Hi Leo,

I didn't import the keys, as I had previously done this step...

But

I'm looking at a different file then you:
https://dist.apache.org/repos/dist/dev/incubator/netbeans/
incubating-netbeans-java/incubating-9.0-beta/incubating-netbeans-java-9.0-
beta-bin.zip(you)
https://dist.apache.org/repos/dist/dev/incubator/netbeans/
incubating-netbeans-java/incubating-9.0-beta-rc3/
incubating-netbeans-java-9.0-beta-bin.zip(me)

@Geertjan, the vote thread you referenced earlier, we voted on the link I
used - and got a good signature, so I think that's okay.  But the website
points to a different URL (The one Leo checked).  I suspect that the
website is using the wrong URL, but before I jump to that conclusion, just
curious after the successful vote would you have moved the artefact to the
location on the website?

Regards

John


On 8 March 2018 at 01:50, Leo Donahue <donahu...@gmail.com> wrote:

> Hi John,
>
> I noticed that you didn't issue:  gpg --import KEYS
>
> I tried again, using wget to download the binary zip file, same result.  I
> have also tried different mirrors.  I guess I will just build from source,
> I was just being lazy.
>
> (The --list-keys command illustrates I don't already have the KEYS file
> imported)
>
> leo@vmw01:~$ *gpg --list-keys*
> leo@vmw01:~$ *wget
> https://dist.apache.org/repos/dist/release/incubator/netbeans/KEYS
> <https://dist.apache.org/repos/dist/release/incubator/netbeans/KEYS>*
> --2018-03-07 18:40:53--  https://dist.apache.org/repos/
> dist/release/incubator/netbeans/KEYS
> Resolving dist.apache.org (dist.apache.org)... 209.188.14.144
> Connecting to dist.apache.org (dist.apache.org)|209.188.14.144|:443...
> connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 7594 (7.4K) [text/plain]
> Saving to: ‘KEYS’
>
> KEYS                                  100%[=========================
> ==============================================>]   7.42K  --.-KB/s    in
> 0s
>
> 2018-03-07 18:40:54 (42.0 MB/s) - ‘KEYS’ saved [7594/7594]
>
> leo@vmw01:~$ *wget
> https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta/incubating-netbeans-java-9.0-beta-bin.zip.asc
> <https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta/incubating-netbeans-java-9.0-beta-bin.zip.asc>*
> --2018-03-07 18:41:11--  https://dist.apache.org/repos/
> dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta/
> incubating-netbeans-java-9.0-beta-bin.zip.asc
> Resolving dist.apache.org (dist.apache.org)... 209.188.14.144
> Connecting to dist.apache.org (dist.apache.org)|209.188.14.144|:443...
> connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 819 [text/plain]
> Saving to: ‘incubating-netbeans-java-9.0-beta-bin.zip.asc’
>
> incubating-netbeans-java-9.0-beta-bin 100%[=========================
> ==============================================>]     819  --.-KB/s    in
> 0s
>
> 2018-03-07 18:41:11 (16.4 MB/s) - 
> ‘incubating-netbeans-java-9.0-beta-bin.zip.asc’
> saved [819/819]
>
> leo@vmw01:~$ *wget
> http://apache.cs.utah.edu/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta/incubating-netbeans-java-9.0-beta-bin.zip
> <http://apache.cs.utah.edu/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta/incubating-netbeans-java-9.0-beta-bin.zip>*
> --2018-03-07 18:41:41--  http://apache.cs.utah.edu/
> incubator/netbeans/incubating-netbeans-java/incubating-9.0-
> beta/incubating-netbeans-java-9.0-beta-bin.zip
> Resolving apache.cs.utah.edu (apache.cs.utah.edu)... 155.98.64.87
> Connecting to apache.cs.utah.edu (apache.cs.utah.edu)|155.98.64.87|:80...
> connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 167193685 (159M) [application/zip]
> Saving to: ‘incubating-netbeans-java-9.0-beta-bin.zip’
>
> incubating-netbeans-java-9.0-beta-bin 100%[=========================
> ==============================================>] 159.45M  8.14MB/s    in
> 31s
>
> 2018-03-07 18:42:12 (5.22 MB/s) - ‘incubating-netbeans-java-9.0-beta-bin.zip’
> saved [167193685/167193685]
>
> leo@vmw01:~$ *gpg --import KEYS*
> gpg: key B4C1940FEA9364F1: public key "Jan Lahoda (Key for signing Apache
> NetBeans & co. releases.) <jlah...@apache.org>" imported
> gpg: key 13E9F7AE3A4FD551: public key "geert...@apache.org (Key for
> signing Apache NetBeans & co. releases.) <geert...@apache.org>" imported
> gpg: Total number processed: 2
> gpg:               imported: 2
> leo@vmw01:~$ *gpg --verify incubating-netbeans-java-9.0-beta-bin.zip.asc
> incubating-netbeans-java-9.0-beta-bin.zip*
> gpg: Signature made Wed 10 Jan 2018 03:41:31 PM MST
> gpg:                using RSA key B4C1940FEA9364F1
> gpg: BAD signature from "Jan Lahoda (Key for signing Apache NetBeans & co.
> releases.) <jlah...@apache.org>" [unknown]
> leo@vmw01:~$
>
>
> On Wed, Mar 7, 2018 at 5:00 PM, John McDonnell <mcdonnell.j...@gmail.com>
> wrote:
>
>> I got something slightly different...
>>
>> I have a good signature when verifying the .asc file, but when I do an
>> md5 or sha1 check on the zip file I get different results as to whats
>> currently on the website:
>>
>> Johns-MacBook-Pro-2:netbeans_sig_test john$ wget
>> https://dist.apache.org/repos/dist/dev/incubator/netbeans/in
>> cubating-netbeans-java/incubating-9.0-beta-rc3/incubating-
>> netbeans-java-9.0-beta-bin.zip
>> --2018-03-07 23:48:01--  https://dist.apache.org/repos/
>> dist/dev/incubator/netbeans/incubating-netbeans-java/incubat
>> ing-9.0-beta-rc3/incubating-netbeans-java-9.0-beta-bin.zip
>> Resolving dist.apache.org... 209.188.14.144
>> Connecting to dist.apache.org|209.188.14.144|:443... connected.
>> HTTP request sent, awaiting response... 200 OK
>> Length: 167193685 (159M) [application/octet-stream]
>> Saving to: 'incubating-netbeans-java-9.0-beta-bin.zip'
>>
>> incubating-netbeans-java-9.0-beta-bin.zip
>> 100%[=======================================================
>> =========================================================>] 159.45M
>> 2.61MB/s   in 57s
>>
>> 2018-03-07 23:48:58 (2.80 MB/s) - 'incubating-netbeans-java-9.0-beta-bin.zip'
>> saved [167193685/167193685]
>>
>> Johns-MacBook-Pro-2:netbeans_sig_test john$ wget
>> https://dist.apache.org/repos/dist/dev/incubator/netbeans/in
>> cubating-netbeans-java/incubating-9.0-beta-rc3/incubating-
>> netbeans-java-9.0-beta-bin.zip.asc
>> --2018-03-07 23:49:49--  https://dist.apache.org/repos/
>> dist/dev/incubator/netbeans/incubating-netbeans-java/incubat
>> ing-9.0-beta-rc3/incubating-netbeans-java-9.0-beta-bin.zip.asc
>> Resolving dist.apache.org... 209.188.14.144
>> Connecting to dist.apache.org|209.188.14.144|:443... connected.
>> HTTP request sent, awaiting response... 200 OK
>> Length: 833 [text/plain]
>> Saving to: 'incubating-netbeans-java-9.0-beta-bin.zip.asc'
>>
>> incubating-netbeans-java-9.0-beta-bin.zip.asc
>> 100%[=======================================================
>> =========================================================>]     833
>> --.-KB/s   in 0s
>>
>> 2018-03-07 23:49:49 (18.9 MB/s) - 
>> 'incubating-netbeans-java-9.0-beta-bin.zip.asc'
>> saved [833/833]
>>
>> Johns-MacBook-Pro-2:netbeans_sig_test john$ gpg --verify
>> incubating-netbeans-java-9.0-beta-bin.zip.asc
>> incubating-netbeans-java-9.0-beta-bin.zip
>> gpg: Signature made Sun  4 Feb 13:57:10 2018 GMT
>> gpg:                using RSA key 51B0E375B4941714A809F90E13E9F7
>> AE3A4FD551
>> gpg: Good signature from "geert...@apache.org (Key for signing Apache
>> NetBeans & co. releases.) <geert...@apache.org>" [unknown]
>> gpg: WARNING: This key is not certified with a trusted signature!
>> gpg:          There is no indication that the signature belongs to the
>> owner.
>> Primary key fingerprint: 51B0 E375 B494 1714 A809  F90E 13E9 F7AE 3A4F
>> D551
>>
>> Johns-MacBook-Pro-2:netbeans_sig_test john$ md5
>> incubating-netbeans-java-9.0-beta-bin.zip
>> MD5 (incubating-netbeans-java-9.0-beta-bin.zip) =
>> 05d71d0e2a9360b3402c6068425773db
>> Johns-MacBook-Pro-2:netbeans_sig_test john$ shasum
>> incubating-netbeans-java-9.0-beta-bin.zip
>> 0e9dbf7f70ceacf5b86b8e0ec1ea80b26d93293b  incubating-netbeans-java-9.0-b
>> eta-bin.zip
>>
>> Regards
>>
>> John
>>
>> On 7 March 2018 at 23:12, Geertjan Wielenga <
>> geertjan.wiele...@googlemail.com> wrote:
>>
>>> Would be good if someone would verify this -- when I look at the VOTE
>>> thread, the source signatures have been verified:
>>>
>>> https://lists.apache.org/thread.html/859cbc7d2f4631983e48e24
>>> e7c1053439cbebfee133cc9b3745046b4@%3Cdev.netbeans.apache.org%3E
>>>
>>> However, quite possibly the convenience binary signature has been
>>> checked -- since Apache releases source code and not binaries, which are
>>> optionally included for convenience only.
>>>
>>> Gj
>>>
>>> On Wed, Mar 7, 2018 at 11:48 PM, Leo Donahue <donahu...@gmail.com>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> Is this the right list for this question?
>>>>
>>>> I'm trying to verify the PGP ASC and KEY file but I get a bad signature
>>>> message.
>>>>
>>>> I'm here: https://netbeans.apache.org/download/nb90/nb90-beta.html
>>>>
>>>> In Terminal:
>>>> wget https://dist.apache.org/repos/dist/dev/incubator/netbeans/in
>>>> cubating-netbeans-java/incubating-9.0-beta/incubating-netbea
>>>> ns-java-9.0-beta-bin.zip.asc
>>>>
>>>> wget https://dist.apache.org/repos/dist/release/incubator/netbeans/KEYS
>>>>
>>>> pgp --import KEYS
>>>>
>>>> gpg --verify incubating-netbeans-java-9.0-beta-bin.zip.asc
>>>> Downloads/incubating-netbeans-java-9.0-beta-bin.zip
>>>>
>>>>
>>>> output:
>>>>
>>>> gpg: Signature made Wed 10 Jan 2018 03:41:31 PM MST
>>>> gpg:                using RSA key B4C1940FEA9364F1
>>>> gpg: BAD signature from "Jan Lahoda (Key for signing Apache NetBeans &
>>>> co. releases.) <jlah...@apache.org>" [unknown]
>>>>
>>>> What did I forget to do?
>>>>
>>>
>>>
>>
>

Reply via email to