You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@maven.apache.org by Francois Bertel <fr...@kitware.com> on 2005/10/25 21:46:04 UTC

[solved]Re: bad pgp signature and checksum on the distributed files.

Ok, I solved the issue myself...

I got confused by the name of the link on the download page
http://maven.apache.org/maven-1.x/start/download.html .

I first downloaded the checksum and PGP signatures by right clicking on
"checksum" and "PGP" and they were real files.

So, I did the same for ".tar.bz2 archive" and save the link:
http://www.apache.org/dyn/closer.cgi/maven/binaries/maven-1.0.2.tar.bz2

I didn't catch the "cgi" word at first.

Fortunately, at some point, I left clicked "by mistake" on this link and a
mirror page showed up! So, I could download the right file and everything is
fine now.

It sounds like the joke of the day. :-)

Francois Bertel wrote:
> Hi,
> 
> It seems the distributed files of maven have wrong pgp signature and checksum.
> 
> I'm running Gentoo Linux on a x86 architecture.
> 
> I downloaded maven-1.0.2.tar.bz2 , md5 and asc files from this page:
> http://maven.apache.org/maven-1.x/start/download.html
> 
> First, I typed:
> 
> $ gpg --verify maven-1.0.2.tar.bz2.asc maven-1.0.2.tar.bz2
> 
> and I got:
> 
> gpg: Signature made Tue Dec  7 06:19:08 2004 EST using DSA key ID 084C9113
> gpg: Can't check signature: public key not found
> 
> So, I typed:
> $ gpg --keyserver pgp.mit.edu --recv-keys 084C9113
> 
> and I got:
> gpg: requesting key 084C9113 from hkp server pgp.mit.edu
> gpg: key 084C9113: duplicated user ID detected - merged
> gpg: key 084C9113: public key "Brett Porter <br...@apache.org>" imported
> gpg: no ultimately trusted keys found
> gpg: Total number processed: 1
> gpg:               imported: 1
> 
> Then, I tried again:
> $ gpg --verify maven-1.0.2.tar.bz2.asc maven-1.0.2.tar.bz2
> 
> and I got:
> gpg: Signature made Tue Dec  7 06:19:08 2004 EST using DSA key ID 084C9113
> gpg: BAD signature from "Brett Porter <br...@apache.org>"
> 
> 
> I also ran md5sum on the file:
> $ md5sum maven-1.0.2.tar.bz2
> I got:
> b8deac945380d76c27e60b1fc4711a8a  maven-1.0.2.tar.bz2
> which is different from:
> $ cat maven-1.0.2.tar.bz2.md5
> 81a6b4393e550635efe19e95cea38718
> 
> 
> I have the same issue with the .tar.gz file or with maven-2.0.
> 
> Any help appreciated.
> 
> 


-- 
François Bertel, PhD  | Kitware Inc. Suite 204
1 (518) 371 3971 x113 | 28 Corporate Drive
                      | Clifton Park NY 12065, USA

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@maven.apache.org
For additional commands, e-mail: users-help@maven.apache.org