Posted to server-user@james.apache.org by Dean Ashby <d....@alchemy.co.nz> on 2012/06/28 04:48:43 UTC

Problem with GPG verification of Release james-binary-2.3.2.tar.gz

Hi,

I've downloaded the following files from the main Apache FTP server:

http://www.apache.org/dist/james/server/james-binary-2.3.2.tar.gz
http://www.apache.org/dist/james/server/james-binary-2.3.2.tar.gz.asc
http://www.apache.org/dist/james/KEYS

And tried verifying the signature for the download using:

gpg --import KEYS
gpg --verify apache-james-2.3.2.tar.gz.asc
gpg: Signature made Tue 11 Aug 2009 08:35:01 NZST using RSA key ID A6EE6908
gpg: Can't check signature: public key not found

This doesn't look good!

Looking through the KEYS file there doesn't appear to be a key for A6EE6908

Fetching the key from pgpkeys.mit.edu produces the following:

gpg --keyserver pgpkeys.mit.edu --recv-key A6EE6908
gpg: requesting key A6EE6908 from hkp server pgpkeys.mit.edu
gpg: key A6EE6908: public key "Robert Burrell Donkin (CODE SIGNING KEY) <rd...@apache.org>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)


And the fingerprint looks like this:

gpg --fingerprint A6EE6908
pub   8192R/A6EE6908 2009-08-07
       Key fingerprint = 597C 729B 0237 1932 E77C  B9D5 EDB8 C082 A6EE 6908
uid                  Robert Burrell Donkin (CODE SIGNING KEY) <rd...@apache.org>
sub   8192R/B800EFC1 2009-08-07

Robert Burrell Donkin does show up in the KEYS file but with a different 
key (B1313DE2).

Is there something dodgy going on here or is there a problem with the 
key used to sign the download?  It looks like Robert Donkin may have two 
keys and has used the wrong one to sign the .tgz archive?

Regards,

Dean




-- 
------------------------------------------------------------------------
ALCHEMY
Purpose Built Software

Dean Ashby
Senior Software Engineer

118 Wrights Road, PO Box 2386, Christchurch 8140, New Zealand
Telephone +64 3 281 8166 ext 763
Mobile +64 21 388 414
Facsimile +64 3 338 0420

Email d.ashby@alchemy.co.nz
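The failure above ("Can't check signature: public key not found") is gpg saying the signing key is simply unknown to it; fetching the key from a keyserver then makes the signature verify, but that by itself proves nothing about whether the project publishes that key. The following is an added example, not code from the thread or from Apache James, showing the check a downloader actually wants: compute the fingerprints of every primary key in the downloaded KEYS file (RFC 4880 v4 fingerprints, SHA-1 over the key packet) and compare the signer's full fingerprint reported by `gpg --status-fd 1 --verify` against them, rather than eyeballing the 8-hex short ID. The key packet, the KEYS text and the `[GNUPG:]` status lines in the block are constructed for the example (the status lines mirror the thread's situation using the fingerprint quoted there); none of them is real gpg output or a real key.

```python
import base64
import hashlib
import re

ARMOR_RE = re.compile(
    r"-----BEGIN PGP PUBLIC KEY BLOCK-----\n(.*?)-----END PGP PUBLIC KEY BLOCK-----", re.S)


def dearmor(inner: str) -> bytes:
    """Drop 'Version:'/'Comment:' armor headers, blank lines and the '=XXXX' CRC24 line."""
    lines = [l.strip() for l in inner.splitlines()
             if l.strip() and ": " not in l and not l.startswith("=")]
    return base64.b64decode("".join(lines))


def iter_packets(raw: bytes):
    """Yield (tag, body) for each OpenPGP packet, old- or new-format header (RFC 4880 4.2)."""
    i = 0
    while i < len(raw):
        ctb = raw[i]
        i += 1
        if ctb & 0x40:                      # new-format header
            tag, first = ctb & 0x3F, raw[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + raw[i] + 192, i + 1
            elif first == 255:
                length, i = int.from_bytes(raw[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths do not occur in KEYS files")
        else:                               # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            n = 1 << ltype                  # 1, 2 or 4 length octets
            length, i = int.from_bytes(raw[i:i + n], "big"), i + n
        yield tag, raw[i:i + length]
        i += length


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99, the two-octet body length, and the key packet body."""
    if body[0] != 4:
        raise ValueError("only v4 keys are handled")
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()


def short_key_id(fpr: str) -> str:
    """The 8-hex ID in gpg's 'using RSA key ID ...' line is just the fingerprint's last 32 bits."""
    return fpr[-8:]


def fingerprints_in_keys_file(keys_text: str) -> list:
    """Fingerprints of every primary public key (tag 6; subkeys are tag 14) in a KEYS file."""
    return [v4_fingerprint(body)
            for m in ARMOR_RE.finditer(keys_text)
            for tag, body in iter_packets(dearmor(m.group(1))) if tag == 6]


def check_signature_status(status_output: str, keys_text: str) -> tuple:
    """Read `gpg --status-fd 1 --verify` lines and decide whether KEYS vouches for the signer.
    ("missing", long_keyid) on NO_PUBKEY; ("trusted", fpr) when VALIDSIG names a fingerprint
    published in KEYS; ("untrusted", fpr) when it does not; ("bad", "") otherwise (e.g. BADSIG)."""
    known = set(fingerprints_in_keys_file(keys_text))
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] == "NO_PUBKEY":
            return ("missing", fields[2])
        if fields[1] == "VALIDSIG":
            fpr = fields[2].upper()
            return ("trusted" if fpr in known else "untrusted", fpr)
    return ("bad", "")


# Constructed sample data below: not a real key and not real gpg output.
def _mpi(value: int) -> bytes:
    nbits = value.bit_length()
    return nbits.to_bytes(2, "big") + value.to_bytes((nbits + 7) // 8, "big")


def _armor(packet: bytes) -> str:
    b64 = base64.b64encode(packet).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    # The CRC24 line is deliberately bogus: dearmor() ignores it, gpg itself would not.
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: constructed\n\n"
            f"{body}\n=AAAA\n-----END PGP PUBLIC KEY BLOCK-----\n")


# v4 RSA public key packet with a dummy 2048-bit modulus, dated 2009-08-07 like the thread's key.
_BODY = (b"\x04" + (1249603200).to_bytes(4, "big") + b"\x01"
         + _mpi(int.from_bytes(b"\x8f" * 256, "big")) + _mpi(65537))
SAMPLE_KEYS = "pub   stand-in KEYS entry\n" + _armor(b"\x99" + len(_BODY).to_bytes(2, "big") + _BODY)
SAMPLE_FPR = v4_fingerprint(_BODY)
# The thread's case: the signer's long key ID (low 64 bits of the fingerprint quoted there) is not in KEYS.
STATUS_NO_PUBKEY = ("[GNUPG:] ERRSIG EDB8C082A6EE6908 1 2 00 1249936501 9\n"
                    "[GNUPG:] NO_PUBKEY EDB8C082A6EE6908\n")
# After `--recv-key` the signature verifies, but KEYS still does not vouch for that key.
STATUS_VALID_UNLISTED = ("[GNUPG:] VALIDSIG 597C729B02371932E77CB9D5EDB8C082A6EE6908 2009-08-10 "
                         "1249936501 0 4 0 1 2 00 597C729B02371932E77CB9D5EDB8C082A6EE6908\n")
```

Against real downloads, pipe `gpg --status-fd 1 --verify apache-james-2.3.2.tar.gz.asc apache-james-2.3.2.tar.gz` into `check_signature_status` together with the contents of the KEYS file. A "missing" result is the situation in this thread; an "untrusted" result is what you get after `--recv-key` if KEYS is still not updated, and only "trusted" means the project's own key list vouches for the signer. Matching on the 40-hex fingerprint matters because `short_key_id("597C729B02371932E77CB9D5EDB8C082A6EE6908")` is just `"A6EE6908"`, the last 32 bits, which is far too little to identify a key.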

Re: Problem with GPG verification of Release james-binary-2.3.2.tar.gz

Posted by Eric Charles <er...@apache.org>.
Hi Dean,

I tried to check and ran into the issue as well, with the following comments:
- the file name is apache-james-2.3.2.tar.gz (not james-binary-2.3.2.tar.gz)
- I was not able to connect to mit.edu from my current location, so I couldn't test with the key downloaded from MIT.

Maybe Robert can have a look and update the KEYS file.

Thx, Eric



-- 
eric | http://about.echarles.net | @echarles

---------------------------------------------------------------------
To unsubscribe, e-mail: server-user-unsubscribe@james.apache.org
For additional commands, e-mail: server-user-help@james.apache.org