ant-user mailing list archives

From Conor MacNeill <co...@cortexebusiness.com.au>
Subject Re: Can't verify integrity of Ant 1.6.2 downloads
Date Sun, 18 Jul 2004 05:38:52 GMT
Demyanovich, Craig - Apogent wrote:
> Greetings all,
> 
> I've been unable to verify the integrity of the Ant 1.6.2 downloads.  While
> I've never had a problem with any Ant downloads in the past, I'm trying to
> be more cautious about all downloads these days.  Below I describe my
> attempts to verify the Ant 1.6.2 downloads and the results that I obtained.
> 
> md5sum on Windows and Mac OS X
> ==============================
> Below is the result of running a Windows version of md5sum [1] on the MD5
> signature file for the Ant 1.6.2 Zip file.
> 
> $ md5sum -c apache-ant-1.6.2-bin.zip.md5
> md5sum: apache-ant-1.6.2-bin.zip.md5: no properly formatted MD5 checksum
> lines found

The MD5 sum file produced for the release is not in the format used by 
md5sum for the -c option. This is maybe something we can change. 
Nevertheless you can manually verify the sum is correct:

D:\download>md5sum apache-ant-1.6.2-bin.zip
43237da0a3cf95456220a399da885743 *apache-ant-1.6.2-bin.zip

D:\download>cat apache-ant-1.6.2-bin.zip.md5
43237da0a3cf95456220a399da885743

So even though it is not usable with the -c option, it does look ok.

> GnuPG on Mac OS X
> =================
> redstar:~/downloads admin$ gpg --verify apache-ant-1.6.2-bin.tar.gz.asc
> gpg: Signature made Fri Jul 16 03:59:58 2004 EDT using DSA key ID 265B4C63
> gpg: Good signature from "Antoine Levy-Lambert (Apache Ant Committer)
> <antoine@apache.org>"
> gpg:                 aka "Antoine Levy-Lambert (Apache Ant Committer)
> <antoine@antbuild.com>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the
> owner.
> Primary key fingerprint: 06A2 28AA B83A 18A8 DF7B  84B0 8614 D6AB 265B 4C63
> redstar:~/downloads admin$
> 
> Since this is the first time that I've used gnupg, I'm not sure of the
> results.  The warning, then, indicates to me a failure.
> 

The warning is not a failure. It states that the file is correctly 
signed but you don't know that the signature used to sign the file is 
really that belonging to Antoine. It is up to you to decide what level 
of trust you are going to give to any key. If you had met with Antoine, 
checked out his passport and his key, you might be inclined to trust 
that key. Alternatively you might trust his key if it had been verified 
by someone else you have chosen to trust.

If you choose to accept the key from the KEYS file, you are implying you 
trust that you actually communicated with the Apache site and the 
contents of the Apache site have not been modified by a third party, 
etc. In security you generally start out assuming the worst and go from 
there. GnuPG reflects that philosophy.

Conor
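A small script for the situation Conor describes, added here as an example and not part of the original thread: the Apache .md5 file holds only the hex digest with no filename, so md5sum -c rejects it; this reads the digest out, sanity-checks it, and compares it against the download itself. The function name verify_bare_md5 is hypothetical and the script assumes GNU md5sum and a POSIX sh.

```shell
#!/bin/sh
# Added example, not from the Ant project or the original thread.
# Verifies a download against a "bare" .md5 file that contains just the
# 32-hex-character digest (the format Apache published for Ant 1.6.2),
# which is why "md5sum -c file.md5" reports no properly formatted lines.

# verify_bare_md5 FILE MD5FILE
#   returns 0 when the digest in MD5FILE matches FILE,
#   1 on a mismatch, 2 when MD5FILE is unreadable or malformed
verify_bare_md5() {
    file=$1
    md5file=$2

    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    [ -r "$md5file" ] || { echo "cannot read $md5file" >&2; return 2; }

    # First token of the first line, lower-cased. A bare Apache .md5 file
    # holds only the digest; a "digest  filename" line is tolerated too.
    expected=$(awk 'NR==1 { print tolower($1) }' "$md5file")

    # Reject anything that is not exactly 32 hex characters before trusting it.
    case $expected in
        '' | *[!0-9a-f]*) echo "malformed digest in $md5file" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 32 ] || { echo "digest in $md5file is not 32 hex chars" >&2; return 2; }

    # Compute the digest of the download and compare the two strings; the
    # awk strips md5sum's trailing " *filename" / "  filename" column.
    actual=$(md5sum "$file" | awk '{ print $1 }')

    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches $md5file"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}
```

Example invocation: verify_bare_md5 apache-ant-1.6.2-bin.zip apache-ant-1.6.2-bin.zip.md5 (it does not run automatically when the script is sourced).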
