Re: log4j 2.15.0 signature and sha512 hash

Mon, 13 Dec 2021 10:22:50 -0800 

Le lun. 13 déc. 2021 à 12:34, Gary Gregory <garydgreg...@gmail.com> a
écrit :

> Works for me:
>
> gpg --verify apache-log4j-2.15.0-bin.tar.gz.asc
>

Here is the content of the asc file:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEU8k1ghqmp1W9M321NZU5XrPY4boFAmGySd0ACgkQNZU5XrPY
4bqQtQ/+KXQi3+6LZ13HyEefNsnBm84krCXK/nAIlRnerbV+Wj1g0xU7cC8l3m+n
UHw2/BIIurGnOKU4bvGUOc5UYDTED4LPadkvXYW0NMvBGla0fvR1lyEMypS2E2nz
0g3sqHC0T4ZEGEIO7jmUVQJEpPya33VlztfnoNQPcqv6PCOilIVK1EmoewEBvnsd
SVAJPhJtD43mUPLsIMIc4k7IM56FssN+2+46mba6YH39C4Z4NheGBUK9UXWYKQd3
3DKHoIoLb2hKXLdxHHz5u4dbkYPiHyGR4iX0wjq7W4eUX/4v+czsjrs8vQ5Gvhba
slg6RfUeu+fkMJfQUgRLT2HRSIKsuUd2QMppxW1GKRnfpx0yzAUWMfFfPcxuEa/u
em4YCsz1/a0AtfgtI6+Lne0yWsxORVVutquVOyF0ddjySQccPNYaOyOjx6jASM2A
LxkdCko0+2rSuIWcLMpWaoeRedao4L6O3azdU0IcN7/BVyXczM2t5cYB4QDdXvSc
UKJ6q6dQLngIwYqo6Q/d1XeKatWuhSPz0+mAoGAWvllvzWKb1/YbC/jZk/vxVqzR
K/mHB24pPWfcWiQNfbHrOVVUzv783u1RkEqDCGbBNBUr+ud1Fvte0i1x6WIhGXS7
qb5OTuljDicQ1L2mAKgvzl4XnOUsFmuBagZHYk58n19ZlxfBlyw=
=gA3i

-----END PGP SIGNATURE-----

This results in a bad signature.


>
> gpg: assuming signed data in 'apache-log4j-2.15.0-bin.tar.gz'
> gpg: Signature made Thu Dec  9 13:24:29 2021 EST
> gpg:                using RSA key 53C935821AA6A755BD337DB53595395EB3D8E1BA
> gpg: Good signature from "Ralph Goers (CODE SIGNING KEY) <
> rgo...@apache.org>"
> [unknown]
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the
> owner.
> Primary key fingerprint: 53C9 3582 1AA6 A755 BD33  7DB5 3595 395E B3D8 E1BA
>
> shasum -a512 apache-log4j-2.15.0-bin.tar.gz
>
>
> c0e2d704d720bffc99520e5dfbf860ba3cb7f8a34c16a1caa8ce35618370ff06c19e3dc64fc258ad45d4308690551bf34b3ecb7acc0848aa12615f46398cda4a
>  apache-log4j-2.15.0-bin.tar.gz
>
> is the same as the data in
>
> https://downloads.apache.org/logging/log4j/2.15.0/apache-log4j-2.15.0-bin.tar.gz.sha512
>
>
Here is the content of the file when I download it:

apache-log4j-2.15.0-bin.tar.gz: C0E2D704 D720BFFC 99520E5D FBF860BA 3CB7F8A3
                                4C16A1CA A8CE3561 8370FF06 C19E3DC6 4FC258AD
                                45D43086 90551BF3 4B3ECB7A CC0848AA 12615F46

                                398CDA4A


Obviously not a sha512 hash.



>
> Gary
>
>
-----------------
Daniel Savard

Reply via email to