On Aug 23, 2011, at 11:14 PM, Yegor Kozlov wrote:

> All the signatures are correct. I used the same signing procedure as
> for old releases, it signs all files in a batch and I didn't do
> anything different for .zip and .gz files. Moreover, I used
> multisign.sh which is a tried and tested script from the release
> tools, see  tools/releases/multisign.sh in the ASF committers
> repository.
> 
> I think it is a problem in the GPGTools for Mac OS X.

Well when I check the signature on RAT's tar.gz it works as expected.

$ gpg --verify apache-rat-incubating-current-bin.tar.gz.asc
gpg: Signature made Fri Jul 30 13:56:55 2010 PDT using DSA key ID DE240A64
gpg: Good signature from "Jochen Wiedmann <joc...@apache.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.

> 
> I'm checking with GNU gpg on Windows / cygwin and on Linux and
> all signatures are fine.

I am viewing this as something to correct for POI-3.8 Final. Strange that there 
is a difference in how GPG tools process *.tar.gz

Regards,
Dave


> 
> Yegor
> 
> On Wed, Aug 24, 2011 at 5:34 AM, Dave Fisher <dave2w...@comcast.net> wrote:
>> Hi Yegor,
>> 
>> I'm not seeing a valid signature on the tar.gz files. The zips are fine. It 
>> looks like you did all of the signing on the tar files and not the tar.gz 
>> files.
>> 
>> $ gpg --verify poi-bin-3.8-beta4-20110826.tar.gz.asc
>> gpg: Signature made Tue Aug 23 11:26:14 2011 PDT using DSA key ID F5BB52CD
>> gpg: BAD signature from "Yegor Kozlov <yegor.koz...@gmail.com>"
>> 
>> $ gpg --verify poi-bin-3.8-beta4-20110826.zip.asc
>> gpg: Signature made Tue Aug 23 11:26:16 2011 PDT using DSA key ID F5BB52CD
>> gpg: Good signature from "Yegor Kozlov <yegor.koz...@gmail.com>"
>> gpg:                 aka "Yegor Kozlov <ye...@dinom.ru>"
>> gpg:                 aka "Yegor Kozlov <ye...@apache.org>"
>> 
>> It looks like you signed poi-bin-3.8-beta4-20110826.tar and not 
>> poi-bin-3.8-beta4-20110826.tar.gz
>> 
>> The sha1 hash matches that of the tar and not the tar.gz
>> 
>> $ more poi-bin-3.8-beta4-20110826.tar.gz.sha1
>> 44eb9badbe80b99768b8d821d74b106dc8c5a2c0 *poi-bin-3.8-beta4-20110826.tar.gz
>> 
>> $ openssl sha1 poi-bin-3.8-beta4-20110826.tar
>> SHA1(poi-bin-3.8-beta4-20110826.tar)= 44eb9badbe80b99768b8d821d74b106dc8c5a2c0
>> 
>> Rename the tar.gz.asc to tar.asc and the signature checks.
>> 
>> $ gpg --verify poi-src-3.8-beta4-20110826.tar.asc
>> gpg: Signature made Tue Aug 23 11:26:27 2011 PDT using DSA key ID F5BB52CD
>> gpg: Good signature from "Yegor Kozlov <yegor.koz...@gmail.com>"
>> gpg:                 aka "Yegor Kozlov <ye...@dinom.ru>"
>> gpg:                 aka "Yegor Kozlov <ye...@apache.org>"
>> 
>> 
>> I am using this GPG: http://www.gpgtools.org/installer/index.html
>> 
>> And this reference for SHA1 hash - http://support.apple.com/kb/ht1652
>> 
>> Regards,
>> Dave
>> 
>> On Aug 23, 2011, at 12:04 PM, Yegor Kozlov wrote:
>> 
>>> Hi All,
>>> 
>>> Please test-drive the release candidate for POI 3.8 beta4 (take 2).
>>> Compared to the first version, two release blockers have been found and 
>>> fixed:
>>> 
>>> (1) https://issues.apache.org/bugzilla/show_bug.cgi?id=51686
>>> (2) Our collection of test files included a document that we are not
>>> allowed to distribute.  The doc in question has been removed.
>>> 
>>> The release candidate files are available from:
>>> 
>>> https://dist.apache.org/repos/dist/dev/poi/
>>> 
>>> (The jars and poms to feed into the maven repo are in /maven/
>>> directory, they will be pushed using mvn-deploy.sh)
>>> 
>>> As with all Apache release votes, please check that not only does the
>>> code work, and no major breakages have occurred since the last
>>> release, but also that packaging is correct, license headers and
>>> notices exist etc.
>>> 
>>> The vote options are:
>>> 
>>> +1 - I support this release
>>> 0 - I don't object to this release, but I haven't checked it
>>> -1 - There's a problem with the release, and that is ....
>>> 
>>> I'm voting [+1]. Vote open for 72 hours and ends on Friday, 26th August.
>>> 
>>> Yegor
>>> 
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: dev-unsubscr...@poi.apache.org
>>> For additional commands, e-mail: dev-h...@poi.apache.org
>>> 
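The mismatch reported in this thread (a checksum that matches the .tar rather than the published .tar.gz) can be told apart from plain corruption mechanically. The shell functions below are an added example, not part of the original thread or of the ASF release tools; the function names are hypothetical, and the checksum file is assumed to use the `<hex> *<filename>` layout shown in the thread.

```shell
#!/bin/sh
# Added example: classify why a release checksum does or does not match.
# Assumes a .sha1 file whose first line is "<hex> *<filename>".

# Print the SHA-1 hex digest of stdin, using whichever tool is installed.
sha1_hex() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 1 | cut -d' ' -f1
    else
        # openssl prints "(stdin)= <hex>" or "SHA1(stdin)= <hex>"
        openssl sha1 | sed 's/^.*= *//'
    fi
}

# check_release_sha1 ARTIFACT.tar.gz ARTIFACT.tar.gz.sha1
# Prints and returns:
#   ok                    (0) digest matches the compressed file as published
#   matches-uncompressed  (1) digest matches the inner .tar, not the .tar.gz
#   mismatch              (2) digest matches neither
check_release_sha1() {
    artifact=$1
    expected=$(head -n 1 "$2" | cut -d' ' -f1 | tr 'A-F' 'a-f')
    actual=$(sha1_hex < "$artifact")
    if [ "$actual" = "$expected" ]; then
        echo ok
        return 0
    fi
    # Hash the decompressed stream without writing the .tar to disk.
    inner=$(gzip -dc "$artifact" 2>/dev/null | sha1_hex)
    if [ "$inner" = "$expected" ]; then
        echo matches-uncompressed
        return 1
    fi
    echo mismatch
    return 2
}
```

A `matches-uncompressed` result points at the signing step or at a transfer that changed the compression layer, so the same comparison is worth repeating with `gpg --verify` against the decompressed stream before treating the artifact as tampered.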