https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta-rc3/incubating-netbeans-java-9.0-beta-bin.zip
>>>> Resolving dist.apache.org... 209.188.14.144
>>>> Connecting to dist.apache.org|209.188.14.144|:443... connected.
>>>> HTTP request sent, awaiting response... 200 OK
>>>> Length: 167193685 (159M) [application/octet-stream]
>>>> Saving to: 'incubating-netbeans-java-9.0-beta-bin.zip'
>>>>
>>>> incubating-netbeans-java-9.0-beta-bin.zip 100%[================================================================================================================>] 159.45M 2.61MB/s in 57s
>>>>
>>>> 2018-03-07 23:48:58 (2.80 MB/s) - 'incubating-netbeans-java-9.0-beta-bin.zip' saved [167193685/167193685]
>>>>
>>>> Johns-MacBook-Pro-2:netbeans_sig_test john$ wget https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta-rc3/incubating-netbeans-java-9.0-beta-bin.zip.asc
>>>> --2018-03-07 23:49:49-- https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta-rc3/incubating-netbeans-java-9.0-beta-bin.zip.asc
>>>> Resolving dist.apache.org... 209.188.14.144
>>>> Connecting to dist.apache.org|209.188.14.144|:443... connected.
>>>> HTTP request sent, awaiting response... 200 OK
>>>> Length: 833 [text/plain]
>>>> Saving to: 'incubating-netbeans-java-9.0-beta-bin.zip.asc'
>>>>
>>>> incubating-netbeans-java-9.0-beta-bin.zip.asc 100%[================================================================================================================>] 833 --.-KB/s in 0s
>>>>
>>>> 2018-03-07 23:49:49 (18.9 MB/s) - 'incubating-netbeans-java-9.0-beta-bin.zip.asc' saved [833/833]
>>>>
>>>> Johns-MacBook-Pro-2:netbeans_sig_test john$ gpg --verify incubating-netbeans-java-9.0-beta-bin.zip.asc incubating-netbeans-java-9.0-beta-bin.zip
>>>> gpg: Signature made Sun 4 Feb 13:57:10 2018 GMT
>>>> gpg: using RSA key 51B0E375B4941714A809F90E13E9F7AE3A4FD551
>>>> gpg: Good signature from "geert...@apache.org (Key for signing Apache NetBeans & co. releases.) <geert...@apache.org>" [unknown]
>>>> gpg: WARNING: This key is not certified with a trusted signature!
>>>> gpg: There is no indication that the signature belongs to the owner.
>>>> Primary key fingerprint: 51B0 E375 B494 1714 A809 F90E 13E9 F7AE 3A4F D551
>>>>
>>>> Johns-MacBook-Pro-2:netbeans_sig_test john$ md5 incubating-netbeans-java-9.0-beta-bin.zip
>>>> MD5 (incubating-netbeans-java-9.0-beta-bin.zip) = 05d71d0e2a9360b3402c6068425773db
>>>> Johns-MacBook-Pro-2:netbeans_sig_test john$ shasum incubating-netbeans-java-9.0-beta-bin.zip
>>>> 0e9dbf7f70ceacf5b86b8e0ec1ea80b26d93293b incubating-netbeans-java-9.0-beta-bin.zip
>>>>
>>>> Regards
>>>>
>>>> John
>>>>
>>>> On 7 March 2018 at 23:12, Geertjan Wielenga <geertjan.wiele...@googlemail.com> wrote:
>>>>
>>>>> Would be good if someone would verify this -- when I look at the VOTE
>>>>> thread, the source signatures have been verified:
>>>>>
>>>>> https://lists.apache.org/thread.html/859cbc7d2f4631983e48e24e7c1053439cbebfee133cc9b3745046b4@%3Cdev.netbeans.apache.org%3E
>>>>>
>>>>> However, quite possibly the convenience binary signature has been
>>>>> checked -- since Apache releases source code and not binaries, which are
>>>>> optionally included for convenience only.
>>>>>
>>>>> Gj
>>>>>
>>>>> On Wed, Mar 7, 2018 at 11:48 PM, Leo Donahue <donahu...@gmail.com> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> Is this the right list for this question?
>>>>>>
>>>>>> I'm trying to verify the PGP ASC and KEY file but I get a bad
>>>>>> signature message.
>>>>>>
>>>>>> I'm here: https://netbeans.apache.org/download/nb90/nb90-beta.html
>>>>>>
>>>>>> In Terminal:
>>>>>> wget https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta/incubating-netbeans-java-9.0-beta-bin.zip.asc
>>>>>>
>>>>>> wget https://dist.apache.org/repos/dist/release/incubator/netbeans/KEYS
>>>>>>
>>>>>> pgp --import KEYS
>>>>>>
>>>>>> gpg --verify incubating-netbeans-java-9.0-beta-bin.zip.asc Downloads/incubating-netbeans-java-9.0-beta-bin.zip
>>>>>>
>>>>>>
>>>>>> output:
>>>>>>
>>>>>> gpg: Signature made Wed 10 Jan 2018 03:41:31 PM MST
>>>>>> gpg: using RSA key B4C1940FEA9364F1
>>>>>> gpg: BAD signature from "Jan Lahoda (Key for signing Apache NetBeans & co. releases.) <jlah...@apache.org>" [unknown]
>>>>>>
>>>>>> What did I forget to do?
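
The manual checks in this thread (gpg --import KEYS, then gpg --verify) can be scripted so that the verdict comes from gpg's machine-readable status lines and a pinned signer fingerprint instead of the console text. This is an added example, not code from the thread or from the NetBeans project; the function names and sample status lines are constructed, and only the key ID and fingerprint values are taken from the output quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): decide from gpg --status-fd output.

# classify_status EXPECTED_FPR   (reads "[GNUPG:] ..." status lines on stdin)
# Prints OK, BAD_SIGNATURE, UNCHECKED, WRONG_SIGNER or NO_SIGNATURE.
classify_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG"   { bad = 1 }        # data does not match the signature
        $2 == "ERRSIG"   { unchecked = 1 }  # e.g. signer key not in the keyring
        $2 == "GOODSIG"  { good = 1 }
        # VALIDSIG: field 3 is the signing key fingerprint, the last field
        # is the primary key fingerprint. Compare as strings.
        $2 == "VALIDSIG" { if (($3 "") == (want "") || ($NF "") == (want "")) pinned = 1 }
        END {
            if (bad)            print "BAD_SIGNATURE"
            else if (unchecked) print "UNCHECKED"
            else if (!good)     print "NO_SIGNATURE"
            else if (!pinned)   print "WRONG_SIGNER"
            else                print "OK"
        }'
}

# verify_release KEYS_FILE SIG_FILE DATA_FILE EXPECTED_FPR
# Imports KEYS into a throwaway keyring so keys already on the machine
# cannot influence the result.
verify_release() {
    home=$(mktemp -d) || return 2
    gpg --homedir "$home" --batch --quiet --import "$1" 2>/dev/null
    verdict=$(gpg --homedir "$home" --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null |
        classify_status "$4")
    rm -rf "$home"
    echo "$verdict"
    [ "$verdict" = OK ]
}

# Constructed status output modelled on the two results in the thread.
sample_good() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 13E9F7AE3A4FD551 release signer (constructed uid)
[GNUPG:] VALIDSIG 51B0E375B4941714A809F90E13E9F7AE3A4FD551 2018-02-04 1517752630 0 4 0 1 8 00 51B0E375B4941714A809F90E13E9F7AE3A4FD551
[GNUPG:] TRUST_UNDEFINED 0 pgp
EOF
}
sample_bad() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] BADSIG B4C1940FEA9364F1 release signer (constructed uid)
EOF
}
```

TRUST_UNDEFINED is the status form of the "not certified with a trusted signature" warning; pinning a fingerprint obtained from a channel other than the download page is what settles who the signer is.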