Would be good if someone would verify this -- when I look at the VOTE thread, the source signatures have been verified:
https://lists.apache.org/thread.html/859cbc7d2f4631983e48e24e7c1053439cbebfee133cc9b3745046b4@%3Cdev.netbeans.apache.org%3E However, quite possibly the convenience binary signature has been checked -- since Apache releases source code and not binaries, which are optionally included for convenience only. Gj On Wed, Mar 7, 2018 at 11:48 PM, Leo Donahue <donahu...@gmail.com> wrote: > Hi, > > Is this the right list for this question? > > I'm trying to verify the PGP ASC and KEY file but I get a bad signature > message. > > I'm here: https://netbeans.apache.org/download/nb90/nb90-beta.html > > In Terminal: > wget https://dist.apache.org/repos/dist/dev/incubator/netbeans/ > incubating-netbeans-java/incubating-9.0-beta/incubating-netbeans-java-9.0- > beta-bin.zip.asc > > wget https://dist.apache.org/repos/dist/release/incubator/netbeans/KEYS > > pgp --import KEYS > > gpg --verify incubating-netbeans-java-9.0-beta-bin.zip.asc > Downloads/incubating-netbeans-java-9.0-beta-bin.zip > > > output: > > gpg: Signature made Wed 10 Jan 2018 03:41:31 PM MST > gpg: using RSA key B4C1940FEA9364F1 > gpg: BAD signature from "Jan Lahoda (Key for signing Apache NetBeans & co. > releases.) <jlah...@apache.org>" [unknown] > > What did I forget to do? >
