james-server-user mailing list archives

From Eric Charles <e...@apache.org>
Subject Re: Problem with GPG verification of Release james-binary-2.3.2.tar.gz
Date Thu, 28 Jun 2012 08:33:13 GMT
Hi Dean,

I tried to check and also fell into the issue, with the following comments:
- the file name is apache-james-2.3.2.tar.gz (not james-binary-2.3.2.tar.gz)
- I was not able to connect to mit.edu from my current location, so I
couldn't test with the key downloaded from MIT.

Maybe Robert can have a look and update the KEY file.

Thx, Eric


On 06/28/2012 04:48 AM, Dean Ashby wrote:
> Hi,
>
> I've downloaded the following files from the main Apache FTP server:
>
> http://www.apache.org/dist/james/server/james-binary-2.3.2.tar.gz
> http://www.apache.org/dist/james/server/james-binary-2.3.2.tar.gz.asc
> http://www.apache.org/dist/james/KEYS
>
> And tried verifying the signature for the download using:
>
> gpg --import KEYS
> gpg --verify apache-james-2.3.2.tar.gz.asc
> gpg: Signature made Tue 11 Aug 2009 08:35:01 NZST using RSA key ID A6EE6908
> gpg: Can't check signature: public key not found
>
> This doesn't look good!
>
> Looking through the KEYS file there doesn't appear to be a key for A6EE6908
>
> Fetching the key from pgpkeys.mit.edu produces the following:
>
> gpg --keyserver pgpkeys.mit.edu --recv-key A6EE6908
> gpg: requesting key A6EE6908 from hkp server pgpkeys.mit.edu
> gpg: key A6EE6908: public key "Robert Burrell Donkin (CODE SIGNING KEY)
> <rdonkin@apache.org>" imported
> gpg: no ultimately trusted keys found
> gpg: Total number processed: 1
> gpg: imported: 1 (RSA: 1)
>
>
> And the fingerprint looks like this:
>
> gpg --fingerprint A6EE6908
> pub 8192R/A6EE6908 2009-08-07
> Key fingerprint = 597C 729B 0237 1932 E77C B9D5 EDB8 C082 A6EE 6908
> uid Robert Burrell Donkin (CODE SIGNING KEY) <rdonkin@apache.org>
> sub 8192R/B800EFC1 2009-08-07
>
> Robert Burrell Donkin does show up in the KEYS file but with a different
> key (B1313DE2).
>
> Is there something dodgy going on here or is there a problem with the
> key used to sign the download? It looks like Robert Donkin may have two
> keys and has used the wrong one to sign the .tgz archive?
>
> Regards,
>
> Dean
>
>
>
>
> --
> ------------------------------------------------------------------------
> ALCHEMY
> Purpose Built Software
>
> *Dean Ashby *
> Senior Software Engineer
>
> 118 Wrights Road, PO Box 2386, Christchurch 8140, New Zealand
> Telephone +64 3 281 8166 ext 763
> Mobile +64 21 388 414
> Facsimile +64 3 338 0420
>
> Email d.ashby@alchemy.co.nz
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: server-user-unsubscribe@james.apache.org
> For additional commands, e-mail: server-user-help@james.apache.org

-- 
eric | http://about.echarles.net | @echarles
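
Added example, not part of either message or of the James project's tooling: a small shell function that classifies `gpg --status-fd 1 --verify` output against one pinned fingerprint, so the "public key not found" case above is reported separately from a bad signature or a signature by an unexpected key. The function name `classify_status` is hypothetical, the sample status lines are constructed, and the pinned value is the fingerprint quoted in the thread, which is assumed to have been confirmed out of band.

```shell
#!/bin/sh
# Added example: classify `gpg --status-fd 1 --verify` output against one
# pinned signing-key fingerprint. With real files (not run here):
#   gpg --status-fd 1 --verify apache-james-2.3.2.tar.gz.asc \
#       apache-james-2.3.2.tar.gz 2>/dev/null | classify_status "$PINNED_FPR"

# Fingerprint quoted in the thread for key A6EE6908, spaces removed. Treat it
# as pinned only after confirming it through a channel other than a keyserver.
PINNED_FPR="597C729B02371932E77CB9D5EDB8C082A6EE6908"

# classify_status FPR: reads status lines on stdin, prints one verdict line,
# returns 0 only for a valid signature made by the pinned key.
classify_status() {
  cs_pinned=$1
  cs_verdict="NO_SIGNATURE_STATUS"
  while IFS= read -r cs_line; do
    case $cs_line in
      "[GNUPG:] BADSIG "*)
        cs_verdict="BAD_SIGNATURE" ;;
      "[GNUPG:] NO_PUBKEY "*)
        # Signature made by a key that is not in the keyring (the thread's case).
        cs_verdict="MISSING_KEY ${cs_line##* }" ;;
      "[GNUPG:] VALIDSIG "*)
        cs_rest=${cs_line#"[GNUPG:] VALIDSIG "}
        cs_signer=${cs_rest%% *}     # key (possibly a subkey) that signed
        cs_primary=${cs_line##* }    # primary-key fingerprint, last field
        if [ "$cs_signer" = "$cs_pinned" ] || [ "$cs_primary" = "$cs_pinned" ]; then
          cs_verdict="OK $cs_primary"
        else
          cs_verdict="UNEXPECTED_KEY $cs_primary"
        fi ;;
    esac
  done
  echo "$cs_verdict"
  [ "${cs_verdict%% *}" = "OK" ]
}

# Constructed status lines (not captured from a real gpg run).
SAMPLE_MISSING='[GNUPG:] ERRSIG EDB8C082A6EE6908 1 2 00 1249936501 9
[GNUPG:] NO_PUBKEY EDB8C082A6EE6908'
SAMPLE_VALID='[GNUPG:] GOODSIG EDB8C082A6EE6908 Robert Burrell Donkin (CODE SIGNING KEY) <rdonkin@apache.org>
[GNUPG:] VALIDSIG 597C729B02371932E77CB9D5EDB8C082A6EE6908 2009-08-10 1249936501 0 4 0 1 2 00 597C729B02371932E77CB9D5EDB8C082A6EE6908'

printf '%s\n' "$SAMPLE_MISSING" | classify_status "$PINNED_FPR" || true
printf '%s\n' "$SAMPLE_VALID"   | classify_status "$PINNED_FPR" || true
```

Running gpg with a temporary `GNUPGHOME` that contains only the imported KEYS file keeps keys already in a personal keyring from masking a missing entry.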
