pdfbox-users mailing list archives

From "Mark Bobick, CTO" <m.bob...@correlationconcepts.com>
Subject RE: BAD SIGNATUREs on pdfbox/fontbox downloads
Date Mon, 21 Jul 2014 16:37:13 GMT
Andreas,

I eventually noticed that the files were corrupt.  Switched to 1.8.5 and
downloads/all signatures/keys checked out.

Regards,

--mark bobick

-----Original Message-----
From: Andreas Lehmkuehler [mailto:andreas@lehmi.de] 
Sent: Sunday, July 20, 2014 1:37 PM
To: users@pdfbox.apache.org
Subject: Re: BAD SIGNATUREs on pdfbox/fontbox downloads

Hi,

On 09.07.2014 19:49, Mark Bobick, CTO wrote:
> Maruan,
>
> If I'm sticking with PGP/GPG, then the only thing to do is import the 
> key from the MIT server and see what happens.
>
>   This is what happened:
>
> [developer3@bf19650mdfl Downloads]$ ls pdfbox*
> -rw-r--r--. 1 developer3 developer3 33476 Jul  8 11:13 pdfbox-1.8.6.jar

The downloaded jar file is corrupt; it is way too small. Its size has to be
4 MB and not just 33 KB. Please change the mirror and/or check your method
of downloading the file.

BR
Andreas Lehmkühler

> -rw-r--r--. 1 developer3 developer3   181 Jul  8 11:13 pdfbox-1.8.6.jar.asc
> [developer3@bf19650mdfl Downloads]$ sudo gpg pdfbox-1.8.6.jar.asc
> [sudo] password for developer3:
> gpg: Signature made Thu 19 Jun 2014 07:57:08 AM EDT using DSA key ID 1DFDBF44
> gpg: BAD signature from "Andreas Lehmkuehler (CODE SIGNING KEY) <lehmi@apache.org>"
> [developer3@bf19650mdfl Downloads]$ sudo gpg --keyserver pgpkeys.mit.edu --recv-key 1DFDBF44
> gpg: requesting key 1DFDBF44 from hkp server pgpkeys.mit.edu
> gpg: key 1DFDBF44: "Andreas Lehmkuehler (CODE SIGNING KEY) <lehmi@apache.org>" not changed
> gpg: Total number processed: 1
> gpg:              unchanged: 1
> [developer3@bf19650mdfl Downloads]$ sudo gpg pdfbox-1.8.6.jar.asc
> gpg: Signature made Thu 19 Jun 2014 07:57:08 AM EDT using DSA key ID 1DFDBF44
> gpg: BAD signature from "Andreas Lehmkuehler (CODE SIGNING KEY) <lehmi@apache.org>"
> [developer3@bf19650mdfl Downloads]$ sudo gpg --fingerprint 1DFDBF44
> pub   1024D/1DFDBF44 2009-03-26
>        Key fingerprint = A602 970F E1BF 5C9C 8A94  91B9 7A3C 9FE2 1DFD BF44
> uid                  Andreas Lehmkuehler (CODE SIGNING KEY) <lehmi@apache.org>
> sub   2048g/78CB2E94 2009-03-26
> [developer3@bf19650mdfl Downloads]$
>
> Have downloaded both jar and asc files several times with same result.
> Would prefer to resolve issue, but I'll run checksums as alternative, 
> and will advise if anything off.  Thanks for the follow-up.
>
> Regards,
>
> -mark bobick
>
> -----Original Message-----
> From: Maruan Sahyoun [mailto:sahyoun@fileaffairs.de]
> Sent: Wednesday, July 09, 2014 1:24 PM
> To: users@pdfbox.apache.org
> Subject: Re: BAD SIGNATUREs on pdfbox/fontbox downloads
>
> Dear Mark,
>
> I did try the verification on OSX Maverick and Fedora 20 without any
> issues. Is it possible to use a different system to verify that you
> still get the same error?
>
> BR
> Maruan Sahyoun
>
> On 08.07.2014 at 18:00, Mark Bobick, CTO
> <m.bobick@correlationconcepts.com> wrote:
>
>> Downloaded KEYS and PDFBOX and FONTBOX files from 
>> https://pdfbox.apache.org/downloads.html.
>>
>> OS: Linux Fedora 20 (Heisenbug)
>>
>>
>>
>> This is the outcome from the "Verify" protocol posted on the same page.
>> Please advise my error or other, and recommended action.
>>
>>
>>
>> [developer3@bf19650mdfl ~]$ cd Downloads
>> [developer3@bf19650mdfl Downloads]$ ls KEYS
>> -rw-r--r--. 1 developer3 developer3 11822 Jul  8 11:15 KEYS
>> [developer3@bf19650mdfl Downloads]$ ls pdfbox*
>> -rw-r--r--. 1 developer3 developer3 33476 Jul  8 11:13 pdfbox-1.8.6.jar
>> -rw-r--r--. 1 developer3 developer3   181 Jul  8 11:13 pdfbox-1.8.6.jar.asc
>> [developer3@bf19650mdfl Downloads]$ ls fontbox*
>> -rw-r--r--. 1 developer3 developer3 33596 Jul  8 11:14 fontbox-1.8.6.jar
>> -rw-r--r--. 1 developer3 developer3   181 Jul  8 11:14 fontbox-1.8.6.jar.asc
>> [developer3@bf19650mdfl Downloads]$ gpg --import KEYS
>> gpg: key A355A63E: public key "Jukka Zitting <jukka@apache.org>" imported
>> gpg: key 8A26D9A6: public key "Jukka Zitting <jukka.zitting@gmail.com>" imported
>> gpg: key 1DFDBF44: public key "Andreas Lehmkuehler (CODE SIGNING KEY) <lehmi@apache.org>" imported
>> gpg: Total number processed: 3
>> gpg:               imported: 3
>> gpg: no ultimately trusted keys found
>> [developer3@bf19650mdfl Downloads]$ sudo gpg --verify pdfbox-1.8.6.jar.asc
>> [sudo] password for developer3:
>> gpg: Signature made Thu 19 Jun 2014 07:57:08 AM EDT using DSA key ID 1DFDBF44
>> gpg: BAD signature from "Andreas Lehmkuehler (CODE SIGNING KEY) <lehmi@apache.org>"
>> [developer3@bf19650mdfl Downloads]$ sudo gpg --verify fontbox-1.8.6.jar.asc
>> gpg: Signature made Thu 19 Jun 2014 07:54:19 AM EDT using DSA key ID 1DFDBF44
>> gpg: BAD signature from "Andreas Lehmkuehler (CODE SIGNING KEY) <lehmi@apache.org>"
>> [developer3@bf19650mdfl Downloads]$
>>
>>
>>
>> Thanks & Regards,
>>
>>
>>
>> -mark bobick
>> <http://www.linkedin.com/pub/mark-bobick/2/306/816/> LinkedIn
>>
>>
>>
>> CTO, Correlation Concepts
>>
>> <http://www.correlationconcepts.com/> www.correlationconcepts.com
>>
>> 2880 David Walker Dr. #407
>>
>> Eustis, Florida  32726
>>
>> 702.882.5664
>>
>>
>>
>> "We will find a way, or we will make one." - Hannibal
>>
>>
>>
>
>
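
Added example, not part of the thread or of the PDFBox project: the thread resolves a "BAD signature" as a corrupt, undersized download rather than a key problem, and a pre-check like this one separates the two cases before gpg runs. The function names, the HTML and ZIP-magic heuristics and the size threshold passed in are assumptions of this example.

```shell
#!/bin/sh
# Added example: triage a downloaded .jar before trusting gpg's "BAD signature".
# Function names, heuristics and the size threshold are assumptions.

# classify_download FILE MIN_BYTES -> prints one verdict:
#   missing   file absent or empty
#   html      starts like an HTML page saved under the artifact's name
#   not-zip   lacks the ZIP local-file-header magic "PK\003\004" every jar has
#   too-small is a ZIP, but below the size expected for the release
#   plausible payload looks intact; a gpg failure now needs real investigation
classify_download() {
    local file="$1" min_bytes="$2" size magic
    [ -s "$file" ] || { echo missing; return 0; }
    if head -c 512 "$file" | LC_ALL=C grep -aqiE '<!doctype html|<html'; then
        echo html; return 0
    fi
    magic=$(head -c 4 "$file" | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "504b0304" ] || { echo not-zip; return 0; }
    size=$(wc -c < "$file" | tr -d ' ')
    [ "$size" -ge "$min_bytes" ] || { echo too-small; return 0; }
    echo plausible
}

# verify_release JAR MIN_BYTES: call gpg only when the payload is plausible.
# Returns 2 (without running gpg) when the download itself is the problem.
verify_release() {
    local jar="$1" verdict
    verdict=$(classify_download "$jar" "$2")
    if [ "$verdict" != plausible ]; then
        echo "skipping gpg: $jar is '$verdict'; fetch it again" >&2
        return 2
    fi
    gpg --verify "$jar.asc" "$jar"
}

# Constructed demo input: an HTML page saved under the jar's file name.
demo=$(mktemp -d)
printf '<!DOCTYPE html><html><body>Not Found</body></html>' > "$demo/pdfbox-1.8.6.jar"
classify_download "$demo/pdfbox-1.8.6.jar" 1000000   # prints: html
rm -rf "$demo"
```

Passing the detached signature and the jar as separate arguments to `gpg --verify` makes explicit which file the signature is checked against.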


