Posted to notifications@ant.apache.org by bu...@apache.org on 2015/11/27 21:52:40 UTC

[Bug 58664] New: Binary distributions fail GnuPG integrity verification check

https://bz.apache.org/bugzilla/show_bug.cgi?id=58664

            Bug ID: 58664
           Summary: Binary distributions fail GnuPG integrity verification
                    check
           Product: Ant
           Version: 1.9.6
          Hardware: Macintosh
            Status: NEW
          Severity: major
          Priority: P2
         Component: Other
          Assignee: notifications@ant.apache.org
          Reporter: scott@websharpstudios.com

Created attachment 33306
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=33306&action=edit
ASC and KEYS file downloaded from the root.  Tar downloaded from mirror
http://apache.mirrors.tds.net/.

In Mac Terminal:

brew install gnupg
==> Downloading ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-1.4.19.tar.bz2

curl: (28) Operation timed out after 0 milliseconds with 0 out of 0 bytes
received
Trying a mirror...
==> Downloading
https://www.mirrorservice.org/sites/ftp.gnupg.org/gcrypt/gnupg/g
######################################################################## 100.0%
==> ./configure --disable-silent-rules --prefix=/usr/local/Cellar/gnupg/1.4.19
-
==> make
==> make check
==> make install

-- 
You are receiving this mail because:
You are the assignee for the bug.

[Bug 58664] Binary distributions fail GnuPG integrity verification check

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=58664

--- Comment #2 from SCOTT WEEDEN <sc...@websharpstudios.com> ---
dev:desktop scott$ gpg --verify apache-ant-1.9.6-bin.tar.gz.asc
gpg: assuming signed data in `apache-ant-1.9.6-bin.tar.gz'
gpg: Signature made Mon Jun 29 01:00:07 2015 EDT using DSA key ID 5F6B8B72
gpg: Good signature from "Stefan Bodewig <bo...@apache.org>"
gpg:                 aka "Stefan Bodewig <st...@freenet.de>"
gpg:                 aka "Stefan Bodewig <st...@samaflost.de>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: CE80 75A2 5154 7BEE 249B  C151 A211 5AE1 5F6B 8B72


[Bug 58664] Binary distributions fail GnuPG integrity verification check

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=58664

Stefan Bodewig <bo...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |INVALID

--- Comment #3 from Stefan Bodewig <bo...@apache.org> ---
It doesn't fail the integrity check at all.

> gpg: Good signature from "Stefan Bodewig <bo...@apache.org>"

What gpg tells you with

> WARNING: This key is not certified with a trusted signature!

is that there is no path of trust between you and my PGP key.  I.e., you haven't
told your gpg installation you'd trust the signature of anybody (not even
transitively) who has signed my key.

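
Added example (not part of the original thread and not Apache Ant tooling): a shell function that reads `gpg --status-fd` output and keeps apart the two things comment #3 distinguishes, signature validity and key trust, by checking the signer against a fingerprint obtained out-of-band. The function names, verdict strings and sample status lines are constructed for illustration; the fingerprint is the one printed in comment #2.

```shell
#!/bin/sh
# Classify the machine-readable output of
#   gpg --status-fd 1 --verify FILE.asc FILE 2>/dev/null
# $1 = fingerprint obtained out-of-band (spaces allowed). Hypothetical helper.
classify_gpg_status() {
    pinned=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    good=0; bad=0; fpr=""; trust="UNKNOWN"
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] GOODSIG "*) good=1 ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*) bad=1 ;;
            "[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*) bad=1 ;;
            "[GNUPG:] VALIDSIG "*)
                rest=${line#"[GNUPG:] VALIDSIG "}
                fpr=${rest%% *}    # fingerprint of the key that signed
                last=${rest##* }   # primary-key fingerprint when gpg reports it
                if [ "${#last}" -ge 40 ]; then fpr=$last; fi ;;
            "[GNUPG:] TRUST_"*)
                trust=${line#"[GNUPG:] TRUST_"}; trust=${trust%% *} ;;
        esac
    done
    # Integrity: gpg must report a good, valid signature and nothing bad.
    if [ "$bad" -eq 1 ] || [ "$good" -eq 0 ] || [ -z "$fpr" ]; then
        echo "REJECT: no valid signature"; return 1
    fi
    # Identity: the signing key must be the one pinned out-of-band.
    if [ "$fpr" != "$pinned" ]; then
        echo "REJECT: valid signature, but from unpinned key $fpr"; return 1
    fi
    # The web-of-trust level is reported, not enforced: UNDEFINED goes with
    # the "not certified with a trusted signature" warning in the thread.
    echo "OK: valid signature, pinned key, trust=$trust"
}

# Constructed status lines for the run in comment #2 (numeric fields are
# placeholders, not captured output).
sample_status() {
cat <<'EOF'
[GNUPG:] GOODSIG A2115AE15F6B8B72 Stefan Bodewig <bo...@apache.org>
[GNUPG:] VALIDSIG CE8075A251547BEE249BC151A2115AE15F6B8B72 2015-06-29 0 0 4 0 17 2 00 CE8075A251547BEE249BC151A2115AE15F6B8B72
[GNUPG:] TRUST_UNDEFINED
EOF
}

sample_status | classify_gpg_status "CE80 75A2 5154 7BEE 249B  C151 A211 5AE1 5F6B 8B72"
```

The pinned fingerprint only adds assurance if it comes from a source other than the mirror that served the tarball, such as the KEYS file fetched from the project's own site as the reporter did.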

[Bug 58664] Binary distributions fail GnuPG integrity verification check

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=58664

SCOTT WEEDEN <sc...@websharpstudios.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 OS|                            |All

--- Comment #1 from SCOTT WEEDEN <sc...@websharpstudios.com> ---
dev:desktop scott$ gpg --import KEYS
gpg: WARNING: digest algorithm MD5 is deprecated
gpg: please see https://gnupg.org/faq/weak-digest-algos.html for more
information
gpg: key FEECAAED: "Stefan Bodewig <bo...@apache.org>" not changed
gpg: key 51898504: "Conor MacNeill <co...@cortexebusiness.com.au>" not changed
gpg: key 697ECEDD: "Henri Gomez <hg...@slib.fr>" not changed
gpg: key 397DCAD5: "Henri Gomez <hg...@users.sourceforge.net>" not changed
gpg: key 307A10A5: "Henri Gomez <hg...@users.sourceforge.net>" not changed
gpg: key EDF62C35: "Magesh Umasankar <um...@apache.org>" not changed
gpg: key 5F6B8B72: "Stefan Bodewig <bo...@apache.org>" not changed
gpg: key C152431A: "Steve Loughran <st...@apache.org>" not changed
gpg: key AA0077B0: "Kev Jackson (apache key) <ke...@apache.org>" not changed
gpg: key DE8884A0: "Xavier Hanin <xa...@gmail.com>" not changed
gpg: key B80602AE: "Maarten Coene (CODE SIGNING KEY) <ma...@apache.org>" not
changed
gpg: key 3B7C75B1: "Gilles Scokart (at apache) <gs...@apache.org>" not
changed
gpg: key 7BF8BE8E: "Nicolas Lalevée <ni...@hibnet.org>" not changed
gpg: key 971731FB: "Nicolas Lalevée <ni...@hibnet.org>" not changed
gpg: key 9711DBFC: "Jon Schneider <js...@apache.org>" not changed
gpg: key 265B4C63: "Antoine Levy-Lambert (Apache Ant Committer)
<an...@apache.org>" not changed
gpg: key 710038F5: "Antoine Levy-Lambert (CODE SIGNING KEY)
<an...@apache.org>" not changed
gpg: key 82A7FBCD: "Antoine Levy-Lambert (CODE SIGNING KEY)
<an...@apache.org>" not changed
gpg: Total number processed: 18
gpg:              unchanged: 18
