Posted to user@tika.apache.org by SwiftFast <sw...@gmx.com> on 2017/09/19 11:27:14 UTC

Tika 1.16 Download Checksum and GPG failure

I tried downloading Tika from https://tika.apache.org/download.html,
but the checksums are not correct. Best case scenario: A
misconfiguration. Worst case: something malicious. The checksum/GPG
data is shown below.

The jars I downloaded can be found here:
https://mega.nz/#!x6QmHbiQ!ADzzEYgiNZ-nJqBHyMT8GVGP34-MNtG3et3NDqlaJ4w

=== sha1 Actual:
e97e1ea51fdb93ad7e0edd4e2e28cb7bd36ee0ab  tika-app-1.16.jar
e1b1b108fac5e0fc7e3995cddb39d10edd85b829  tika-eval-1.16.jar
ae4cda8420a9a24f0807b8ae9bd5d3dd94b69d86  tika-server-1.16.jar
e06f73bb7c1a281e88d4ddb2f7026727a3bc106f  tika-1.16-src.zip

=== sha1 Expected (as written in https://tika.apache.org/download.html)
cd0e68e795c513f317cf70759129f16bbd04822a  tika-app-1.16.jar
71461f9746894811cfcd683d1f444e683a7ae89a  tika-eval-1.16.jar
70a9ad2cca397ad1309bd65b9150ae8f6fadb407  tika-server-1.16.jar
e6884af0209ace42bf0b9b59d72c3c5a0052055e  tika-1.16-src.zip

=== md5 actual:
64e410ecabaecf302389042ef1ff76cb  tika-1.16-src.zip
fb1eab62e243bec62e4e4d4958b155a2  tika-app-1.16.jar
bd4609f3769fd400bdb7dd7ea3af3d23  tika-eval-1.16.jar
ccc92bc8a42ed54b877ec3c23dddac2c  tika-server-1.16.jar

=== md5 Expected (as written in https://tika.apache.org/download.html)
33db4056ea44b34f95b7b7cb98c0ea06  tika-app-1.16.jar
c5472760c287f2c6d54f88b1f90279de  tika-eval-1.16.jar
6a549ce6ef6e186e019766059fd82fb2  tika-server-1.16.jar
4ec3bba071fcb1ee1e5b1311953c960e  tika-1.16-src.zip

=== GPG status:
gpg: assuming signed data in 'tika-1.16-src.zip'
gpg: Signature made Sat 08 Jul 2017 05:27:42 AM +03
gpg:                using RSA key E4032DC4EF0CF38A
gpg: BAD signature from "Tim Allison (ASF signing key) <ta...@apache.org>" [unknown]
gpg: assuming signed data in 'tika-app-1.16.jar'
gpg: Signature made Sat 08 Jul 2017 05:13:16 AM +03
gpg:                using RSA key E4032DC4EF0CF38A
gpg: BAD signature from "Tim Allison (ASF signing key) <ta...@apache.org>" [unknown]
gpg: assuming signed data in 'tika-eval-1.16.jar'
gpg: Signature made Sat 08 Jul 2017 05:20:17 AM +03
gpg:                using RSA key E4032DC4EF0CF38A
gpg: BAD signature from "Tim Allison (ASF signing key) <ta...@apache.org>" [unknown]
gpg: assuming signed data in 'tika-server-1.16.jar'
gpg: Signature made Sat 08 Jul 2017 05:17:53 AM +03
gpg:                using RSA key E4032DC4EF0CF38A
gpg: BAD signature from "Tim Allison (ASF signing key) <ta...@apache.org>" [unknown]

GPG certs were obtained from:
 https://people.apache.org/keys/group/tika.asc

tika.asc sha256:
b2f5924315c00cc32e6c1334037f00822f2b9af1696a504562f5547faf1cfa1c

Re: Tika 1.16 Download Checksum and GPG failure

Posted by Nino Škopac <ni...@gmail.com>.
For what it's worth, I agree with you regarding URL design.

On Tue, Sep 19, 2017 at 1:37 PM, SwiftFast <sw...@gmx.com> wrote:

> My sincere apologies! The error was my fault.
>
> https://www.apache.org/dyn/closer.cgi/tika/tika-server-1.16.jar is
> actually an HTML page!
>
> The link ends with .jar, and I fetched this with wget presuming it was
> the jar, but it is an HTML page.  (This is bad url design in my humble
> opinion).
>

attachments for: Tika 1.16 Download Checksum and GPG failure

Posted by SwiftFast <sw...@gmx.com>.
This is an attempt to attach the jars. I am not sure the mailing list
allows this. If not, this is a fallback link. (same as link in previous
mail).
https://mega.nz/#!x6QmHbiQ!ADzzEYgiNZ-nJqBHyMT8GVGP34-MNtG3et3NDqlaJ4w

Re: Tika 1.16 Download Checksum and GPG failure

Posted by SwiftFast <sw...@gmx.com>.
My sincere apologies! The error was my fault.

https://www.apache.org/dyn/closer.cgi/tika/tika-server-1.16.jar is
actually an HTML page!

The link ends with .jar, and I fetched this with wget presuming it was
the jar, but it is an HTML page.  (This is bad url design in my humble
opinion).
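
Added example (not part of the original thread or of the Tika project): a pre-check that catches the failure described above, where a saved mirror-selection HTML page carries a .jar name and so fails every checksum and signature. The function names and sample files are constructed for illustration; SHA-1 is used only because that is what the thread compares.

```shell
#!/bin/sh
# Classify a downloaded file by its leading bytes: jar and zip files start
# with the ZIP local-file-header magic "PK\003\004"; a mirror-selection page
# saved under a .jar name starts with HTML markup instead.
sniff_type() {
    magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    if [ "$magic" = "504b0304" ]; then
        echo zip
    elif head -c 512 "$1" | grep -qiE '<!doctype html|<html'; then
        echo html
    else
        echo unknown
    fi
}

# Compare the SHA-1 of a file with the published value, but only after
# confirming the file is an archive at all, so a wrong-content download is
# reported as such instead of as a bare checksum mismatch.
# Prints one of: ok, mismatch, not-an-archive:<type>
check_download() {
    file=$1
    expected=$2
    kind=$(sniff_type "$file")
    if [ "$kind" != zip ]; then
        echo "not-an-archive:$kind"
        return 0
    fi
    actual=$(sha1sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then echo ok; else echo mismatch; fi
}

# Constructed sample inputs (not the real Tika artifacts).
demo_dir=$(mktemp -d)
printf 'PK\003\004constructed-archive-bytes' > "$demo_dir/good.jar"
printf '<!DOCTYPE html>\n<html><body>Pick a mirror</body></html>\n' \
    > "$demo_dir/mirror-page.jar"
good_sha1=$(sha1sum "$demo_dir/good.jar" | cut -d' ' -f1)

check_download "$demo_dir/good.jar" "$good_sha1"
check_download "$demo_dir/good.jar" "0000000000000000000000000000000000000000"
check_download "$demo_dir/mirror-page.jar" "$good_sha1"
```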