Works for me:

gpg --verify apache-log4j-2.15.0-bin.tar.gz.asc
gpg: assuming signed data in 'apache-log4j-2.15.0-bin.tar.gz'
gpg: Signature made Thu Dec 9 13:24:29 2021 EST
gpg: using RSA key 53C935821AA6A755BD337DB53595395EB3D8E1BA
gpg: Good signature from "Ralph Goers (CODE SIGNING KEY) <rgo...@apache.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 53C9 3582 1AA6 A755 BD33 7DB5 3595 395E B3D8 E1BA

shasum -a512 apache-log4j-2.15.0-bin.tar.gz
c0e2d704d720bffc99520e5dfbf860ba3cb7f8a34c16a1caa8ce35618370ff06c19e3dc64fc258ad45d4308690551bf34b3ecb7acc0848aa12615f46398cda4a apache-log4j-2.15.0-bin.tar.gz

is the same as the data in
https://downloads.apache.org/logging/log4j/2.15.0/apache-log4j-2.15.0-bin.tar.gz.sha512

shasum --check -a512 apache-log4j-2.15.0-bin.tar.gz.sha512

I had to edit my local copy to match the format expected by shasum.

You can also use OpenSSL:

openssl dgst -sha512 apache-log4j-2.15.0-bin.tar.gz
SHA512(apache-log4j-2.15.0-bin.tar.gz)= c0e2d704d720bffc99520e5dfbf860ba3cb7f8a34c16a1caa8ce35618370ff06c19e3dc64fc258ad45d4308690551bf34b3ecb7acc0848aa12615f46398cda4a

Gary

On Mon, Dec 13, 2021 at 11:52 AM Daniel Savard <daniel.sav...@gmail.com> wrote:

> Hi everyone,
>
> I am trying to authenticate the log4j-2.15 code downloaded from the
> apache.org site and the sha512 file doesn't contain a sha512 hash at all
> and the signature file (.asc) failed to authenticate the parent file.
>
> Anyone can fix this? I cannot patch our system with unauthenticated code.
> Please, provide correct files and authentication files.
>
> Regards,
> -----------------
> Daniel Savard
>
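
Added example, not part of the original thread: a way to compare a download against its .sha512 file without hand-editing the file into the layout `shasum --check` expects. The function names are hypothetical, and the grouped "name: HEX HEX ..." layout is an assumption, since the thread does not show the published file's contents.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Print the lowercase hex SHA-512 of FILE with whichever tool is installed.
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum < "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 512 < "$1" | cut -d' ' -f1
    else
        openssl dgst -sha512 < "$1" | sed 's/^.*= *//'
    fi
}

# Print the digest stored in DIGESTFILE, whatever its layout:
#   <hex>  <name>            (shasum / sha512sum)
#   SHA512(<name>)= <hex>    (openssl dgst, as in the thread)
#   <name>: <HEX> <HEX> ...  (grouped, possibly wrapped; assumed layout)
#   <hex>                    (bare digest)
# Fails (non-zero) if no 128-hex-digit value can be recovered.
digest_from() {
    tr '\n' ' ' < "$1" | awk '
        {
            sub(/^.*[:=]/, "")              # drop "name:" or "SHA512(name)="
            d = $1                          # shasum layout: digest is field 1
            if (length(d) != 128) {         # grouped layout: join the groups
                d = $0
                gsub(/[ \t\r]/, "", d)
            }
            d = tolower(d)
            if (length(d) == 128 && d !~ /[^0-9a-f]/) { print d; ok = 1 }
        }
        END { exit !ok }'
}

# Return 0 only if ARTIFACT hashes to the digest recorded in DIGESTFILE.
verify_download() {
    expected=$(digest_from "$2") || {
        echo "no SHA-512 digest found in $2" >&2
        return 2
    }
    [ "$expected" = "$(sha512_of "$1")" ]
}

# Usage: sh verify.sh ARTIFACT DIGESTFILE
if [ "$#" -eq 2 ]; then
    verify_download "$1" "$2" && echo "OK: $1" || { echo "MISMATCH: $1" >&2; exit 1; }
fi
```

A matching digest only shows that the download equals the published file; the gpg --verify step is what ties the file to the signer's key.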