Re: log4j 2.15.0 signature and sha512 hash

Mon, 13 Dec 2021 10:28:26 -0800 

On Mon, Dec 13, 2021 at 1:22 PM Daniel Savard <daniel.sav...@gmail.com>
wrote:

> Le lun. 13 déc. 2021 à 12:34, Gary Gregory <garydgreg...@gmail.com> a
> écrit :
>
> > Works for me:
> >
> > gpg --verify apache-log4j-2.15.0-bin.tar.gz.asc
> >
>
> Here is the content of the asc file:
>
> -----BEGIN PGP SIGNATURE-----
>
> iQIzBAABCgAdFiEEU8k1ghqmp1W9M321NZU5XrPY4boFAmGySd0ACgkQNZU5XrPY
> 4bqQtQ/+KXQi3+6LZ13HyEefNsnBm84krCXK/nAIlRnerbV+Wj1g0xU7cC8l3m+n
> UHw2/BIIurGnOKU4bvGUOc5UYDTED4LPadkvXYW0NMvBGla0fvR1lyEMypS2E2nz
> 0g3sqHC0T4ZEGEIO7jmUVQJEpPya33VlztfnoNQPcqv6PCOilIVK1EmoewEBvnsd
> SVAJPhJtD43mUPLsIMIc4k7IM56FssN+2+46mba6YH39C4Z4NheGBUK9UXWYKQd3
> 3DKHoIoLb2hKXLdxHHz5u4dbkYPiHyGR4iX0wjq7W4eUX/4v+czsjrs8vQ5Gvhba
> slg6RfUeu+fkMJfQUgRLT2HRSIKsuUd2QMppxW1GKRnfpx0yzAUWMfFfPcxuEa/u
> em4YCsz1/a0AtfgtI6+Lne0yWsxORVVutquVOyF0ddjySQccPNYaOyOjx6jASM2A
> LxkdCko0+2rSuIWcLMpWaoeRedao4L6O3azdU0IcN7/BVyXczM2t5cYB4QDdXvSc
> UKJ6q6dQLngIwYqo6Q/d1XeKatWuhSPz0+mAoGAWvllvzWKb1/YbC/jZk/vxVqzR
> K/mHB24pPWfcWiQNfbHrOVVUzv783u1RkEqDCGbBNBUr+ud1Fvte0i1x6WIhGXS7
> qb5OTuljDicQ1L2mAKgvzl4XnOUsFmuBagZHYk58n19ZlxfBlyw=
> =gA3i
>
> -----END PGP SIGNATURE-----
>
> This results in a bad signature.
>

What happens when you run:

gpg --verify apache-log4j-2.15.0-bin.tar.gz.asc

?

Gary

>
>
> >
> > gpg: assuming signed data in 'apache-log4j-2.15.0-bin.tar.gz'
> > gpg: Signature made Thu Dec  9 13:24:29 2021 EST
> > gpg:                using RSA key
> 53C935821AA6A755BD337DB53595395EB3D8E1BA
> > gpg: Good signature from "Ralph Goers (CODE SIGNING KEY) <
> > rgo...@apache.org>"
> > [unknown]
> > gpg: WARNING: This key is not certified with a trusted signature!
> > gpg:          There is no indication that the signature belongs to the
> > owner.
> > Primary key fingerprint: 53C9 3582 1AA6 A755 BD33  7DB5 3595 395E B3D8
> E1BA
> >
> > shasum -a512 apache-log4j-2.15.0-bin.tar.gz
> >
> >
> >
> c0e2d704d720bffc99520e5dfbf860ba3cb7f8a34c16a1caa8ce35618370ff06c19e3dc64fc258ad45d4308690551bf34b3ecb7acc0848aa12615f46398cda4a
> >  apache-log4j-2.15.0-bin.tar.gz
> >
> > is the same as the data in
> >
> >
> https://downloads.apache.org/logging/log4j/2.15.0/apache-log4j-2.15.0-bin.tar.gz.sha512
> >
> >
> Here is the content of the file when I download it:
>
> apache-log4j-2.15.0-bin.tar.gz: C0E2D704 D720BFFC 99520E5D FBF860BA
> 3CB7F8A3
>                                 4C16A1CA A8CE3561 8370FF06 C19E3DC6
> 4FC258AD
>                                 45D43086 90551BF3 4B3ECB7A CC0848AA
> 12615F46
>
>                                 398CDA4A
>
>
> Obviously not a sha512 hash.
>
>
>
> >
> > Gary
> >
> >
> -----------------
> Daniel Savard
>

Reply via email to