All the signatures are correct. I used the same signing procedure as
for old releases, it signs all files in a batch and I didn't do
anything different for .zip and .gz files. Moreover, I used
multisign.sh which is a tried and tested script from the release
tools, see tools/releases/multisign.sh in the ASF committers
repository.

I think it is a problem in the GPGTools for Mac OS X.

I'm checking with GNU gpg on Windows / cygwin and on Linux and
all signatures are fine.

Yegor

On Wed, Aug 24, 2011 at 5:34 AM, Dave Fisher <dave2w...@comcast.net> wrote:
> Hi Yegor,
>
> I'm not seeing a valid signature on the tar.gz files. The zips are fine. It 
> looks like you did all of the signing on the tar files and not the tar.gz 
> files.
>
> $ gpg --verify poi-bin-3.8-beta4-20110826.tar.gz.asc
> gpg: Signature made Tue Aug 23 11:26:14 2011 PDT using DSA key ID F5BB52CD
> gpg: BAD signature from "Yegor Kozlov <yegor.koz...@gmail.com>"
>
> $ gpg --verify poi-bin-3.8-beta4-20110826.zip.asc
> gpg: Signature made Tue Aug 23 11:26:16 2011 PDT using DSA key ID F5BB52CD
> gpg: Good signature from "Yegor Kozlov <yegor.koz...@gmail.com>"
> gpg:                 aka "Yegor Kozlov <ye...@dinom.ru>"
> gpg:                 aka "Yegor Kozlov <ye...@apache.org>"
>
> It looks like you signed poi-bin-3.8-beta4-20110826.tar and not 
> poi-bin-3.8-beta4-20110826.tar.gz
>
> The sha1 hash matches that of the tar and not the tar.gz
>
> $ more poi-bin-3.8-beta4-20110826.tar.gz.sha1
> 44eb9badbe80b99768b8d821d74b106dc8c5a2c0 *poi-bin-3.8-beta4-20110826.tar.gz
>
> $ openssl sha1 poi-bin-3.8-beta4-20110826.tar
> SHA1(poi-bin-3.8-beta4-20110826.tar)= 44eb9badbe80b99768b8d821d74b106dc8c5a2c0
>
> Rename the tar.gz.asc to tar.asc and the signature checks.
>
> $ gpg --verify poi-src-3.8-beta4-20110826.tar.asc
> gpg: Signature made Tue Aug 23 11:26:27 2011 PDT using DSA key ID F5BB52CD
> gpg: Good signature from "Yegor Kozlov <yegor.koz...@gmail.com>"
> gpg:                 aka "Yegor Kozlov <ye...@dinom.ru>"
> gpg:                 aka "Yegor Kozlov <ye...@apache.org>"
>
>
> I am using this GPG: http://www.gpgtools.org/installer/index.html
>
> And this reference for SHA1 hash - http://support.apple.com/kb/ht1652
>
> Regards,
> Dave
>
> On Aug 23, 2011, at 12:04 PM, Yegor Kozlov wrote:
>
>> Hi All,
>>
>> Please test-drive the release candidate for POI 3.8 beta4 (take 2).
>> Compared to the first version, two release blockers have been found and 
>> fixed:
>>
>> (1) https://issues.apache.org/bugzilla/show_bug.cgi?id=51686
>> (2) Our collection of test files included a document that we are not
>> allowed to distribute.  The doc in question has been removed.
>>
>> The release candidate files are available from:
>>
>> https://dist.apache.org/repos/dist/dev/poi/
>>
>> (The jars and poms to feed into the maven repo are in /maven/
>> directory, they will be pushed using mvn-deploy.sh)
>>
>> As with all Apache release votes, please check that not only does the
>> code work, and no major breakages have occurred since the last
>> release, but also that packaging is correct, license headers and
>> notices exist etc.
>>
>> The vote options are:
>>
>> +1 - I support this release
>> 0 - I don't object to this release, but I haven't checked it
>> -1 - There's a problem with the release, and that is ....
>>
>> I'm voting [+1]. Vote open for 72 hours and ends on Friday, 26th August.
>>
>> Yegor
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscr...@poi.apache.org
>> For additional commands, e-mail: dev-h...@poi.apache.org
>>
>
>
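
Added example, not part of the thread and not code from the POI release tools: a check for the mismatch reported above, where the digest in the `.tar.gz.sha1` file matches the uncompressed tar rather than the `.tar.gz`. It hashes the file as stored and its gunzipped stream and reports which one the published digest covers; the function names, result labels and sample data are constructed for illustration.

```python
import gzip
import hashlib
import zlib

GZIP_MAGIC = b"\x1f\x8b"  # first two bytes of every gzip stream


def parse_sha1_file(text):
    """Extract the digest from a '<hex> *<filename>' line, the format shown in the thread."""
    parts = text.split()
    digest = parts[0].lower() if parts else ""
    if len(digest) != 40 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("not a SHA-1 hex digest: %r" % digest)
    return digest


def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()


def classify_tar_gz(data, expected):
    """Report which byte stream the published digest covers for a file named *.tar.gz."""
    is_gzip = data[:2] == GZIP_MAGIC
    if sha1_hex(data) == expected:
        # Digest covers the bytes on disk; flag the case where those bytes
        # are not gzip at all (a plain tar stored under a .tar.gz name).
        return "match" if is_gzip else "match-not-gzip"
    if is_gzip:
        try:
            inner = gzip.decompress(data)
        except (OSError, EOFError, zlib.error):
            return "mismatch"  # corrupt or truncated gzip stream
        if sha1_hex(inner) == expected:
            # The situation reported in the thread: the digest is of the .tar.
            return "matches-uncompressed"
    return "mismatch"


if __name__ == "__main__":
    tar_bytes = b"constructed stand-in for tar content\n" * 64  # constructed sample
    gz_bytes = gzip.compress(tar_bytes)
    line = sha1_hex(tar_bytes) + " *sample.tar.gz"  # constructed .sha1 line
    print(classify_tar_gz(gz_bytes, parse_sha1_file(line)))
```

A result of `matches-uncompressed` or `match-not-gzip` means the checksum and the artifact on disk disagree about compression, which is worth settling before treating a BAD signature as a signing or tooling fault.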
