You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@ant.apache.org by Aaron Tovo <aa...@tovo.net> on 2008/03/13 08:48:08 UTC
"gpg: BAD signature" on Ant download
I found a bad signature in the ant repository:
Computer:~ $ gpg --verify apache-ant-1.7.0-bin.zip.asc apache-
ant-1.7.0-bin.zip
gpg: Signature made Wed Dec 13 04:33:32 2006 PST using DSA key ID
265B4C63
gpg: BAD signature from "Antoine Levy-Lambert (Apache Ant Committer)
<an...@apache.org>"
A similar file in the same repository has a good sig (with a warning)
from the same person:
Computer:~ $ gpg --verify ant-current-bin.zip.asc /Applications/ant-
current-bin.zip
gpg: Signature made Wed Dec 13 04:33:32 2006 PST using DSA key ID
265B4C63
gpg: Good signature from "Antoine Levy-Lambert (Apache Ant Committer)
<an...@apache.org>"
gpg: aka "Antoine Levy-Lambert (Apache Ant Committer)
<an...@antbuild.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to
the owner.
Primary key fingerprint: 06A2 28AA B83A 18A8 DF7B 84B0 8614 D6AB
265B 4C63
Interestingly, a file had the same problem with the same signature a
year and a half ago: http://marc.info/?l=ant-dev&m=115432289117424&w=2
Is this a problem that a lot of people have run into?
Aaron
Seattle, USA
Re: "gpg: BAD signature" on Ant download
Posted by Stefan Bodewig <bo...@apache.org>.
On Thu, 13 Mar 2008, Aaron Tovo <aa...@tovo.net> wrote:
> I found a bad signature in the ant repository:
>
> Computer:~ $ gpg --verify apache-ant-1.7.0-bin.zip.asc apache-
> ant-1.7.0-bin.zip
> gpg: Signature made Wed Dec 13 04:33:32 2006 PST using DSA key ID
> 265B4C63
> gpg: BAD signature from "Antoine Levy-Lambert (Apache Ant Committer)
> <an...@apache.org>"
I just grabbed the ZIP from Apache's main site as well as Antoine's
signature of it:
stefan@v30161:/tmp> wget http://www.apache.org/dist/ant/binaries/apache-ant-1.7.0-bin.zip.asc
--13:54:09-- http://www.apache.org/dist/ant/binaries/apache-ant-1.7.0-bin.zip.asc
=> `apache-ant-1.7.0-bin.zip.asc'
Resolving www.apache.org... 140.211.11.130
Connecting to www.apache.org|140.211.11.130|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 186 [text/plain]
100%[====================================>] 186 --.--K/s
13:54:10 (14.78 MB/s) - `apache-ant-1.7.0-bin.zip.asc' saved [186/186]
stefan@v30161:/tmp> gpg --verify apache-ant-1.7.0-bin.zip.asc
gpg: Signature made Wed 13 Dec 2006 01:33:32 PM CET using DSA key ID 265B4C63
gpg: Good signature from "Antoine Levy-Lambert (Apache Ant Committer) <an...@apache.org>"
gpg: aka "Antoine Levy-Lambert (Apache Ant Committer) <an...@antbuild.com>"
So the signature is good.
Do you remember which mirror you used to download the file from?
Maybe the file got damaged during the transfer or the mirror got
currupted.
Stefan
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@ant.apache.org
For additional commands, e-mail: user-help@ant.apache.org