[ https://issues.apache.org/jira/browse/LOG4J2-3314?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17468735#comment-17468735 ]
Adam Dalhed commented on LOG4J2-3314:
-------------------------------------
{code:java}
[vmuser1@vmdi-e8f4-adam-dalhed Downloads]$ wget https://www.apache.org/dyn/closer.lua/logging/log4j/2.17.1/apache-log4j-2.17.1-bin.tar.gz
--2022-01-04 09:35:58-- https://www.apache.org/dyn/closer.lua/logging/log4j/2.17.1/apache-log4j-2.17.1-bin.tar.gz
Resolving www.apache.org (www.apache.org)... 151.101.2.132, 2a04:4e42::644
Connecting to www.apache.org (www.apache.org)|151.101.2.132|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘apache-log4j-2.17.1-bin.tar.gz’
[ <=> ] 28,794 120KB/s in 0.2s
2022-01-04 09:35:59 (120 KB/s) - ‘apache-log4j-2.17.1-bin.tar.gz’ saved [28794]
[vmuser1@vmdi-e8f4-adam-dalhed Downloads]$ wget https://www.apache.org/dist/logging/KEYS
--2022-01-04 09:36:18-- https://www.apache.org/dist/logging/KEYS
Resolving www.apache.org (www.apache.org)... 151.101.2.132, 2a04:4e42::644
Connecting to www.apache.org (www.apache.org)|151.101.2.132|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://downloads.apache.org/logging/KEYS [following]
--2022-01-04 09:36:19-- https://downloads.apache.org/logging/KEYS
Resolving downloads.apache.org (downloads.apache.org)... 135.181.214.104, 88.99.95.219, 2a01:4f8:10a:201a::2, ...
Connecting to downloads.apache.org (downloads.apache.org)|135.181.214.104|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 79600 (78K)
Saving to: ‘KEYS’
100%[================================================================================================================================>] 79,600 89.0KB/s in 0.9s
2022-01-04 09:36:21 (89.0 KB/s) - ‘KEYS’ saved [79600/79600]
[vmuser1@vmdi-e8f4-adam-dalhed Downloads]$ gpg --import KEYS
gpg: directory `/home/vmuser1/.gnupg' created
gpg: new configuration file `/home/vmuser1/.gnupg/gpg.conf' created
gpg: WARNING: options in `/home/vmuser1/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/home/vmuser1/.gnupg/secring.gpg' created
gpg: keyring `/home/vmuser1/.gnupg/pubring.gpg' created
gpg: /home/vmuser1/.gnupg/trustdb.gpg: trustdb created
gpg: key 0C7C4F05: public key "Mark Dwayne Womack <[email protected]>" imported
gpg: key 7C037D42: public key "Yoav Shapira <[email protected]>" imported
gpg: key 2E114322: public key "Curt Arnold <[email protected]>" imported
gpg: key 70C9C3D0: public key "[email protected] (CODE SIGNING KEY) <[email protected]>" imported
gpg: key 47C4113E: public key "Jacob Kjome <[email protected]>" imported
gpg: key 914A4D28: public key "Nicko Cadell <[email protected]>" imported
gpg: key B3D8E1BA: public key "Ralph Goers (CODE SIGNING KEY) <[email protected]>" imported
gpg: key 42196CA8: public key "Christian Grobmeier (Apache Codesigning) <[email protected]>" imported
gpg: key ED446286: public key "Nicholas Scott Williams (For signing NWTS Java Code) <[email protected]>" imported
gpg: key A303D55F: public key "Nicholas Scott Williams (For ASF Code Signing Purposes Only) <[email protected]>" imported
gpg: key A5CC90DB: public key "Christian Grobmeier <[email protected]>" imported
gpg: key 778C3033: public key "Thorsten Schöning <[email protected]>" imported
gpg: key B095DD52: public key "Robert Middleton <[email protected]>" imported
gpg: key FA1C814D: public key "Matt Sicker (Apache Software Foundation) <[email protected]>" imported
gpg: key 0E682C9C: public key "Davyd McColl <[email protected]>" imported
gpg: key 5497A907: public key "Dominik Psenner <[email protected]>" imported
gpg: key C9BD368E: public key "Volkan Yazici (vy) <[email protected]>" imported
gpg: Total number processed: 17
gpg: imported: 17 (RSA: 10)
gpg: no ultimately trusted keys found
[vmuser1@vmdi-e8f4-adam-dalhed Downloads]$ gpg --verify apache-log4j-2.17.1-bin.tar.gz.asc
gpg: can't open `apache-log4j-2.17.1-bin.tar.gz.asc': No such file or directory
gpg: verify signatures failed: No such file or directory
[vmuser1@vmdi-e8f4-adam-dalhed Downloads]$ gpg --verify
apache-log4j-2.17.1-bin.tar.gz first-run-install.sh first-run.sh KEYS vmdi-install.log
[vmuser1@vmdi-e8f4-adam-dalhed Downloads]$ wget https://www.apache.org/dist/logging/log4j/2.17.1/apache-log4j-2.17.1-bin.tar.gz.sha512
--2022-01-04 09:39:50-- https://www.apache.org/dist/logging/log4j/2.17.1/apache-log4j-2.17.1-bin.tar.gz.sha512
Resolving www.apache.org (www.apache.org)... 151.101.2.132, 2a04:4e42::644
Connecting to www.apache.org (www.apache.org)|151.101.2.132|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://downloads.apache.org/logging/log4j/2.17.1/apache-log4j-2.17.1-bin.tar.gz.sha512 [following]
--2022-01-04 09:39:51-- https://downloads.apache.org/logging/log4j/2.17.1/apache-log4j-2.17.1-bin.tar.gz.sha512
Resolving downloads.apache.org (downloads.apache.org)... 135.181.214.104, 88.99.95.219, 2a01:4f9:3a:2c57::2, ...
Connecting to downloads.apache.org (downloads.apache.org)|135.181.214.104|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 128 [text/plain]
Saving to: ‘apache-log4j-2.17.1-bin.tar.gz.sha512’
100%[================================================================================================================================>] 128 --.-K/s in 0s
2022-01-04 09:39:53 (5.82 MB/s) - ‘apache-log4j-2.17.1-bin.tar.gz.sha512’ saved [128/128]
[vmuser1@vmdi-e8f4-adam-dalhed Downloads]$ wget https://www.apache.org/dist/logging/log4j/2.17.1/apache-log4j-2.17.1-bin.tar.gz.asc
--2022-01-04 09:40:04-- https://www.apache.org/dist/logging/log4j/2.17.1/apache-log4j-2.17.1-bin.tar.gz.asc
Resolving www.apache.org (www.apache.org)... 151.101.2.132, 2a04:4e42::644
Connecting to www.apache.org (www.apache.org)|151.101.2.132|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://downloads.apache.org/logging/log4j/2.17.1/apache-log4j-2.17.1-bin.tar.gz.asc [following]
--2022-01-04 09:40:05-- https://downloads.apache.org/logging/log4j/2.17.1/apache-log4j-2.17.1-bin.tar.gz.asc
Resolving downloads.apache.org (downloads.apache.org)... 135.181.214.104, 88.99.95.219, 2a01:4f9:3a:2c57::2, ...
Connecting to downloads.apache.org (downloads.apache.org)|135.181.214.104|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 866 [text/plain]
Saving to: ‘apache-log4j-2.17.1-bin.tar.gz.asc’
100%[================================================================================================================================>] 866 --.-K/s in 0s
2022-01-04 09:40:06 (27.0 MB/s) - ‘apache-log4j-2.17.1-bin.tar.gz.asc’ saved [866/866]
[vmuser1@vmdi-e8f4-adam-dalhed Downloads]$ gpg --verify apache-log4j-2.17.1-bin.tar.gz.asc
gpg: Signature made Mon 27 Dec 2021 04:29:29 PM MST using RSA key ID B62BABE8
gpg: BAD signature from "Matt Sicker (Apache Software Foundation) <[email protected]>"
[vmuser1@vmdi-e8f4-adam-dalhed Downloads]$ sha
sha1sum sha224sum sha256sum sha384sum sha512sum
[vmuser1@vmdi-e8f4-adam-dalhed Downloads]$ sha512sum apache-log4j-2.17.1-bin.tar.gz
303060faaa1f218cd9db5f4971bdb50da42a10431959087964b7b0588affaa3f83827b3fade3425fafe2712d20b9bcd97f22a53d67ede2b84e2d142e7d33eb19  apache-log4j-2.17.1-bin.tar.gz
[vmuser1@vmdi-e8f4-adam-dalhed Downloads]$ cat apache-log4j-2.17.1-bin.tar.gz.
apache-log4j-2.17.1-bin.tar.gz.asc apache-log4j-2.17.1-bin.tar.gz.sha512
[vmuser1@vmdi-e8f4-adam-dalhed Downloads]$ cat apache-log4j-2.17.1-bin.tar.gz.
apache-log4j-2.17.1-bin.tar.gz.asc apache-log4j-2.17.1-bin.tar.gz.sha512
[vmuser1@vmdi-e8f4-adam-dalhed Downloads]$ cat apache-log4j-2.17.1-bin.tar.gz.sha512
b7e948df6c6f57d903d990de2cc0270c1537b711285e9b6b91280db6ace38418fced713785b2c20512dd9a4238c2d1d0ceb414d9936df2ca110ff14993ae04dc[vmuser1@vmdi-e8f4-adam-dalhed Downloads]$
[vmuser1@vmdi-e8f4-adam-dalhed Downloads]$
{code}
> checksum and signature checks fail for 2.17.1 bin zip and tgz
> -------------------------------------------------------------
>
> Key: LOG4J2-3314
> URL: https://issues.apache.org/jira/browse/LOG4J2-3314
> Project: Log4j 2
> Issue Type: Bug
> Affects Versions: 2.17.1
> Reporter: Adam Dalhed
> Priority: Major
>
> The linked binary downloads on
> [https://logging.apache.org/log4j/2.x/download.html] fail the signature and
> sha512 checksums. I didn't check the src downloads. I had to download the
> binaries from the [main distribution
> directory|https://www.apache.org/dist/logging/] to pass the checks.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
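
In the session above, the first `wget` reports `Length: unspecified [text/html]` and saves 28,794 bytes under the `.tar.gz` name. The script below is an added example, not part of the Jira comment or of the Log4j project's tooling: it checks that a download is a gzip stream before comparing its SHA-512 digest and detached signature. The function names and exit codes are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks for a downloaded release tarball.
# Function names and exit codes are assumptions of this example.

# True if the file starts with the gzip magic bytes 1f 8b.
is_gzip() {
    [ "$(od -An -tx1 -N2 "$1" | tr -d ' \n')" = "1f8b" ]
}

# True if the file's SHA-512 equals the first token of the .sha512 file.
# Handles a digest file with no filename column and no trailing newline,
# as in the session above (Length: 128).
sha512_matches() {
    local expected actual
    expected=$(awk '{print tolower($1); exit}' "$2")
    actual=$(sha512sum "$1" | awk '{print $1}')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Exit codes: 0 ok, 2 not a gzip archive (for example a saved HTML page),
# 3 digest mismatch, 4 detached signature did not verify.
verify_download() {
    local file=$1 sum=$2 asc=${3:-}
    if ! is_gzip "$file"; then
        echo "not a gzip archive, starts with: $(head -c 60 "$file" | tr -d '\n')" >&2
        return 2
    fi
    if ! sha512_matches "$file" "$sum"; then
        echo "sha512 mismatch for $file" >&2
        return 3
    fi
    if [ -n "$asc" ]; then
        # Detached signature: pass both the .asc and the signed file.
        gpg --verify "$asc" "$file" || return 4
    fi
    return 0
}

# Usage: verify.sh <file> <file.sha512> [file.asc]
if [ "$#" -ge 2 ]; then verify_download "$@"; fi
```

Checking the file type first turns an opaque `BAD signature` into a direct statement that the saved file is not an archive at all.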