ant-user mailing list archives

From Wascally Wabbit <>
Subject Re: Can't verify integrity of Ant 1.6.2 downloads
Date Mon, 19 Jul 2004 11:44:34 GMT
Might be just me, but methinks this is a good candidate for
the FAQ particularly for folks learning to verify (mostly)
everything they download...

At 01:38 AM 7/18/2004, you wrote:
>Demyanovich, Craig - Apogent wrote:
>>Below is the result of running a Windows version of md5sum [1] on the MD5
>>signature file for the Ant 1.6.2 Zip file.
>>$ md5sum -c
>>md5sum: no properly formatted MD5 checksum
>>lines found
>The MD5 sum file produced for the release is not in the format used by 
>md5sum for the -c option. This is maybe something we can change. 
>Nevertheless you can manually verify the sum is correct
>43237da0a3cf95456220a399da885743 *
>So even though it is not usable with the -c option, it does look ok.

>>GnuPG on Mac OS X
>>redstar:~/downloads admin$ gpg --verify apache-ant-1.6.2-bin.tar.gz.asc
>>gpg: Signature made Fri Jul 16 03:59:58 2004 EDT using DSA key ID 265B4C63
>>gpg: Good signature from "Antoine Levy-Lambert (Apache Ant Committer)
>>gpg:                 aka "Antoine Levy-Lambert (Apache Ant Committer)
>>gpg: WARNING: This key is not certified with a trusted signature!
>>gpg:          There is no indication that the signature belongs to the
>>Primary key fingerprint: 06A2 28AA B83A 18A8 DF7B  84B0 8614 D6AB 265B 4C63
>>redstar:~/downloads admin$
>>Since this is the first time that I've used gnupg, I'm not sure of the
>>results.  The warning, then, indicates to me a failure.
>The warning is not a failure. It states that the file is correctly signed 
>but you don't know that the signature used to sign the file is really that 
>belonging to Antoine. It is up to you to decide what level of trust you 
>are going to give to any key. If you had met with Antoine, checked out his 
>passport and his key, you might be inclined to trust that key. 
>Alternatively you might trust his key if it had been verified by someone 
>else you have chosen to trust.
>If you choose to accept the key from the KEYS file, you are implying you 
>trust that you actually communicated with the Apache site and the contents 
>of the Apache site have not been modified by a third party, etc. In 
>security you generally start out assuming the worst and go from there. 
>GnuPG reflects that philosophy.

The Wabbit 
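The thread's practical point is that the release's .md5 file carries only a digest (and a stray `*`) with no filename, so `md5sum -c` rejects it, while the digest itself is still checkable by hand. The following Python script is an added illustration of that check and is not code from the thread or from the Ant project: it parses the three layouts assumed here (bare digest, `digest *`, and md5sum's own `digest *filename`), compares the digest of a local file, and emits a line in the form `md5sum -c` accepts. The sample file contents, the hashes and the temporary filename are constructed for the demonstration.

```python
"""Verify a download against an Apache-style .md5 file whose line has no filename.

Added example (not from the ant-user thread). Assumed checksum layouts:
"<hex>", "<hex> *" and "<hex> *<name>" (the last is md5sum's binary-mode format).
"""
import hashlib
import hmac
import os
import re
import tempfile

# 32 hex digits, then optionally whitespace, an optional '*' binary marker
# and an optional filename. A trailing bare '*' yields an empty name.
_LINE_RE = re.compile(r"^\s*([0-9a-fA-F]{32})(?:\s+\*?(\S*))?\s*$")


def parse_md5_file(text):
    """Return (digest, filename or None) from the first usable line."""
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if m:
            return m.group(1).lower(), (m.group(2) or None)
    raise ValueError("no MD5 digest found in checksum file")


def md5_of_file(path):
    """Stream the file so large archives do not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(artifact_path, md5_text):
    """True if the artifact's MD5 equals the digest in the checksum text.

    If the checksum file does name a file, insist it is this artifact so a
    digest for a different release is not silently accepted.
    """
    expected, named = parse_md5_file(md5_text)
    if named and named != os.path.basename(artifact_path):
        raise ValueError("checksum file names a different artifact: %s" % named)
    return hmac.compare_digest(md5_of_file(artifact_path), expected)


def md5sum_c_line(artifact_path, digest):
    """Rewrite a bare digest into the '<hex> *<name>' line md5sum -c expects."""
    return "%s *%s" % (digest, os.path.basename(artifact_path))


def demo():
    """Constructed sample: a tiny 'download' plus good and tampered .md5 texts."""
    data = b"hello world"                                   # constructed payload
    good_md5 = "5eb63bbbe01eeed093cb22bb8f5acdc3 *\n"      # MD5 of the payload
    tampered_md5 = "00000000000000000000000000000000 *\n"  # constructed mismatch
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "apache-ant-1.6.2-bin.zip")  # name only, not the real archive
        with open(path, "wb") as f:
            f.write(data)
        ok = verify_download(path, good_md5)
        bad = verify_download(path, tampered_md5)
        line = md5sum_c_line(path, md5_of_file(path))
    return ok, bad, line


if __name__ == "__main__":
    ok, bad, line = demo()
    print("good checksum verifies:", ok)
    print("tampered checksum verifies:", bad)
    print("md5sum -c compatible line:", line)
```

Writing the generated `<hex> *<name>` line to a file next to the archive lets `md5sum -c` run unchanged. This only covers the integrity half of the thread: the digest proves the bytes match what the site published, and the separate `gpg --verify` step, whose decisive line is `Good signature`, is what ties the release to the signer's key; the "not certified with a trusted signature" warning is about how far you trust that key, as the quoted reply explains.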
