pdfbox-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Andreas Lehmkuehler <andr...@lehmi.de>
Subject Re: BAD SIGNATUREs on pdfbox/fontbox downloads
Date Tue, 22 Jul 2014 17:46:49 GMT
Hi,

Am 21.07.2014 18:37, schrieb Mark Bobick, CTO:
> Andreas,
>
> I eventually noticed that the files were corrupt.  Switched to 1.8.5 and
> downloads/all signatures/keys checked out.
Just to avoid misunderstandings, all released files of pdfbox 1.8.6 are o.k. 
Either the mirror you used provids corrupt files or something went wrong when 
downloading the files.

BR
Andreas Lehmkühler
> Regards,
>
> --mark bobick
>
> -----Original Message-----
> From: Andreas Lehmkuehler [mailto:andreas@lehmi.de]
> Sent: Sunday, July 20, 2014 1:37 PM
> To: users@pdfbox.apache.org
> Subject: Re: BAD SIGNATUREs on pdfbox/fontbox downloads
>
> Hi,
>
> Am 09.07.2014 19:49, schrieb Mark Bobick, CTO:
>> Maruan,
>>
>> If I'm sticking with PGP/GPG, then the only thing to do is import the
>> key from the MIT server and see what happens.
>>
>>    This is what happened:
>>
>> [developer3@bf19650mdfl Downloads]$ ls pdfbox* -rw-r--r--. 1
>> developer3 developer3 33476 Jul  8 11:13 pdfbox-1.8.6.jar
> The downloaded jar file is corrupt, it is way to small. It's size has to be
> 4mb and not just 33kb. Please change the mirrow and/or check your method
> downloading the file.
>
> BR
> Andreas Lehmkühler
>
>> -rw-r--r--. 1 developer3 developer3   181 Jul  8 11:13
> pdfbox-1.8.6.jar.asc
>> [developer3@bf19650mdfl Downloads]$ sudo gpg pdfbox-1.8.6.jar.asc
>> [sudo] password for developer3:
>> gpg: Signature made Thu 19 Jun 2014 07:57:08 AM EDT using DSA key ID
>> 1DFDBF44
>> gpg: BAD signature from "Andreas Lehmkuehler (CODE SIGNING KEY)
>> <lehmi@apache.org>"
>> [developer3@bf19650mdfl Downloads]$ sudo gpg --keyserver
>> pgpkeys.mit.edu --recv-key 1DFDBF44
>> gpg: requesting key 1DFDBF44 from hkp server pgpkeys.mit.edu
>> gpg: key 1DFDBF44: "Andreas Lehmkuehler (CODE SIGNING KEY)
>> <lehmi@apache.org>" not changed
>> gpg: Total number processed: 1
>> gpg:              unchanged: 1
>> [developer3@bf19650mdfl Downloads]$ sudo gpg pdfbox-1.8.6.jar.asc
>> gpg: Signature made Thu 19 Jun 2014 07:57:08 AM EDT using DSA key ID
>> 1DFDBF44
>> gpg: BAD signature from "Andreas Lehmkuehler (CODE SIGNING KEY)
>> <lehmi@apache.org>"
>> [developer3@bf19650mdfl Downloads]$ sudo gpg --fingerprint 1DFDBF44
>> pub   1024D/1DFDBF44 2009-03-26
>>         Key fingerprint = A602 970F E1BF 5C9C 8A94  91B9 7A3C 9FE2 1DFD
> BF44
>> uid                  Andreas Lehmkuehler (CODE SIGNING KEY)
>> <lehmi@apache.org>
>> sub   2048g/78CB2E94 2009-03-26
>> [developer3@bf19650mdfl Downloads]$
>>
>> Have downloaded both jar and asc files several times with same result.
>> Would prefer to resolve issue, but I'll run checksums as alternative,
>> and will advise if anything off.  Thanks for the follow-up.
>>
>> Regards,
>>
>> -mark bobick
>>
>> -----Original Message-----
>> From: Maruan Sahyoun [mailto:sahyoun@fileaffairs.de]
>> Sent: Wednesday, July 09, 2014 1:24 PM
>> To: users@pdfbox.apache.org
>> Subject: Re: BAD SIGNATUREs on pdfbox/fontbox downloads
>>
>> Dear Mark,
>>
>> I did try the verification on OSX Maverick and Fedora 20  wo any
>> issues. Is it possible to use a different system to verify that you
>> still get the same error?
>>
>> BR
>> Maruan Sahyoun
>>
>> Am 08.07.2014 um 18:00 schrieb Mark Bobick, CTO
>> <m.bobick@correlationconcepts.com>:
>>
>>> Downloaded KEYS and PDFBOX and FONTBOX files from
>>> https://pdfbox.apache.org/downloads.html.
>>>
>>> OS: Linux Fedora 20 (Heisenbug)
>>>
>>>
>>>
>>> This is outcome from posted on same page "Verify" protocol.  Please
>>> advise my error or other, and recommended action.
>>>
>>>
>>>
>>> [developer3@bf19650mdfl ~]$ cd Downloads [developer3@bf19650mdfl
>>> Downloads]$ ls KEYS -rw-r--r--. 1 developer3 developer3 11822 Jul  8
>>> 11:15 KEYS [developer3@bf19650mdfl Downloads]$ ls pdfbox* -rw-r--r--.
>>> 1 developer3 developer3 33476 Jul  8 11:13 pdfbox-1.8.6.jar
>>> -rw-r--r--. 1 developer3 developer3   181 Jul  8 11:13
>> pdfbox-1.8.6.jar.asc
>>> [developer3@bf19650mdfl Downloads]$ ls fontbox* -rw-r--r--. 1
>>> developer3 developer3 33596 Jul  8 11:14 fontbox-1.8.6.jar
>>> -rw-r--r--. 1 developer3 developer3   181 Jul  8 11:14
>> fontbox-1.8.6.jar.asc
>>> [developer3@bf19650mdfl Downloads]$ gpg --import KEYS
>>> gpg: key A355A63E: public key "Jukka Zitting <jukka@apache.org>"
>>> imported
>>> gpg: key 8A26D9A6: public key "Jukka Zitting <jukka.zitting@gmail.com>"
>>> imported
>>> gpg: key 1DFDBF44: public key "Andreas Lehmkuehler (CODE SIGNING KEY)
>>> <lehmi@apache.org>" imported
>>> gpg: Total number processed: 3
>>> gpg:               imported: 3
>>> gpg: no ultimately trusted keys found [developer3@bf19650mdfl
>>> Downloads]$ sudo gpg --verify pdfbox-1.8.6.jar.asc [sudo] password
>>> for developer3:
>>> gpg: Signature made Thu 19 Jun 2014 07:57:08 AM EDT using DSA key ID
>>> 1DFDBF44
>>> gpg: BAD signature from "Andreas Lehmkuehler (CODE SIGNING KEY)
>>> <lehmi@apache.org>"
>>> [developer3@bf19650mdfl Downloads]$ sudo gpg --verify
>>> fontbox-1.8.6.jar.asc
>>> gpg: Signature made Thu 19 Jun 2014 07:54:19 AM EDT using DSA key ID
>>> 1DFDBF44
>>> gpg: BAD signature from "Andreas Lehmkuehler (CODE SIGNING KEY)
>>> <lehmi@apache.org>"
>>> [developer3@bf19650mdfl Downloads]$
>>>
>>>
>>>
>>> Thanks & Regards,
>>>
>>>
>>>
>>> -mark bobick
>>> <http://www.linkedin.com/pub/mark-bobick/2/306/816/> LinkedIn
>>>
>>>
>>>
>>> CTO, Correlation Concepts
>>>
>>> <http://www.correlationconcepts.com/> www.correlationconcepts.com
>>>
>>> 2880 David Walker Dr. #407
>>>
>>> Eustis, Florida  32726
>>>
>>> 702.882.5664
>>>
>>>
>>>
>>> "We will find a way, or we will make one." - Hannibal
>>>
>>>
>>>
>>
>>
>
>


Mime
View raw message