Hi - On Wed, Feb 9, 2022 at 1:33 PM PJ Fanning <fannin...@yahoo.com.invalid> wrote:
> Hi - those command don't match the documented ones in the 'Verify' section > of https://poi.apache.org/download.html - could you try the documented > approach? > > Based on that particular page: $ gpg --import KEYS gpg: key 38DAC8E212DAE9BE: "Glen Stampoultzis <gl...@apache.org>" not changed gpg: key F5C260164CEED75F: 2 duplicate signatures removed gpg: key F5C260164CEED75F: 140 signatures not checked due to missing keys gpg: key F5C260164CEED75F: 2 signatures reordered gpg: key F5C260164CEED75F: "Nick Burch <n...@gagravarr.org>" not changed gpg: key 8AAF88D6D84E41AE: 24 signatures not checked due to missing keys gpg: key 8AAF88D6D84E41AE: "Nick Burch <n...@gagravarr.org>" not changed gpg: key 5343461584B5A42E: 12 signatures not checked due to missing keys gpg: key 5343461584B5A42E: "Rainer Klute <rainer.kl...@gmx.de>" not changed gpg: key 69340A02F5BB52CD: 63 signatures not checked due to missing keys gpg: key 69340A02F5BB52CD: "Yegor Kozlov <ye...@apache.org>" not changed gpg: key 317C6DF83C7705CF: "David Fisher <dave2w...@comcast.net>" not changed gpg: key 860BBEE6D1F99590: 4 signatures not checked due to missing keys gpg: key 860BBEE6D1F99590: "Josh Micich (Software engineer) < j...@gildedtree.com>" not changed gpg: key 7CB1E26A97EDDE66: "tallison (apache_distro_keys) < talli...@apache.org>" not changed gpg: key 86F75E83E1EE085F: 10 signatures not checked due to missing keys gpg: key 86F75E83E1EE085F: "Uwe Schindler (CODE SIGNING KEY) < uschind...@apache.org>" not changed gpg: Note: third-party key signatures using the SHA1 algorithm are rejected gpg: (use option "--allow-weak-key-signatures" to override) gpg: key A93E1C4B26062CE3: 2 bad signatures gpg: key A93E1C4B26062CE3: "Andreas Beeker <kiwiwi...@apache.org>" not changed gpg: key F9B8FAC3B4812553: 26 signatures not checked due to missing keys gpg: key F9B8FAC3B4812553: "David North <da...@dnorth.net>" not changed gpg: key E196754527B9F635: "Dominik Stadler <cen...@apache.org>" not changed gpg: key E7EA2B535350373C: 3 signatures not checked due to missing keys gpg: key E7EA2B535350373C: "David North <da...@dnorth.net>" not changed gpg: key E6677AC68BABDD6C: 2 signatures not checked due to missing keys gpg: key E6677AC68BABDD6C: "Javen O'Neal <javenon...@gmail.com>" not changed gpg: key 0C69C1EF41181E13: "PJ Fanning (http://www.apache.org/) < fannin...@apache.org>" not changed gpg: key 2D15E54A1556F3A4: 2 bad signatures gpg: key 2D15E54A1556F3A4: "Greg Woolsey <gwool...@apache.org>" not changed gpg: Total number processed: 16 gpg: unchanged: 16 $ gpg --verify poi-bin-5.2.0-20220106.tgz.asc poi-bin-5.2.0-20220106.tgz gpg: Signature made Thu Jan 6 08:28:07 2022 EST gpg: using RSA key 6BA4DA8B1C88A49428A29C3D0C69C1EF41181E13 gpg: BAD signature from "PJ Fanning (http://www.apache.org/) < fannin...@apache.org>" [unknown] I'm on a FreeBSD system, but I don't think that should matter. The 'KEYS' file was downloaded from the KEYS link in the https://poi.apache.org/download.html page (under the Verify section). I confess that I frequently do *not* verify prebuilt binaries from apache, so maybe I'm doing something wrong, or I don't have something configured properly on my system here. I'll do some additional reading on that. There is no online chat for POI - where did you find that freenode URL, if > it is in our docs, can you say where? I can then remove it. > > Sure, there's a link on https://poi.apache.org/help/index.html, under the IRC section! Thanks for your help! > > > > On Wednesday 9 February 2022, 16:56:55 GMT+1, Bridger Dyson-Smith < > bdysonsm...@gmail.com> wrote: > > > > > > Hi all - > > I just learned about this interesting little apache project and I'm excited > to try it out, but I'm having some trouble validating the pre-built > binaries (.tgz and .zip). I've tried both the `gpg` validation method and > `shasum`, and nothing is matching; i.e. > > $ gpg --import KEYS > gpg: key 38DAC8E212DAE9BE: public key "Glen Stampoultzis <gl...@apache.org > >" > imported > gpg: key F5C260164CEED75F: 2 duplicate signatures removed > gpg: key F5C260164CEED75F: 140 signatures not checked due to missing keys > ...[snip]... > gpg: key 2D15E54A1556F3A4: public key "Greg Woolsey <gwool...@apache.org>" > imported > gpg: Total number processed: 16 > gpg: imported: 16 > gpg: no ultimately trusted keys found > $ gpg --verify poi-bin-5.2.0-20220106.tgz.asc poi-bin-5.2.0-20220106.tgz > gpg: Signature made Thu Jan 6 08:28:07 2022 EST > gpg: using RSA key 6BA4DA8B1C88A49428A29C3D0C69C1EF41181E13 > gpg: BAD signature from "PJ Fanning (http://www.apache.org/) < > fannin...@apache.org>" [unknown] > > $ shasum -a 256 poi-bin-5.2.0-20220106.tgz > 23326714dfdeb57d6cdb1bed6d209cdb013b92792b72faada0b620fa190a74b4 > poi-bin-5.2.0-20220106.tgz > > (and the reported SHA256 [1] from the downloads is: > 62ddbb83f6388033454359aac4fdd37f2af8971738c0d465e7b322746053ac08 > poi-bin-5.2.0-20220106.tgz) > > Any suggestions? I can certainly try to build from source, but wanted > to check and see if this was a known issue with the prebuilt downloads > (or if Maven is the preferred download source for JARs). > > Thanks for your time! > Best, > Bridger > > PS Is there an active IRC channel on liberachat? I tried to access > freenode from the link on the Help index page [2] but the web client > threw an unknown error. > > [1] > https://downloads.apache.org/poi/release/bin/poi-bin-5.2.0-20220106.tgz.sha256 > [2] https://webchat.freenode.net/?channels=#apache-poi > > --------------------------------------------------------------------- > To unsubscribe, e-mail: user-unsubscr...@poi.apache.org > For additional commands, e-mail: user-h...@poi.apache.org > >
