I tried downloading Tika from https://tika.apache.org/download.html, but the checksums are not correct. Best case scenario: A misconfiguration. Worst case: something malicious. The checksum/PPG data is shown below.
The jars I downloaded can be found here: https://mega.nz/#!x6QmHbiQ!ADzzEYgiNZ-nJqBHyMT8GVGP34-MNtG3et3NDqlaJ4w === sha1 Actual: e97e1ea51fdb93ad7e0edd4e2e28cb7bd36ee0ab tika-app-1.16.jar e1b1b108fac5e0fc7e3995cddb39d10edd85b829 tika-eval-1.16.jar ae4cda8420a9a24f0807b8ae9bd5d3dd94b69d86 tika-server-1.16.jar e06f73bb7c1a281e88d4ddb2f7026727a3bc106f tika-1.16-src.zip === sha1 Expected (as written in https://tika.apache.org/download.html) cd0e68e795c513f317cf70759129f16bbd04822a tika-app-1.16.jar 71461f9746894811cfcd683d1f444e683a7ae89a tika-eval-1.16.jar 70a9ad2cca397ad1309bd65b9150ae8f6fadb407 tika-server-1.16.jar e6884af0209ace42bf0b9b59d72c3c5a0052055e tika-1.16-src.zip === md5 actual: 64e410ecabaecf302389042ef1ff76cb tika-1.16-src.zip fb1eab62e243bec62e4e4d4958b155a2 tika-app-1.16.jar bd4609f3769fd400bdb7dd7ea3af3d23 tika-eval-1.16.jar ccc92bc8a42ed54b877ec3c23dddac2c tika-server-1.16.jar === md5 Expected (as written in https://tika.apache.org/download.html) 33db4056ea44b34f95b7b7cb98c0ea06 tika-app-1.16.jar c5472760c287f2c6d54f88b1f90279de tika-eval-1.16.jar 6a549ce6ef6e186e019766059fd82fb2 tika-server-1.16.jar 4ec3bba071fcb1ee1e5b1311953c960e tika-1.16-src.zip === GPG status: gpg: assuming signed data in 'tika-1.16-src.zip' gpg: Signature made Sat 08 Jul 2017 05:27:42 AM +03 gpg: using RSA key E4032DC4EF0CF38A gpg: BAD signature from "Tim Allison (ASF signing key) <[email protected]>" [unknown] gpg: assuming signed data in 'tika-app-1.16.jar' gpg: Signature made Sat 08 Jul 2017 05:13:16 AM +03 gpg: using RSA key E4032DC4EF0CF38A gpg: BAD signature from "Tim Allison (ASF signing key) <[email protected]>" [unknown] gpg: assuming signed data in 'tika-eval-1.16.jar' gpg: Signature made Sat 08 Jul 2017 05:20:17 AM +03 gpg: using RSA key E4032DC4EF0CF38A gpg: BAD signature from "Tim Allison (ASF signing key) <[email protected]>" [unknown] gpg: assuming signed data in 'tika-server-1.16.jar' gpg: Signature made Sat 08 Jul 2017 05:17:53 AM +03 gpg: using RSA key E4032DC4EF0CF38A gpg: BAD signature from "Tim Allison (ASF signing key) <[email protected]>" [unknown] GPG certs were obtained from: https://people.apache.org/keys/group/tika.asc tika.asc sha256: b2f5924315c00cc32e6c1334037f00822f2b9af1696a504562f5547faf1cfa1c
