pdfbox-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Andreas Lehmkuehler <andr...@lehmi.de>
Subject Re: BAD SIGNATUREs on pdfbox/fontbox downloads
Date Sun, 20 Jul 2014 17:37:16 GMT
Hi,

Am 09.07.2014 19:49, schrieb Mark Bobick, CTO:
> Maruan,
>
> If I'm sticking with PGP/GPG, then the only thing to do is import the key
> from the MIT server and see what happens.
>
>   This is what happened:
>
> [developer3@bf19650mdfl Downloads]$ ls pdfbox*
> -rw-r--r--. 1 developer3 developer3 33476 Jul  8 11:13 pdfbox-1.8.6.jar
The downloaded jar file is corrupt, it is way to small. It's size has to be 4mb 
and not just 33kb. Please change the mirrow and/or check your method downloading 
the file.

BR
Andreas Lehmkühler

> -rw-r--r--. 1 developer3 developer3   181 Jul  8 11:13 pdfbox-1.8.6.jar.asc
> [developer3@bf19650mdfl Downloads]$ sudo gpg pdfbox-1.8.6.jar.asc
> [sudo] password for developer3:
> gpg: Signature made Thu 19 Jun 2014 07:57:08 AM EDT using DSA key ID
> 1DFDBF44
> gpg: BAD signature from "Andreas Lehmkuehler (CODE SIGNING KEY)
> <lehmi@apache.org>"
> [developer3@bf19650mdfl Downloads]$ sudo gpg --keyserver pgpkeys.mit.edu
> --recv-key 1DFDBF44
> gpg: requesting key 1DFDBF44 from hkp server pgpkeys.mit.edu
> gpg: key 1DFDBF44: "Andreas Lehmkuehler (CODE SIGNING KEY)
> <lehmi@apache.org>" not changed
> gpg: Total number processed: 1
> gpg:              unchanged: 1
> [developer3@bf19650mdfl Downloads]$ sudo gpg pdfbox-1.8.6.jar.asc
> gpg: Signature made Thu 19 Jun 2014 07:57:08 AM EDT using DSA key ID
> 1DFDBF44
> gpg: BAD signature from "Andreas Lehmkuehler (CODE SIGNING KEY)
> <lehmi@apache.org>"
> [developer3@bf19650mdfl Downloads]$ sudo gpg --fingerprint 1DFDBF44
> pub   1024D/1DFDBF44 2009-03-26
>        Key fingerprint = A602 970F E1BF 5C9C 8A94  91B9 7A3C 9FE2 1DFD BF44
> uid                  Andreas Lehmkuehler (CODE SIGNING KEY)
> <lehmi@apache.org>
> sub   2048g/78CB2E94 2009-03-26
> [developer3@bf19650mdfl Downloads]$
>
> Have downloaded both jar and asc files several times with same result.
> Would prefer to resolve issue, but I'll run checksums as alternative, and
> will advise if anything off.  Thanks for the follow-up.
>
> Regards,
>
> -mark bobick
>
> -----Original Message-----
> From: Maruan Sahyoun [mailto:sahyoun@fileaffairs.de]
> Sent: Wednesday, July 09, 2014 1:24 PM
> To: users@pdfbox.apache.org
> Subject: Re: BAD SIGNATUREs on pdfbox/fontbox downloads
>
> Dear Mark,
>
> I did try the verification on OSX Maverick and Fedora 20  wo any issues. Is
> it possible to use a different system to verify that you still get the same
> error?
>
> BR
> Maruan Sahyoun
>
> Am 08.07.2014 um 18:00 schrieb Mark Bobick, CTO
> <m.bobick@correlationconcepts.com>:
>
>> Downloaded KEYS and PDFBOX and FONTBOX files from
>> https://pdfbox.apache.org/downloads.html.
>>
>> OS: Linux Fedora 20 (Heisenbug)
>>
>>
>>
>> This is outcome from posted on same page "Verify" protocol.  Please
>> advise my error or other, and recommended action.
>>
>>
>>
>> [developer3@bf19650mdfl ~]$ cd Downloads [developer3@bf19650mdfl
>> Downloads]$ ls KEYS -rw-r--r--. 1 developer3 developer3 11822 Jul  8
>> 11:15 KEYS [developer3@bf19650mdfl Downloads]$ ls pdfbox* -rw-r--r--.
>> 1 developer3 developer3 33476 Jul  8 11:13 pdfbox-1.8.6.jar
>> -rw-r--r--. 1 developer3 developer3   181 Jul  8 11:13
> pdfbox-1.8.6.jar.asc
>> [developer3@bf19650mdfl Downloads]$ ls fontbox* -rw-r--r--. 1
>> developer3 developer3 33596 Jul  8 11:14 fontbox-1.8.6.jar
>> -rw-r--r--. 1 developer3 developer3   181 Jul  8 11:14
> fontbox-1.8.6.jar.asc
>> [developer3@bf19650mdfl Downloads]$ gpg --import KEYS
>> gpg: key A355A63E: public key "Jukka Zitting <jukka@apache.org>"
>> imported
>> gpg: key 8A26D9A6: public key "Jukka Zitting <jukka.zitting@gmail.com>"
>> imported
>> gpg: key 1DFDBF44: public key "Andreas Lehmkuehler (CODE SIGNING KEY)
>> <lehmi@apache.org>" imported
>> gpg: Total number processed: 3
>> gpg:               imported: 3
>> gpg: no ultimately trusted keys found
>> [developer3@bf19650mdfl Downloads]$ sudo gpg --verify
>> pdfbox-1.8.6.jar.asc [sudo] password for developer3:
>> gpg: Signature made Thu 19 Jun 2014 07:57:08 AM EDT using DSA key ID
>> 1DFDBF44
>> gpg: BAD signature from "Andreas Lehmkuehler (CODE SIGNING KEY)
>> <lehmi@apache.org>"
>> [developer3@bf19650mdfl Downloads]$ sudo gpg --verify
>> fontbox-1.8.6.jar.asc
>> gpg: Signature made Thu 19 Jun 2014 07:54:19 AM EDT using DSA key ID
>> 1DFDBF44
>> gpg: BAD signature from "Andreas Lehmkuehler (CODE SIGNING KEY)
>> <lehmi@apache.org>"
>> [developer3@bf19650mdfl Downloads]$
>>
>>
>>
>> Thanks & Regards,
>>
>>
>>
>> -mark bobick
>> <http://www.linkedin.com/pub/mark-bobick/2/306/816/> LinkedIn
>>
>>
>>
>> CTO, Correlation Concepts
>>
>> <http://www.correlationconcepts.com/> www.correlationconcepts.com
>>
>> 2880 David Walker Dr. #407
>>
>> Eustis, Florida  32726
>>
>> 702.882.5664
>>
>>
>>
>> "We will find a way, or we will make one." - Hannibal
>>
>>
>>
>
>


Mime
View raw message