Apologies for the spam, cross posting to dev. @Antonio, do you know if the link on the website for NetBeans 9.0 Beta is correct? Looking at this thread, the signature doesn't match the RC3.0 thread we voted on. If we have a small typo we should try to catch this early in the NetCat phase.
Regards John On 8 March 2018 at 07:47, John McDonnell <mcdonnell.j...@gmail.com> wrote: > Hi Leo, > > I didn't import the keys, as I had previously done this step... > > But > > I'm looking at a different file then you: > https://dist.apache.org/repos/dist/dev/incubator/netbeans/in > cubating-netbeans-java/incubating-9.0-beta/incubating- > netbeans-java-9.0-beta-bin.zip(you) > https://dist.apache.org/repos/dist/dev/incubator/netbeans/in > cubating-netbeans-java/incubating-9.0-beta-rc3/incubating- > netbeans-java-9.0-beta-bin.zip(me) > > @Geertjan, the vote thread you referenced earlier, we voted on the link I > used - and got a good signature, so I think that's okay. But the website > points to a different URL (The one Leo checked). I suspect that the > website is using the wrong URL, but before I jump to that conclusion, just > curious after the successful vote would you have moved the artefact to > the location on the website? > > Regards > > John > > > On 8 March 2018 at 01:50, Leo Donahue <donahu...@gmail.com> wrote: > >> Hi John, >> >> I noticed that you didn't issue: gpg --import KEYS >> >> I tried again, using wget to download the binary zip file, same result. >> I have also tried different mirrors. I guess I will just build from >> source, I was just being lazy. >> >> (The --list-keys command illustrates I don't already have the KEYS file >> imported) >> >> leo@vmw01:~$ *gpg --list-keys* >> leo@vmw01:~$ *wget >> https://dist.apache.org/repos/dist/release/incubator/netbeans/KEYS >> <https://dist.apache.org/repos/dist/release/incubator/netbeans/KEYS>* >> --2018-03-07 18:40:53-- https://dist.apache.org/repos/ >> dist/release/incubator/netbeans/KEYS >> Resolving dist.apache.org (dist.apache.org)... 209.188.14.144 >> Connecting to dist.apache.org (dist.apache.org)|209.188.14.144|:443... >> connected. >> HTTP request sent, awaiting response... 200 OK >> Length: 7594 (7.4K) [text/plain] >> Saving to: ‘KEYS’ >> >> KEYS 100%[========================= >> ==============================================>] 7.42K --.-KB/s in >> 0s >> >> 2018-03-07 18:40:54 (42.0 MB/s) - ‘KEYS’ saved [7594/7594] >> >> leo@vmw01:~$ *wget >> https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta/incubating-netbeans-java-9.0-beta-bin.zip.asc >> <https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta/incubating-netbeans-java-9.0-beta-bin.zip.asc>* >> --2018-03-07 18:41:11-- https://dist.apache.org/repos/ >> dist/dev/incubator/netbeans/incubating-netbeans-java/incubat >> ing-9.0-beta/incubating-netbeans-java-9.0-beta-bin.zip.asc >> Resolving dist.apache.org (dist.apache.org)... 209.188.14.144 >> Connecting to dist.apache.org (dist.apache.org)|209.188.14.144|:443... >> connected. >> HTTP request sent, awaiting response... 200 OK >> Length: 819 [text/plain] >> Saving to: ‘incubating-netbeans-java-9.0-beta-bin.zip.asc’ >> >> incubating-netbeans-java-9.0-beta-bin 100%[========================= >> ==============================================>] 819 --.-KB/s in >> 0s >> >> 2018-03-07 18:41:11 (16.4 MB/s) - >> ‘incubating-netbeans-java-9.0-beta-bin.zip.asc’ >> saved [819/819] >> >> leo@vmw01:~$ *wget >> http://apache.cs.utah.edu/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta/incubating-netbeans-java-9.0-beta-bin.zip >> <http://apache.cs.utah.edu/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta/incubating-netbeans-java-9.0-beta-bin.zip>* >> --2018-03-07 18:41:41-- http://apache.cs.utah.edu/incu >> bator/netbeans/incubating-netbeans-java/incubating-9.0-beta/ >> incubating-netbeans-java-9.0-beta-bin.zip >> Resolving apache.cs.utah.edu (apache.cs.utah.edu)... 155.98.64.87 >> Connecting to apache.cs.utah.edu (apache.cs.utah.edu)|155.98.64.87|:80... >> connected. >> HTTP request sent, awaiting response... 200 OK >> Length: 167193685 (159M) [application/zip] >> Saving to: ‘incubating-netbeans-java-9.0-beta-bin.zip’ >> >> incubating-netbeans-java-9.0-beta-bin 100%[========================= >> ==============================================>] 159.45M 8.14MB/s in >> 31s >> >> 2018-03-07 18:42:12 (5.22 MB/s) - ‘incubating-netbeans-java-9.0-beta-bin.zip’ >> saved [167193685/167193685] >> >> leo@vmw01:~$ *gpg --import KEYS* >> gpg: key B4C1940FEA9364F1: public key "Jan Lahoda (Key for signing Apache >> NetBeans & co. releases.) <jlah...@apache.org>" imported >> gpg: key 13E9F7AE3A4FD551: public key "geert...@apache.org (Key for >> signing Apache NetBeans & co. releases.) <geert...@apache.org>" imported >> gpg: Total number processed: 2 >> gpg: imported: 2 >> leo@vmw01:~$ *gpg --verify incubating-netbeans-java-9.0-beta-bin.zip.asc >> incubating-netbeans-java-9.0-beta-bin.zip* >> gpg: Signature made Wed 10 Jan 2018 03:41:31 PM MST >> gpg: using RSA key B4C1940FEA9364F1 >> gpg: BAD signature from "Jan Lahoda (Key for signing Apache NetBeans & >> co. releases.) <jlah...@apache.org>" [unknown] >> leo@vmw01:~$ >> >> >> On Wed, Mar 7, 2018 at 5:00 PM, John McDonnell <mcdonnell.j...@gmail.com> >> wrote: >> >>> I got something slightly different... >>> >>> I have a good signature when verifying the .asc file, but when I do an >>> md5 or sha1 check on the zip file I get different results as to whats >>> currently on the website: >>> >>> Johns-MacBook-Pro-2:netbeans_sig_test john$ wget >>> https://dist.apache.org/repos/dist/dev/incubator/netbeans/in >>> cubating-netbeans-java/incubating-9.0-beta-rc3/incubating-ne >>> tbeans-java-9.0-beta-bin.zip >>> --2018-03-07 23:48:01-- https://dist.apache.org/repos/ >>> dist/dev/incubator/netbeans/incubating-netbeans-java/incubat >>> ing-9.0-beta-rc3/incubating-netbeans-java-9.0-beta-bin.zip >>> Resolving dist.apache.org... 209.188.14.144 >>> Connecting to dist.apache.org|209.188.14.144|:443... connected. >>> HTTP request sent, awaiting response... 200 OK >>> Length: 167193685 (159M) [application/octet-stream] >>> Saving to: 'incubating-netbeans-java-9.0-beta-bin.zip' >>> >>> incubating-netbeans-java-9.0-beta-bin.zip >>> 100%[======================================================= >>> =========================================================>] 159.45M >>> 2.61MB/s in 57s >>> >>> 2018-03-07 23:48:58 (2.80 MB/s) - >>> 'incubating-netbeans-java-9.0-beta-bin.zip' >>> saved [167193685/167193685] >>> >>> Johns-MacBook-Pro-2:netbeans_sig_test john$ wget >>> https://dist.apache.org/repos/dist/dev/incubator/netbeans/in >>> cubating-netbeans-java/incubating-9.0-beta-rc3/incubating-ne >>> tbeans-java-9.0-beta-bin.zip.asc >>> --2018-03-07 23:49:49-- https://dist.apache.org/repos/ >>> dist/dev/incubator/netbeans/incubating-netbeans-java/incubat >>> ing-9.0-beta-rc3/incubating-netbeans-java-9.0-beta-bin.zip.asc >>> Resolving dist.apache.org... 209.188.14.144 >>> Connecting to dist.apache.org|209.188.14.144|:443... connected. >>> HTTP request sent, awaiting response... 200 OK >>> Length: 833 [text/plain] >>> Saving to: 'incubating-netbeans-java-9.0-beta-bin.zip.asc' >>> >>> incubating-netbeans-java-9.0-beta-bin.zip.asc >>> 100%[======================================================= >>> =========================================================>] 833 >>> --.-KB/s in 0s >>> >>> 2018-03-07 23:49:49 (18.9 MB/s) - >>> 'incubating-netbeans-java-9.0-beta-bin.zip.asc' >>> saved [833/833] >>> >>> Johns-MacBook-Pro-2:netbeans_sig_test john$ gpg --verify >>> incubating-netbeans-java-9.0-beta-bin.zip.asc >>> incubating-netbeans-java-9.0-beta-bin.zip >>> gpg: Signature made Sun 4 Feb 13:57:10 2018 GMT >>> gpg: using RSA key 51B0E375B4941714A809F90E13E9F7 >>> AE3A4FD551 >>> gpg: Good signature from "geert...@apache.org (Key for signing Apache >>> NetBeans & co. releases.) <geert...@apache.org>" [unknown] >>> gpg: WARNING: This key is not certified with a trusted signature! >>> gpg: There is no indication that the signature belongs to the >>> owner. >>> Primary key fingerprint: 51B0 E375 B494 1714 A809 F90E 13E9 F7AE 3A4F >>> D551 >>> >>> Johns-MacBook-Pro-2:netbeans_sig_test john$ md5 >>> incubating-netbeans-java-9.0-beta-bin.zip >>> MD5 (incubating-netbeans-java-9.0-beta-bin.zip) = >>> 05d71d0e2a9360b3402c6068425773db >>> Johns-MacBook-Pro-2:netbeans_sig_test john$ shasum >>> incubating-netbeans-java-9.0-beta-bin.zip >>> 0e9dbf7f70ceacf5b86b8e0ec1ea80b26d93293b incubating-netbeans-java-9.0-b >>> eta-bin.zip >>> >>> Regards >>> >>> John >>> >>> On 7 March 2018 at 23:12, Geertjan Wielenga < >>> geertjan.wiele...@googlemail.com> wrote: >>> >>>> Would be good if someone would verify this -- when I look at the VOTE >>>> thread, the source signatures have been verified: >>>> >>>> https://lists.apache.org/thread.html/859cbc7d2f4631983e48e24 >>>> e7c1053439cbebfee133cc9b3745046b4@%3Cdev.netbeans.apache.org%3E >>>> >>>> However, quite possibly the convenience binary signature has been >>>> checked -- since Apache releases source code and not binaries, which are >>>> optionally included for convenience only. >>>> >>>> Gj >>>> >>>> On Wed, Mar 7, 2018 at 11:48 PM, Leo Donahue <donahu...@gmail.com> >>>> wrote: >>>> >>>>> Hi, >>>>> >>>>> Is this the right list for this question? >>>>> >>>>> I'm trying to verify the PGP ASC and KEY file but I get a bad >>>>> signature message. >>>>> >>>>> I'm here: https://netbeans.apache.org/download/nb90/nb90-beta.html >>>>> >>>>> In Terminal: >>>>> wget https://dist.apache.org/repos/dist/dev/incubator/netbeans/in >>>>> cubating-netbeans-java/incubating-9.0-beta/incubating-netbea >>>>> ns-java-9.0-beta-bin.zip.asc >>>>> >>>>> wget https://dist.apache.org/repos/dist/release/incubator/netbean >>>>> s/KEYS >>>>> >>>>> pgp --import KEYS >>>>> >>>>> gpg --verify incubating-netbeans-java-9.0-beta-bin.zip.asc >>>>> Downloads/incubating-netbeans-java-9.0-beta-bin.zip >>>>> >>>>> >>>>> output: >>>>> >>>>> gpg: Signature made Wed 10 Jan 2018 03:41:31 PM MST >>>>> gpg: using RSA key B4C1940FEA9364F1 >>>>> gpg: BAD signature from "Jan Lahoda (Key for signing Apache NetBeans & >>>>> co. releases.) <jlah...@apache.org>" [unknown] >>>>> >>>>> What did I forget to do? >>>>> >>>> >>>> >>> >> >
