ant-user mailing list archives

From Wascally Wabbit <wascallywab...@earthling.net>
Subject Re: Can't verify integrity of Ant 1.6.2 downloads
Date Mon, 19 Jul 2004 11:44:34 GMT
Might be just me, but methinks this is a good candidate for
the FAQ particularly for folks learning to verify (mostly)
everything they download...


At 01:38 AM 7/18/2004, you wrote:
>Demyanovich, Craig - Apogent wrote:
>>[snip]
>>Below is the result of running a Windows version of md5sum [1] on the MD5
>>signature file for the Ant 1.6.2 Zip file.
>>$ md5sum -c apache-ant-1.6.2-bin.zip.md5
>>md5sum: apache-ant-1.6.2-bin.zip.md5: no properly formatted MD5 checksum
>>lines found
>
>The MD5 sum file produced for the release is not in the format used by 
>md5sum for the -c option. This is maybe something we can change. 
>Nevertheless you can manually verify the sum is correct
>
>D:\download>md5sum apache-ant-1.6.2-bin.zip
>43237da0a3cf95456220a399da885743 *apache-ant-1.6.2-bin.zip
>
>D:\download>cat apache-ant-1.6.2-bin.zip.md5
>43237da0a3cf95456220a399da885743
>
>So even though it is not usable with the -c option, it does look ok.



>>GnuPG on Mac OS X
>>=================
>>redstar:~/downloads admin$ gpg --verify apache-ant-1.6.2-bin.tar.gz.asc
>>gpg: Signature made Fri Jul 16 03:59:58 2004 EDT using DSA key ID 265B4C63
>>gpg: Good signature from "Antoine Levy-Lambert (Apache Ant Committer)
>><antoine@apache.org>"
>>gpg:                 aka "Antoine Levy-Lambert (Apache Ant Committer)
>><antoine@antbuild.com>"
>>gpg: WARNING: This key is not certified with a trusted signature!
>>gpg:          There is no indication that the signature belongs to the
>>owner.
>>Primary key fingerprint: 06A2 28AA B83A 18A8 DF7B  84B0 8614 D6AB 265B 4C63
>>redstar:~/downloads admin$
>>Since this is the first time that I've used gnupg, I'm not sure of the
>>results.  The warning, then, indicates to me a failure.
>
>The warning is not a failure. It states that the file is correctly signed 
>but you don't know that the signature used to sign the file is really that 
>belonging to Antoine. It is up to you to decide what level of trust you 
>are going to give to any key. If you had met with Antoine, checked out his 
>passport and his key, you might be inclined to trust that key. 
>Alternatively you might trust his key if it had been verified by someone 
>else you have chosen to trust.
>
>If you choose to accept the key from the KEYS file, you are implying you 
>trust that you actually communicated with the Apache site and the contents 
>of the Apache site have not been modified by a third party, etc. In 
>security you generally start out assuming the worst and go from there. 
>GnuPG reflects that philosophy.
>
>Conor

The Wabbit 
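As an added illustration (not code from this thread or from the Ant project), here is a small Python checker for the situation Conor describes: it accepts both the bare-digest `.md5` file Apache published and an `md5sum`-style line, compares the digest against the downloaded bytes the same way the manual `md5sum` / `cat` check does, and can rewrite the bare digest into a line `md5sum -c` understands. The archive bytes and the `.md5` file in `demo()` are constructed for the example; only the filenames come from the thread.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# Accepts either the bare 32-hex digest that the Ant .md5 file quoted above
# contains, or an md5sum-style line "<digest> *<file>" / "<digest>  <file>".
_LINE_RE = re.compile(r"^\s*([0-9a-fA-F]{32})(?:\s+\*?(\S.*?))?\s*$")

def parse_md5_line(line):
    """Return (digest, filename or None); raise ValueError on malformed input."""
    m = _LINE_RE.match(line)
    if not m:
        raise ValueError(f"no properly formatted MD5 checksum line: {line!r}")
    return m.group(1).lower(), m.group(2)

def md5_of_bytes(data):
    return hashlib.md5(data).hexdigest()

def verify_md5(data, md5_text, expected_name):
    """True if data's MD5 equals the digest in md5_text.

    A bare digest (no filename field) is taken to refer to expected_name, which
    is what comparing 'md5sum file' against 'cat file.md5' does by hand."""
    digest, name = parse_md5_line(md5_text)
    if name is not None and Path(name).name != expected_name:
        raise ValueError(f".md5 file names {name!r}, not {expected_name!r}")
    # Constant-time comparison of the two hex strings.
    return hmac.compare_digest(digest, md5_of_bytes(data))

def md5sum_check_line(digest, filename):
    """Rewrite a bare digest into the binary-mode form `md5sum -c` accepts."""
    return f"{digest.lower()} *{filename}\n"

def demo():
    """Constructed sample: a fake archive plus a bare-digest .md5 beside it."""
    archive = b"PK\x03\x04 constructed fake zip payload for the example\n"
    with tempfile.TemporaryDirectory() as tmp:
        zip_path = Path(tmp) / "apache-ant-1.6.2-bin.zip"
        md5_path = Path(tmp) / "apache-ant-1.6.2-bin.zip.md5"
        zip_path.write_bytes(archive)
        md5_path.write_text(md5_of_bytes(archive) + "\n")  # bare digest, as Apache shipped it
        md5_text = md5_path.read_text()
        good = verify_md5(zip_path.read_bytes(), md5_text, zip_path.name)
        tampered = verify_md5(archive + b"x", md5_text, zip_path.name)
    return good, tampered
```

A matching digest only shows the file is the one whose digest the site published, which is why the rest of the thread turns to the PGP signature and the trust you place in the signing key.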



---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@ant.apache.org
For additional commands, e-mail: user-help@ant.apache.org

