I can't find a document explaining what dist.apache.org is.

It seems to be the "staging area" for the binaries.

My guess is that somebody fumbled a command from this huge list of steps 
https://cwiki.apache.org/confluence/display/NETBEANS/Apache+NetBeans+Release+README

I don't believe we need to involve the security team until we dismiss a typo.

--emi

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐

On 8 March 2018 11:57 PM, Antonio <anto...@vieiro.net> wrote:

> Hi all,
>
> José Rodriguez from the users mailing list notes that the
> "incubating-netbeans-java-9.0-beta-bin.zip" files from [1]
> (dist.apache.org) and [2] (http://www-eu.apache.org) have different MD5
> signatures.
>
> A quick review shows that the files are indeed different:
>
> "dist" zip file ([1])::
>
> -   File timestamps 2018 jan 10
> -   No "licenses" directory
> -   LICENSE file is 57kb
>
> "eu zip" file ([2]) also downloaded from the Apache mirror system::
>
> -   File timestamps 2018 feb 02
> -   "licenses" directory
> -   LICENSE file is 245,1 kb
>
> I think the one being distributed through the mirror system is the
> proper one, isn't it? Also I thought that the file hosted at "dist" was
> automatically distributed to mirrors, wasn't it?
>
> I don't think we should raise a ticket against Apache security, should we?
>
> Cheers,
>
> Antonio
>
> [1]
> https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta/incubating-netbeans-java-9.0-beta-bin.zip
>
> [2]
> http://www-eu.apache.org/dist/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta/incubating-netbeans-java-9.0-beta-bin.zip
>
> On 08/03/18 20:21, John McDonnell wrote:
>
> > Apologies for the spam, cross posting to dev.
> >
> > @Antonio, do you know if the link on the website for NetBeans 9.0 Beta
> > is correct?  Looking at this thread, the signature doesn't match the
> > RC3.0 thread we voted on.  If we have a small typo we should try to
> > catch this early in the NetCat phase.
> >
> > Regards
> >
> > John
> >
> > On 8 March 2018 at 07:47, John McDonnell <mcdonnell.j...@gmail.com> wrote:
> > 
> >     Hi Leo,
> >
> >     I didn't import the keys, as I had previously done this step...
> >
> >     But I'm looking at a different file than you:
> >
> >     https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta/incubating-netbeans-java-9.0-beta-bin.zip (you)
> >
> >     https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta-rc3/incubating-netbeans-java-9.0-beta-bin.zip (me)
> >
> >     @Geertjan, the vote thread you referenced earlier, we voted on the
> >     link I used - and got a good signature, so I think that's okay.  But
> >     the website points to a different URL (The one Leo checked).  I
> >     suspect that the website is using the wrong URL, but before I jump
> >     to that conclusion, just curious after the successful vote would you
> >     have moved the artefact to the location on the website?
> >
> >     Regards
> >
> >     John
> >
> >
> >     On 8 March 2018 at 01:50, Leo Donahue <donahu...@gmail.com> wrote:
> >     
> >         Hi John,
> >     
> >         I noticed that you didn't issue:  gpg --import KEYS
> >     
> >         I tried again, using wget to download the binary zip file, same
> >         result.  I have also tried different mirrors.  I guess I will
> >         just build from source, I was just being lazy.
> >     
> >         (The --list-keys command illustrates I don't already have the
> >         KEYS file imported)
> >     
> >         leo@vmw01:~$ gpg --list-keys
> >         leo@vmw01:~$ wget https://dist.apache.org/repos/dist/release/incubator/netbeans/KEYS
> >         --2018-03-07 18:40:53--  https://dist.apache.org/repos/dist/release/incubator/netbeans/KEYS
> >         Resolving dist.apache.org (dist.apache.org)... 209.188.14.144
> >         Connecting to dist.apache.org (dist.apache.org)|209.188.14.144|:443... connected.
> >         HTTP request sent, awaiting response... 200 OK
> >         Length: 7594 (7.4K) [text/plain]
> >         Saving to: ‘KEYS’
> >
> >         KEYS  100%[=======================================================================>]  7.42K  --.-KB/s    in 0s
> >
> >         2018-03-07 18:40:54 (42.0 MB/s) - ‘KEYS’ saved [7594/7594]
> >
> >         leo@vmw01:~$ wget https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta/incubating-netbeans-java-9.0-beta-bin.zip.asc
> >         --2018-03-07 18:41:11--  https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta/incubating-netbeans-java-9.0-beta-bin.zip.asc
> >         Resolving dist.apache.org (dist.apache.org)... 209.188.14.144
> >         Connecting to dist.apache.org (dist.apache.org)|209.188.14.144|:443... connected.
> >         HTTP request sent, awaiting response... 200 OK
> >         Length: 819 [text/plain]
> >         Saving to: ‘incubating-netbeans-java-9.0-beta-bin.zip.asc’
> >
> >         incubating-netbeans-java-9.0-beta-bin  100%[=======================================================================>]  819  --.-KB/s    in 0s
> >
> >         2018-03-07 18:41:11 (16.4 MB/s) - ‘incubating-netbeans-java-9.0-beta-bin.zip.asc’ saved [819/819]
> >
> >         leo@vmw01:~$ wget http://apache.cs.utah.edu/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta/incubating-netbeans-java-9.0-beta-bin.zip
> >         --2018-03-07 18:41:41--  http://apache.cs.utah.edu/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta/incubating-netbeans-java-9.0-beta-bin.zip
> >         Resolving apache.cs.utah.edu (apache.cs.utah.edu)... 155.98.64.87
> >         Connecting to apache.cs.utah.edu (apache.cs.utah.edu)|155.98.64.87|:80... connected.
> >         HTTP request sent, awaiting response... 200 OK
> >         Length: 167193685 (159M) [application/zip]
> >         Saving to: ‘incubating-netbeans-java-9.0-beta-bin.zip’
> >
> >         incubating-netbeans-java-9.0-beta-bin  100%[=======================================================================>]  159.45M  8.14MB/s    in 31s
> >
> >         2018-03-07 18:42:12 (5.22 MB/s) - ‘incubating-netbeans-java-9.0-beta-bin.zip’ saved [167193685/167193685]
> >
> >         leo@vmw01:~$ gpg --import KEYS
> >         gpg: key B4C1940FEA9364F1: public key "Jan Lahoda (Key for signing Apache NetBeans & co. releases.) <jlah...@apache.org>" imported
> >         gpg: key 13E9F7AE3A4FD551: public key "geert...@apache.org (Key for signing Apache NetBeans & co. releases.) <geert...@apache.org>" imported
> >         gpg: Total number processed: 2
> >         gpg:               imported: 2
> >         leo@vmw01:~$ gpg --verify incubating-netbeans-java-9.0-beta-bin.zip.asc incubating-netbeans-java-9.0-beta-bin.zip
> >         gpg: Signature made Wed 10 Jan 2018 03:41:31 PM MST
> >         gpg:                using RSA key B4C1940FEA9364F1
> >         gpg: BAD signature from "Jan Lahoda (Key for signing Apache NetBeans & co. releases.) <jlah...@apache.org>" [unknown]
> >         leo@vmw01:~$
> >     
> >     
> >         On Wed, Mar 7, 2018 at 5:00 PM, John McDonnell <mcdonnell.j...@gmail.com> wrote:
> >
> >             I got something slightly different...
> >
> >             I have a good signature when verifying the .asc file, but
> >             when I do an md5 or sha1 check on the zip file I get
> >             different results as to what's currently on the website:
> >     
> >             Johns-MacBook-Pro-2:netbeans_sig_test john$ wget https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta-rc3/incubating-netbeans-java-9.0-beta-bin.zip
> >             --2018-03-07 23:48:01--  https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta-rc3/incubating-netbeans-java-9.0-beta-bin.zip
> >             Resolving dist.apache.org... 209.188.14.144
> >             Connecting to dist.apache.org|209.188.14.144|:443... connected.
> >             HTTP request sent, awaiting response... 200 OK
> >             Length: 167193685 (159M) [application/octet-stream]
> >             Saving to: 'incubating-netbeans-java-9.0-beta-bin.zip'
> >
> >             incubating-netbeans-java-9.0-beta-bin.zip  100%[================================================================================================================>]  159.45M  2.61MB/s   in 57s
> >
> >             2018-03-07 23:48:58 (2.80 MB/s) - 'incubating-netbeans-java-9.0-beta-bin.zip' saved [167193685/167193685]
> >
> >             Johns-MacBook-Pro-2:netbeans_sig_test john$ wget https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta-rc3/incubating-netbeans-java-9.0-beta-bin.zip.asc
> >             --2018-03-07 23:49:49--  https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta-rc3/incubating-netbeans-java-9.0-beta-bin.zip.asc
> >             Resolving dist.apache.org... 209.188.14.144
> >             Connecting to dist.apache.org|209.188.14.144|:443... connected.
> >             HTTP request sent, awaiting response... 200 OK
> >             Length: 833 [text/plain]
> >             Saving to: 'incubating-netbeans-java-9.0-beta-bin.zip.asc'
> >
> >             incubating-netbeans-java-9.0-beta-bin.zip.asc  100%[================================================================================================================>]  833  --.-KB/s   in 0s
> >
> >             2018-03-07 23:49:49 (18.9 MB/s) - 'incubating-netbeans-java-9.0-beta-bin.zip.asc' saved [833/833]
> >
> >             Johns-MacBook-Pro-2:netbeans_sig_test john$ gpg --verify incubating-netbeans-java-9.0-beta-bin.zip.asc incubating-netbeans-java-9.0-beta-bin.zip
> >             gpg: Signature made Sun  4 Feb 13:57:10 2018 GMT
> >             gpg:                using RSA key 51B0E375B4941714A809F90E13E9F7AE3A4FD551
> >             gpg: Good signature from "geert...@apache.org (Key for signing Apache NetBeans & co. releases.) <geert...@apache.org>" [unknown]
> >             gpg: WARNING: This key is not certified with a trusted signature!
> >             gpg:          There is no indication that the signature belongs to the owner.
> >             Primary key fingerprint: 51B0 E375 B494 1714 A809  F90E 13E9 F7AE 3A4F D551
> >
> >             Johns-MacBook-Pro-2:netbeans_sig_test john$ md5 incubating-netbeans-java-9.0-beta-bin.zip
> >             MD5 (incubating-netbeans-java-9.0-beta-bin.zip) = 05d71d0e2a9360b3402c6068425773db
> >             Johns-MacBook-Pro-2:netbeans_sig_test john$ shasum incubating-netbeans-java-9.0-beta-bin.zip
> >             0e9dbf7f70ceacf5b86b8e0ec1ea80b26d93293b  incubating-netbeans-java-9.0-beta-bin.zip
> >     
> >             Regards
> >     
> >             John
> >     
> >             On 7 March 2018 at 23:12, Geertjan Wielenga <geertjan.wiele...@googlemail.com> wrote:
> >
> >                 Would be good if someone would verify this -- when I
> >                 look at the VOTE thread, the source signatures have been
> >                 verified:
> >
> >                 https://lists.apache.org/thread.html/859cbc7d2f4631983e48e24e7c1053439cbebfee133cc9b3745046b4@%3Cdev.netbeans.apache.org%3E
> >     
> >                 However, quite possibly the convenience binary signature
> >                 has been checked -- since Apache releases source code
> >                 and not binaries, which are optionally included for
> >                 convenience only.
> >     
> >                 Gj
> >     
> >                 On Wed, Mar 7, 2018 at 11:48 PM, Leo Donahue <donahu...@gmail.com> wrote:
> >     
> >                     Hi,
> >     
> >                     Is this the right list for this question?
> >     
> >                     I'm trying to verify the PGP ASC and KEY file but I
> >                     get a bad signature message.
> >     
> >                     I'm here:
> >                     https://netbeans.apache.org/download/nb90/nb90-beta.html
> >
> >                     In Terminal:
> >                     wget https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta/incubating-netbeans-java-9.0-beta-bin.zip.asc
> >
> >                     wget https://dist.apache.org/repos/dist/release/incubator/netbeans/KEYS
> >
> >                     pgp --import KEYS
> >
> >                     gpg --verify incubating-netbeans-java-9.0-beta-bin.zip.asc Downloads/incubating-netbeans-java-9.0-beta-bin.zip
> >
> >
> >                     output:
> >
> >                     gpg: Signature made Wed 10 Jan 2018 03:41:31 PM MST
> >                     gpg:                using RSA key B4C1940FEA9364F1
> >                     gpg: BAD signature from "Jan Lahoda (Key for signing Apache NetBeans & co. releases.) <jlah...@apache.org>" [unknown]
> >     
> >                     What did I forget to do?
> >     
> 
> --
> To unsubscribe, e-mail: dev-unsubscr...@netbeans.incubator.apache.org
> For additional commands, e-mail: dev-h...@netbeans.incubator.apache.org
>
> For further information about the NetBeans mailing lists, visit:
> https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists


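The triage Antonio describes in the quoted message (member timestamps, a missing "licenses" directory, a different LICENSE size) can be done mechanically when two archives share a filename but not a checksum. The following is an added example, not part of the original thread: the two archives are tiny constructed stand-ins built in memory, and the function names are hypothetical.

```python
import hashlib
import io
import zipfile


def make_zip(members, date):
    """Build a small in-memory zip (constructed sample, not a real release)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(zipfile.ZipInfo(name, date_time=date), data)
    return buf.getvalue()


def summarize(blob):
    """Return (sha256 of the archive, {member: (size, crc32, (y, m, d))})."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        listing = {i.filename: (i.file_size, i.CRC, i.date_time[:3])
                   for i in zf.infolist()}
    return hashlib.sha256(blob).hexdigest(), listing


def diff_archives(blob_a, blob_b):
    """Report what differs between two archives that share a filename."""
    sha_a, a = summarize(blob_a)
    sha_b, b = summarize(blob_b)
    return {
        "same_bytes": sha_a == sha_b,
        "only_in_a": sorted(a.keys() - b.keys()),
        "only_in_b": sorted(b.keys() - a.keys()),
        # Members present in both whose size or CRC differs: (size_a, size_b).
        "changed": {n: (a[n][0], b[n][0]) for n in sorted(a.keys() & b.keys())
                    if a[n][:2] != b[n][:2]},
        # Distinct member dates per archive hint at two separate builds.
        "build_dates": (sorted({v[2] for v in a.values()}),
                        sorted({v[2] for v in b.values()})),
    }


# Constructed stand-ins for the "dist" copy and the mirror copy.
DIST = make_zip({"netbeans/LICENSE": b"L" * 57,
                 "netbeans/bin/netbeans": b"#!/bin/sh\n"},
                (2018, 1, 10, 0, 0, 0))
MIRROR = make_zip({"netbeans/LICENSE": b"L" * 245,
                   "netbeans/bin/netbeans": b"#!/bin/sh\n",
                   "netbeans/licenses/Apache-2.0.txt": b"license text"},
                  (2018, 2, 2, 0, 0, 0))

if __name__ == "__main__":
    for key, value in diff_archives(DIST, MIRROR).items():
        print(f"{key}: {value}")
```

A report showing uniformly different build dates and added license files points to two builds published under one name; it does not replace running gpg --verify on each file against the .asc published beside it.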