I just downloaded apache-maven-3.0.4-bin.tar.gz (and its checksum and signature) and can't verify the signature. I grabbed KEYS from http://www.apache.org/dist/maven/KEYS and:

$ gpg --import KEYS
...
gpg: Total number processed: 42
gpg:               imported: 41  (RSA: 4)
gpg:              unchanged: 1
gpg: no ultimately trusted keys found
$ gpg --verify apache-maven-3.0.4-bin.tar.gz.asc apache-maven-3.0.4-bin.tar.gz
gpg: Signature made Tue 17 Jan 2012 03:47:55 AM EST using DSA key ID B4372146
gpg: BAD signature from "Olivier Lamy <[email protected]>"

The md5 checksum also doesn't match. I get

$ md5sum apache-maven-3.0.4-bin.tar.gz
bc6559d120933c27534200d7dc9e0d39  apache-maven-3.0.4-bin.tar.gz

and the download page says e513740978238cb9e4d482103751f6b7

Obviously I'm not using this tarball until I know what's up! Whose mistake and/or compromise?

  Jay Scott
  http://satirist.org/
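
A triage helper for the situation described in the post above, as an added example that is not part of the original message: when both the published MD5 and the signature fail, it reports whether the file on disk is not a gzip stream at all, is a truncated or corrupted gzip stream, or is a well-formed gzip with different content. The function names and verdict strings are assumptions of this example.

```python
import gzip
import hashlib
import zlib

GZIP_MAGIC = b"\x1f\x8b"  # first two bytes of every gzip stream


def triage_download(path, published_md5):
    """Compare a download with its published MD5 and, on mismatch,
    classify what kind of bytes actually landed on disk."""
    digest = hashlib.md5()
    size = 0
    with open(path, "rb") as fh:
        head = fh.read(2)
        fh.seek(0)
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
            size += len(chunk)
    actual = digest.hexdigest()
    result = {"size": size, "md5": actual,
              "md5_matches": actual == published_md5.strip().lower()}
    if result["md5_matches"]:
        # Integrity only; authenticity still rests on `gpg --verify`.
        result["verdict"] = "digest matches published value"
    elif head != GZIP_MAGIC:
        result["verdict"] = "not a gzip stream (error page or wrong file saved)"
    else:
        result["verdict"] = _gzip_integrity(path)
    return result


def _gzip_integrity(path):
    """Decompress the whole stream so truncation and CRC errors surface."""
    try:
        with gzip.open(path, "rb") as gz:
            while gz.read(1 << 16):
                pass
    except EOFError:
        return "truncated gzip stream (incomplete transfer)"
    except (OSError, zlib.error):
        return "corrupted gzip stream (bytes altered in transit or at rest)"
    return "valid gzip with different content (do not use; report to the project)"
```

Called as `triage_download("apache-maven-3.0.4-bin.tar.gz", "e513740978238cb9e4d482103751f6b7")`, the returned size and verdict are the details worth including in a report to the list, alongside the mirror the file came from.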
