Posted to dev@ant.apache.org by Antoine Lévy-Lambert <an...@antbuild.com> on 2004/02/01 17:16:20 UTC

Re: Fwd: Ant 1.6.0 download security confusion

Funguitar@aol.com wrote:

>Antoine,
>
>When I awoke this morning I thought I should send this to you too.
>
>Hope this helps, 
>
>Frank
>  
>
>
> ------------------------------------------------------------------------
>
> Subject:
> Ant 1.6.0 download security confusion
> From:
> Funguitar@aol.com
> Date:
> Sun, 01 Feb 2004 02:40:02 -0500
> To:
> security@apache.org
>
> To:
> security@apache.org
>
>
>Hello, 
>
>I went to download the latest Ant release on 1/31/04 at about 10:30 PST. From the apache distribution site, I downloaded the KEYS file and the pgp armored file, these two specifically
>http://www.apache.org/dist/ant/KEYS
>http://www.apache.org/dist/ant/ant-current-bin.zip.asc
>
>Then I imported KEYS into pgp on my system (windows 2000)
>Next I did, pgp ant-current-bin.zip.asc to verify it.
>pgp does not like what it found.
>The warning messages say, 
>File 'ant-current-bin.zip.asc' has signature, but with no text.
>Text is assumed to be in file 'ant-current-bin.zip'.
>WARNING: Bad signature, doesn't match file contents!
>
>Bad signature from user "Antoine Levy-Lambert (Apache Ant Committer) <an...@antbuild.com>".
>
>  
>
You probably also need to have downloaded ant-current-bin.zip before 
you check ant-current-bin.zip.asc

>I then downloaded from these two urls 
>http://apache.webmeta.com/ant/binaries/apache-ant-1.6.0-bin.zip
>http://www.apache.org/dist/ant/binaries/apache-ant-1.6.0-bin.zip.asc
>
>Then did pgp apache-ant-1.6.0-bin.zip.asc
>The result was,
>File 'apache-ant-1.6.0-bin.zip.asc' has signature, but with no text.
>Text is assumed to be in file 'apache-ant-1.6.0-bin.zip'.
>Good signature from user "Antoine Levy-Lambert (Apache Ant Committer) <an...@antbuild.com>".
>Signature made 2003/12/18 20:27 GMT
>
>WARNING: Because this public key is not certified with a trusted
>signature, it is not known with high confidence that this public key
>actually belongs to "Antoine Levy-Lambert (Apache Ant Committer) <an...@antbuild.com>".
>
>  
>
My public key has been signed by Stefan Bodewig. I do not know what a 
trusted signature is in the sense of pgp.

>I am using PGP 6.5.8 which I downloaded from MIT tonight specifically to do this check, especially because the Apache Ant website suggested so strongly that I use the pgp check not just md5. So I did and the Apache site turned up with these problems.
>
>Hope this helps straighten out the use of keys and signatures among the several websites involved. It seems there is some confusion at a minimum, here's hoping there is not an actual security problem.
>
>Frank Curran
>
>  
>

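The two things the exchange above turns on, written out as a shell script. This is an added example for this archived thread; it is not code from the original messages or from the Ant project, and it uses GnuPG rather than the PGP 6.5.8 build the report mentions (the wording of the messages differs, the logic does not). The KEYS path, the archive name and the expected fingerprint are placeholders the caller supplies, not values taken from the thread. The first check is the one Antoine points at: a .asc is only a signature, so the file it covers has to be next to it. The second is the one behind the "not certified with a trusted signature" warning: a good signature only identifies a key, and who owns that key is settled by comparing its fingerprint with one obtained independently of the download site, since the KEYS file is served from the same place as the archive.

```shell
#!/bin/sh
# Added example for this thread; it is not code from the original messages or
# from the Ant project. It verifies an Apache-style detached signature
# (archive next to archive.asc) with GnuPG and makes explicit the two things
# the report above ran into: the signed file must be present alongside the
# .asc, and a "good" signature only identifies a key, not its owner, until the
# key's fingerprint has been checked against a value obtained out of band.
# Assumes gpg (GnuPG 2.x) is on PATH. The KEYS path, archive name and expected
# fingerprint are placeholders supplied by the caller, not values from the thread.

# verify_detached SIG_FILE [KEYS_FILE] [EXPECTED_FINGERPRINT]
#   0  good signature, and the fingerprint matches if one was given
#   1  SIG_FILE does not look like a detached signature (.asc/.sig)
#   2  the signed file is not next to SIG_FILE (first failure in the report)
#   3  gpg reported a bad signature, an unknown key, or no signature data
#   4  good signature, but not from the expected key
#   5  KEYS_FILE could not be imported
#   6  gpg is not installed
verify_detached() {
    sig=$1; keys=$2; expected=$3

    # A detached signature covers a separate file; derive that file's name.
    case "$sig" in
        *.asc|*.sig) signed=${sig%.*} ;;
        *) echo "not a detached signature file: $sig" >&2; return 1 ;;
    esac
    [ -f "$signed" ] || { echo "missing signed file: $signed" >&2; return 2; }
    command -v gpg >/dev/null 2>&1 || { echo "gpg not found" >&2; return 6; }

    # --status-fd 1 puts machine-readable "[GNUPG:] ..." lines on stdout;
    # the human-readable warnings go to stderr and are not parsed.
    if [ -n "$keys" ]; then
        # Import KEYS into a scratch home directory so the check depends on
        # exactly the published file and leaves the caller's keyring alone.
        scratch=$(mktemp -d) || return 5
        gpg --batch --quiet --homedir "$scratch" --import "$keys" >/dev/null 2>&1 \
            || { rm -rf "$scratch"; echo "could not import $keys" >&2; return 5; }
        status=$(gpg --batch --homedir "$scratch" --status-fd 1 \
                     --verify "$sig" "$signed" 2>/dev/null)
        rm -rf "$scratch"
    else
        status=$(gpg --batch --status-fd 1 --verify "$sig" "$signed" 2>/dev/null)
    fi

    case "$status" in
        *"[GNUPG:] GOODSIG "*) ;;   # signature checks out; now check the key
        *"[GNUPG:] BADSIG "*)
            echo "BAD signature: file contents do not match the signature" >&2
            return 3 ;;
        *)
            echo "no good signature (unknown key or no signature data)" >&2
            return 3 ;;
    esac

    # VALIDSIG carries the signing key's fingerprint in field 3 and, on
    # GnuPG 2.x, the primary key's fingerprint last. Accept a match on either.
    fprs=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG /{print $3; print $NF}')
    if [ -n "$expected" ] && ! printf '%s\n' "$fprs" | grep -qix "$expected"; then
        echo "good signature, but from an unexpected key:" $fprs >&2
        return 4
    fi

    # TRUST_UNDEFINED here is the status behind the "not certified with a
    # trusted signature" warning: the key is not linked to the caller's own
    # key through the web of trust. Ownership is settled by the fingerprint
    # comparison above, not by this value.
    trust=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] TRUST_/{print $2}')
    echo "good signature from" $fprs "(gpg trust: ${trust:-unknown})"
    return 0
}

# Stand-alone use (names are placeholders):
#   sh verify.sh apache-ant-1.6.0-bin.zip.asc KEYS <fingerprint checked out of band>
if [ "$#" -gt 0 ]; then
    verify_detached "$@"
fi
```

Run against only the .asc, as in the first attempt above, it stops with status 2 before gpg is ever invoked. Run with both files present it reports a good or bad signature, and the trust value it prints is the same thing PGP was warning about: a signature on the key from Stefan Bodewig only helps a user whose own keyring already trusts Stefan's key. Once the fingerprint has been compared with one obtained through an independent channel, recording that decision with gpg --lsign-key makes the warning go away on later runs; without that comparison the warning is accurate and should be left standing.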


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ant.apache.org
For additional commands, e-mail: dev-help@ant.apache.org