Posted to dev@tika.apache.org by "STEPHEN DURHAM (JIRA)" <ji...@apache.org> on 2016/06/13 16:05:21 UTC

[jira] [Created] (TIKA-2003) Tika 1.13 gpg signature not validating.

STEPHEN DURHAM created TIKA-2003:
------------------------------------

             Summary: Tika 1.13 gpg signature not validating.
                 Key: TIKA-2003
                 URL: https://issues.apache.org/jira/browse/TIKA-2003
             Project: Tika
          Issue Type: Bug
            Reporter: STEPHEN DURHAM


I am using Tika via the logicalspark/docker-tikaserver instance and I noticed that the latest update to 1.13 failed the build process for the docker instance due to a bad signature. I took some steps outlined below to make sure that this was actually an issue before submitting the ticket.

There is a related issue from a few years back, same RSA key 0EB30B07. The ticket is 1345.

Thanks in advance for any assistance with this issue.

-Stephen

First I tested with the Docker instance. I cloned the logicalspark/docker-tikaserver repo and attempted the docker build locally. The build encountered the following error:
{noformat}
gpg: Signature made Mon May  9 17:34:48 2016 UTC using RSA key ID 0EB30B07
gpg: Can't check signature: public key not found
{noformat}

I then tested locally, with no keys other than those contained in tika.asc.
{noformat}
wget https://people.apache.org/keys/group/tika.asc
wget http://apache.mirrors.tds.net/tika/tika-server-1.13.jar
wget https://www.apache.org/dist/tika/tika-server-1.13.jar.asc
{noformat}

Then I verified the MD5 sum matches the download page.
{noformat}
md5 tika-server-1.13.jar
MD5 (tika-server-1.13.jar) = 155bec7b7cb25b22effa99db1fb8e233
{noformat}

Next I verified the signature following the steps on the download page.
1. Import the Keys.
{noformat}
gpg --import tika.asc
gpg: /Users/stephen/.gnupg/trustdb.gpg: trustdb created
gpg: key B876884A: public key "Chris Mattmann (CODE SIGNING KEY)" imported
gpg: key 6ED9BE21: public key "Bob Paulin (CODE SIGNING KEY)" imported
gpg: key 0890B1AB: public key "Konstantin Gribov (gross)" imported
gpg: key 6E68DA61: public key "Michael McCandless (CODE SIGNING KEY)" imported
gpg: key A355A63E: public key "Jukka Zitting" imported
gpg: key 8A26D9A6: public key "Jukka Zitting" imported
gpg: key 42CFAE07: public key "Jukka Zitting (CODE SIGNING KEY)" imported
gpg: key 95D21F2E: public key "Ray Gauss II (CODE SIGNING KEY)" imported
gpg: key D4F10117: public key "Tyler Palsulich" imported
gpg: key DEDEAB92: public key "Sergey Beryozkin (Release Management)" imported
gpg: key 97EDDE66: public key "tallison (apache_distro_keys)" imported
gpg: key 48BAEBF6: public key "Lewis John McGibbney (CODE SIGNING KEY)" imported
gpg: key D84E41AE: public key "Nick Burch" imported
gpg: Total number processed: 13
gpg:               imported: 13  (RSA: 8)
gpg: no ultimately trusted keys found
{noformat}
2. Verify the signature.
{noformat}
gpg --verify tika-server-1.13.jar.asc
gpg: assuming signed data in `tika-server-1.13.jar'
gpg: Signature made Mon May  9 12:34:48 2016 CDT using RSA key ID 0EB30B07
gpg: Can't check signature: public key not found
{noformat}
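
Added example (not part of the original report and not Tika project tooling): reading gpg's machine-readable `--status-fd` lines separates the "public key not found" outcome shown above from a signature that fails to verify, and checks whether the signing key ID appears in the key-file import output. Function names are hypothetical; the 16-digit key IDs are the report's short IDs zero-padded, and the ERRSIG field values are constructed.

```shell
#!/bin/sh
# Added example; function names are hypothetical.

# Constructed sample. Key IDs are the report's short IDs zero-padded to 16
# digits; the ERRSIG fields (algorithms, class, time, reason 9) are constructed.
SAMPLE_STATUS='[GNUPG:] ERRSIG 000000000EB30B07 1 2 00 1462815288 9
[GNUPG:] NO_PUBKEY 000000000EB30B07'
# Two lines excerpted from the import output in the report.
SAMPLE_IMPORT='gpg: key B876884A: public key "Chris Mattmann (CODE SIGNING KEY)" imported
gpg: key D84E41AE: public key "Nick Burch" imported'

# Read `gpg --status-fd 1 --verify ...` lines on stdin, print "<verdict> <keyid>".
classify_gpg_status() {
    awk '
        $1 != "[GNUPG:]"  { next }
        $2 == "GOODSIG"   { verdict = "good";        key = $3 }
        $2 == "BADSIG"    { verdict = "bad";         key = $3 }
        $2 == "NO_PUBKEY" { verdict = "missing-key"; key = $3 }
        $2 == "ERRSIG" && verdict == "" { verdict = "unchecked"; key = $3 }
        END { if (verdict == "") verdict = "unknown"
              printf "%s%s\n", verdict, (key != "" ? " " key : "") }
    '
}

# Read `gpg --import` output on stdin; succeed if key ID $1 was imported.
# Compares the last 8 hex digits, so short and long key IDs both match.
key_was_imported() {
    short=$(printf '%s' "$1" | tail -c 8)
    grep -q "^gpg: key [0-9A-F]*$short: public key"
}

# $1 = import output, $2 = status output; print a one-line diagnosis.
diagnose() {
    result=$(printf '%s\n' "$2" | classify_gpg_status)
    verdict=${result%% *}; key=${result#* }
    case $verdict in
        good) echo "OK: signed by $key" ;;
        bad)  echo "FAIL: signature does not match the file (key $key)" ;;
        missing-key)
            if printf '%s\n' "$1" | key_was_imported "$key"; then
                echo "RETRY: key $key was imported but gpg did not find it"
            else
                echo "UNVERIFIED: signer $key is not in the imported key file"
            fi ;;
        *) echo "UNVERIFIED: $result" ;;
    esac
}

diagnose "$SAMPLE_IMPORT" "$SAMPLE_STATUS"
```

In a build script, only the `good` verdict should let the build continue; every other verdict leaves the download unauthenticated.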