[ 
https://issues.apache.org/jira/browse/TIKA-2003?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15327727#comment-15327727
 ] 

Nick Burch commented on TIKA-2003:
----------------------------------

Looks like David hasn't added his GPG key fingerprint to his profile on 
id.apache.org / only added the short key ID

Very short term, you can switch to using the KEYS file in Git

Shorter term, David should add that key

Medium term, we might want to deploy the KEYS file to dist, as some other 
projects do

> Tika 1.13 gpg signature not validating.
> ---------------------------------------
>
>                 Key: TIKA-2003
>                 URL: https://issues.apache.org/jira/browse/TIKA-2003
>             Project: Tika
>          Issue Type: Bug
>            Reporter: Stephen Durham
>
> I am using Tika via the logicalspark/docker-tikaserver instance and I noticed 
> that the latest update to 1.13 failed the build process for the docker 
> instance due to a bad signature. I took the steps outlined below to make 
> sure that this was actually an issue before submitting the ticket.
> There is a related issue from a few years back, same RSA key 0EB30B07. The 
> ticket is 1345.
> Thanks in advance for any assistance with this issue.
> -Stephen
> First I tested with the Docker instance. I cloned the 
> logicalspark/docker-tikaserver repo and attempted the docker build locally. 
> The build encountered the following error:
> {noformat}
> gpg: Signature made Mon May  9 17:34:48 2016 UTC using RSA key ID 0EB30B07
> gpg: Can't check signature: public key not found
> {noformat}
> I then tested locally, with no keys other than those contained in tika.asc:
> {noformat}
> wget https://people.apache.org/keys/group/tika.asc
> wget http://apache.mirrors.tds.net/tika/tika-server-1.13.jar
> wget https://www.apache.org/dist/tika/tika-server-1.13.jar.asc
> {noformat}
> Then I verified the MD5 sum matches the download page.
> {noformat}
> md5 tika-server-1.13.jar
> MD5 (tika-server-1.13.jar) = 155bec7b7cb25b22effa99db1fb8e233
> {noformat}
> Next I verified the signature following the steps on the download page.
> 1. Import the Keys.
> {noformat}
> gpg --import tika.asc
> gpg: /Users/stephen/.gnupg/trustdb.gpg: trustdb created
> gpg: key B876884A: public key "Chris Mattmann (CODE SIGNING KEY)" imported
> gpg: key 6ED9BE21: public key "Bob Paulin (CODE SIGNING KEY)" imported
> gpg: key 0890B1AB: public key "Konstantin Gribov (gross)" imported
> gpg: key 6E68DA61: public key "Michael McCandless (CODE SIGNING KEY)" imported
> gpg: key A355A63E: public key "Jukka Zitting" imported
> gpg: key 8A26D9A6: public key "Jukka Zitting" imported
> gpg: key 42CFAE07: public key "Jukka Zitting (CODE SIGNING KEY)" imported
> gpg: key 95D21F2E: public key "Ray Gauss II (CODE SIGNING KEY)" imported
> gpg: key D4F10117: public key "Tyler Palsulich" imported
> gpg: key DEDEAB92: public key "Sergey Beryozkin (Release Management)" imported
> gpg: key 97EDDE66: public key "tallison (apache_distro_keys)" imported
> gpg: key 48BAEBF6: public key "Lewis John McGibbney (CODE SIGNING KEY)" imported
> gpg: key D84E41AE: public key "Nick Burch" imported
> gpg: Total number processed: 13
> gpg:               imported: 13  (RSA: 8)
> gpg: no ultimately trusted keys found
> {noformat}
> 2. Verify the signature.
> {noformat}
> gpg --verify tika-server-1.13.jar.asc
> gpg: assuming signed data in `tika-server-1.13.jar'
> gpg: Signature made Mon May  9 12:34:48 2016 CDT using RSA key ID 0EB30B07
> gpg: Can't check signature: public key not found
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
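
Added example, not part of the JIRA thread or of Tika's own tooling: a build step can read gpg's machine-readable `--status-fd` output to tell "public key not found" (the case reported above) apart from a genuinely bad signature, and can pin the signer by full fingerprint rather than a short key ID. The function name, the sample status lines and the fingerprint are constructed for illustration, and only the single-signature case is handled.

```shell
# Constructed sample status output (fingerprint, key ID and user ID are made up).
FPR=0123456789ABCDEF0123456789ABCDEF01234567
MISSING_KEY_SAMPLE='[GNUPG:] ERRSIG 0123456789ABCDEF 1 2 00 1462815288 9
[GNUPG:] NO_PUBKEY 0123456789ABCDEF'
GOOD_SAMPLE="[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG $FPR 2016-05-09 1462815288 0 4 0 1 2 00 $FPR"
BAD_SAMPLE='[GNUPG:] BADSIG 89ABCDEF01234567 Example Signer <signer@example.invalid>'

# Classify status lines read from stdin, e.g. produced by:
#   gpg --status-fd 1 --verify tika-server-1.13.jar.asc tika-server-1.13.jar 2>/dev/null
# $1 = full fingerprint taken from a trusted source such as the project's KEYS file.
# Prints one of: good, missing-key:<keyid>, unexpected-signer:<fpr>,
#                bad-signature, no-signature
classify_gpg_status() (
    # Normalise the pinned fingerprint: drop spaces, upper-case the hex digits.
    pinned=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    result="no-signature"
    while read -r prefix keyword arg1 rest; do
        [ "$prefix" = "[GNUPG:]" ] || continue
        case "$keyword" in
            BADSIG)
                # Key was available but the data or signature does not match.
                result="bad-signature"; break ;;
            NO_PUBKEY)
                # Signer's key is absent from the keyring: nothing was verified.
                result="missing-key:$arg1" ;;
            VALIDSIG)
                # arg1 = fingerprint of the signing key,
                # last field = fingerprint of its primary key.
                primary=${rest##* }
                if [ "$arg1" = "$pinned" ] || [ "$primary" = "$pinned" ]; then
                    result="good"
                else
                    result="unexpected-signer:$primary"
                fi ;;
        esac
    done
    printf '%s\n' "$result"
)

# Demo on the constructed "public key not found" sample.
printf '%s\n' "$MISSING_KEY_SAMPLE" | classify_gpg_status "$FPR"
```

A build script would stop unless the result is exactly `good`; `missing-key` points at the keyring or KEYS source, while `bad-signature` points at the downloaded artifact.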