Posted to solr-user@lucene.apache.org by "Malcolm Allison [CASS]" <Ma...@cass.govt.nz> on 2016/09/06 05:02:29 UTC

Bad signature in 6.2.0?

Hi,

Today I downloaded Solr 6.2.0 from apache.org along with the keys and MD5

~# wget http://www-us.apache.org/dist/lucene/solr/6.2.0/KEYS
~# wget http://www-us.apache.org/dist/lucene/solr/6.2.0/solr-6.2.0.zip.asc
~# wget http://www-us.apache.org/dist/lucene/solr/6.2.0/solr-6.2.0.tgz
~# wget http://www-us.apache.org/dist/lucene/solr/6.2.0/solr-6.2.0.zip.md5

I imported the keys and attempted to verify...

~# gpg --import KEYS
~# gpg --verify solr-6.2.0.zip.asc solr-6.2.0.tgz

But got the following error...

gpg: Signature made Sat 20 Aug 2016 21:42:56 NZST using DSA key ID 6E68DA61
gpg: BAD signature from "Michael McCandless (CODE SIGNING KEY)

I have downloaded again from another machine with the same result. Is there a problem with the signing of this package? I am hesitant to install it on our servers in this state.


Regards,
Malcolm.



[UNCLASSIFIED]


--
                             CONFIDENTIALITY NOTICE
The information in this email is confidential to the Treasury, intended only for the addressee(s), and may also be legally privileged.  If you are not an intended addressee:
a.  please immediately delete this email and notify the Treasury by return email or telephone (64 4 472 2733);
b.  any use, dissemination or copying of this email is strictly prohibited and may be unlawful.

Re: Bad signature in 6.2.0?

Posted by Chris Hostetter <ho...@fucit.org>.
: 
: I imported the keys and attempted to verify...
: 
: ~# gpg --import KEYS
: ~# gpg --verify solr-6.2.0.zip.asc solr-6.2.0.tgz
: 
: But got the following error...

you're attempting to verify the signature of the ZIP file against the TAR 
GZIP file.


-Hoss
http://www.lucidworks.com/

Re: Bad signature in 6.2.0?

Posted by Shawn Heisey <ap...@elyograg.org>.
On 9/5/2016 11:02 PM, Malcolm Allison [CASS] wrote:
> Today I downloaded Solr 6.2.0 from apache.org along with the keys and MD5
>
> ~# wget http://www-us.apache.org/dist/lucene/solr/6.2.0/KEYS
> ~# wget http://www-us.apache.org/dist/lucene/solr/6.2.0/solr-6.2.0.zip.asc
> ~# wget http://www-us.apache.org/dist/lucene/solr/6.2.0/solr-6.2.0.tgz
> ~# wget http://www-us.apache.org/dist/lucene/solr/6.2.0/solr-6.2.0.zip.md5
>
> I imported the keys and attempted to verify...
>
> ~# gpg --import KEYS
> ~# gpg --verify solr-6.2.0.zip.asc solr-6.2.0.tgz
>
> But got the following error...
>
> gpg: Signature made Sat 20 Aug 2016 21:42:56 NZST using DSA key ID 6E68DA61
> gpg: BAD signature from "Michael McCandless (CODE SIGNING KEY)
>
> I have downloaded again from another machine with the same result. Is there a problem with the signing of this package? I am hesitant to install it on our servers in this state.

Does the md5sum check out?

Here's what I did, and found that the signature verifies:

root@sauron:~/asf# wget https://archive.apache.org/dist/lucene/solr/6.2.0/KEYS
root@sauron:~/asf# wget https://archive.apache.org/dist/lucene/solr/6.2.0/solr-6.2.0.tgz
root@sauron:~/asf# wget https://archive.apache.org/dist/lucene/solr/6.2.0/solr-6.2.0.tgz.asc

root@sauron:~/asf# gpg --import KEYS
<snip>
root@sauron:~/asf# gpg --verify solr-6.2.0.tgz.asc
gpg: assuming signed data in `solr-6.2.0.tgz'
gpg: Signature made Sat 20 Aug 2016 03:42:55 AM MDT using DSA key ID 6E68DA61
gpg: Good signature from "Michael McCandless (CODE SIGNING KEY) <mi...@apache.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 2C72 EB13 9773 3A55 1DDB  60CC F119 941F 6E68 DA61

I was also able to verify the zip version.

root@sauron:~/asf# gpg --verify solr-6.2.0.zip.asc
gpg: assuming signed data in `solr-6.2.0.zip'
gpg: Signature made Sat 20 Aug 2016 03:42:56 AM MDT using DSA key ID 6E68DA61
gpg: Good signature from "Michael McCandless (CODE SIGNING KEY) <mi...@apache.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 2C72 EB13 9773 3A55 1DDB  60CC F119 941F 6E68 DA61

The first thing that comes to mind is that maybe you've got a broken
version of wget that is not downloading correctly.

Thanks,
Shawn
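The procedure Shawn runs by hand above (download artifact, its own .asc and .md5, import KEYS, verify) and the mistake Hoss points out (the .zip signature checked against the .tgz) are both covered by the following script. It is an added example written for this page, not code from the thread, from the Solr project or from Apache's release tooling. It assumes the artifact, artifact.asc and artifact.md5 sit in one directory as on the Apache mirrors, that the .md5 file starts with the hex digest, and that gpg's `--status-fd` output is available; the pinned fingerprint is the one gpg printed in Shawn's output, and the `[GNUPG:]` status lines in the demo are constructed, not captured.

```shell
#!/bin/sh
# Added example (not from the thread or the Solr project): check an Apache
# release artifact against its *matching* detached signature and digest, and
# pin the signer's fingerprint instead of trusting "Good signature" alone.
# Assumed layout: artifact, artifact.asc, artifact.md5 in the same directory.
set -eu

# Fingerprint from the gpg output in Shawn's reply, spaces removed. A "Good
# signature" only proves the .asc matches *some* key in KEYS (hence gpg's
# "not certified" warning); pinning the fingerprint closes that gap.
SOLR_620_SIGNER_FPR=2C72EB1397733A551DDB60CCF119941F6E68DA61

# The thread's mistake: solr-6.2.0.zip.asc verified against solr-6.2.0.tgz.
# Derive the expected signature name from the artifact and refuse anything else.
check_pair() {
    artifact=$1 sig=$2
    [ "$sig" = "$artifact.asc" ]
}

# Assumption: the .md5 file's first field is the hex digest ("digest  name").
# Compared case-insensitively because mirrors differ in letter case.
check_digest() {
    artifact=$1 md5file=$2
    want=$(awk 'NR==1 {print tolower($1)}' "$md5file")
    got=$(md5sum "$artifact" | awk '{print tolower($1)}')
    [ -n "$want" ] && [ "$want" = "$got" ]
}

# Pull the primary-key fingerprint out of gpg --status-fd output. Only a
# VALIDSIG line carries it; a BADSIG run prints nothing and the caller fails.
fpr_from_status() {
    awk '$1=="[GNUPG:]" && $2=="VALIDSIG" {print $3; exit}'
}

# Full check on real downloads (KEYS must already be imported into gpg):
# names pair up, digest matches, signature valid, signer is the pinned key.
verify_release() {
    artifact=$1 sig=$2 md5file=$3 want_fpr=$4
    check_pair "$artifact" "$sig" || { echo "$sig is not the signature for $artifact"; return 1; }
    check_digest "$artifact" "$md5file" || { echo "md5 mismatch for $artifact"; return 1; }
    got_fpr=$(gpg --batch --status-fd 1 --verify "$sig" "$artifact" 2>/dev/null | fpr_from_status) || true
    [ "$got_fpr" = "$want_fpr" ] || { echo "bad signature or unexpected signer: '${got_fpr:-none}'"; return 1; }
    echo "OK: $artifact signed by $want_fpr"
}

# --- offline demo on constructed data ---------------------------------------
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
printf 'hello\n' > "$tmp/solr-6.2.0.tgz"                   # constructed stand-in, not the real tarball
printf 'b1946ac92492d2347c6235b4d2611184  solr-6.2.0.tgz\n' > "$tmp/solr-6.2.0.tgz.md5"

check_pair solr-6.2.0.tgz solr-6.2.0.zip.asc && echo "pair ok" || echo "rejected: zip.asc does not belong to the tgz"
check_pair solr-6.2.0.tgz solr-6.2.0.tgz.asc && echo "pair ok: tgz.asc belongs to the tgz"
check_digest "$tmp/solr-6.2.0.tgz" "$tmp/solr-6.2.0.tgz.md5" && echo "digest ok"

# Constructed status lines modelled on gpg's GOODSIG/VALIDSIG format; the key
# id and fingerprint are the ones shown in the thread, the rest is illustrative.
sample_status='[GNUPG:] GOODSIG F119941F6E68DA61 Michael McCandless (CODE SIGNING KEY)
[GNUPG:] VALIDSIG 2C72EB1397733A551DDB60CCF119941F6E68DA61 2016-08-20 1471686175 0 4 0 17 2 00 2C72EB1397733A551DDB60CCF119941F6E68DA61'
[ "$(printf '%s\n' "$sample_status" | fpr_from_status)" = "$SOLR_620_SIGNER_FPR" ] && echo "signer fingerprint pinned"
```

On real downloads, call `verify_release solr-6.2.0.tgz solr-6.2.0.tgz.asc solr-6.2.0.tgz.md5 "$SOLR_620_SIGNER_FPR"` after `gpg --import KEYS`. Two caveats: an .md5 fetched from the same mirror as the tarball only catches corruption, since an attacker who can swap the tarball can swap the digest file too, so the signature is the integrity check that matters; and the fingerprint to pin should come from a source you trust independently of the mirror (the project's KEYS on the canonical apache.org host, a previous verified release), not from the download you are trying to verify.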


RE: Bad signature in 6.2.0?

Posted by "Malcolm Allison [CASS]" <Ma...@cass.govt.nz>.
[UNCLASSIFIED]

Bingo!

Downloaded the correct .asc and .md5 files for the tgz version and they now verify. I feel a bit dumb.


Thanks a lot for the help,
Malcolm.
-----Original Message-----
From: Chris Hostetter [mailto:hossman_lucene@fucit.org] 
Sent: Thursday, 8 September 2016 7:06 AM
To: solr-user@lucene.apache.org
Subject: Re: Bad signature in 6.2.0?

: 
: I imported the keys and attempted to verify...
: 
: ~# gpg --import KEYS
: ~# gpg --verify solr-6.2.0.zip.asc solr-6.2.0.tgz
: 
: But got the following error...

you're attempting to verify the signature of the ZIP file against the TAR GZIP file.


-Hoss
http://www.lucidworks.com/

