Would be good if someone would verify this -- when I look at the VOTE
thread, the source signatures have been verified:
However, quite possibly the convenience binary signature has been checked
-- since Apache releases source code and not binaries, which are optionally
included for convenience only.
On Wed, Mar 7, 2018 at 11:48 PM, Leo Donahue <donahu...@gmail.com> wrote:
> Is this the right list for this question?
> I'm trying to verify the PGP ASC and KEY file but I get a bad signature
> I'm here: https://netbeans.apache.org/download/nb90/nb90-beta.html
> In Terminal:
> wget https://dist.apache.org/repos/dist/dev/incubator/netbeans/
> wget https://dist.apache.org/repos/dist/release/incubator/netbeans/KEYS
> pgp --import KEYS
> gpg --verify incubating-netbeans-java-9.0-beta-bin.zip.asc
> gpg: Signature made Wed 10 Jan 2018 03:41:31 PM MST
> gpg: using RSA key B4C1940FEA9364F1
> gpg: BAD signature from "Jan Lahoda (Key for signing Apache NetBeans & co.
> releases.) <jlah...@apache.org>" [unknown]
> What did I forget to do?