Just a follow up to say that I had completely overlooked a sentence in the 'Verify' section (at https://poi.apache.org/download.html). "Make sure you get these files from the main distribution directory, rather than from a mirror." is, in hindsight, obviously important.
In any case, PJ, ensuring that I'm using all files from the main distribution directory returns:

$ gpg --verify poi-bin-5.2.0-20220106.tgz.asc poi-bin-5.2.0-20220106.tgz
gpg: Signature made Thu Jan 6 08:28:07 2022 EST
gpg: using RSA key 6BA4DA8B1C88A49428A29C3D0C69C1EF41181E13
gpg: Good signature from "PJ Fanning (http://www.apache.org/) < fannin...@apache.org>" [unknown]
gpg: aka "PJ Fanning <fannin...@yahoo.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6BA4 DA8B 1C88 A494 28A2 9C3D 0C69 C1EF 4118 1E13

Thanks for helping me get further along!
Best,
Bridger

On Wed, Feb 9, 2022 at 2:16 PM Bridger Dyson-Smith <bdysonsm...@gmail.com> wrote:

> Hi -
>
> On Wed, Feb 9, 2022 at 1:33 PM PJ Fanning <fannin...@yahoo.com.invalid>
> wrote:
>
>> Hi - those commands don't match the documented ones in the 'Verify'
>> section of https://poi.apache.org/download.html - could you try the
>> documented approach?
>>
>> Based on that particular page:
> $ gpg --import KEYS
> gpg: key 38DAC8E212DAE9BE: "Glen Stampoultzis <gl...@apache.org>" not
> changed
> gpg: key F5C260164CEED75F: 2 duplicate signatures removed
> gpg: key F5C260164CEED75F: 140 signatures not checked due to missing keys
> gpg: key F5C260164CEED75F: 2 signatures reordered
> gpg: key F5C260164CEED75F: "Nick Burch <n...@gagravarr.org>" not changed
> gpg: key 8AAF88D6D84E41AE: 24 signatures not checked due to missing keys
> gpg: key 8AAF88D6D84E41AE: "Nick Burch <n...@gagravarr.org>" not changed
> gpg: key 5343461584B5A42E: 12 signatures not checked due to missing keys
> gpg: key 5343461584B5A42E: "Rainer Klute <rainer.kl...@gmx.de>" not
> changed
> gpg: key 69340A02F5BB52CD: 63 signatures not checked due to missing keys
> gpg: key 69340A02F5BB52CD: "Yegor Kozlov <ye...@apache.org>" not changed
> gpg: key 317C6DF83C7705CF: "David Fisher <dave2w...@comcast.net>" not
> changed
> gpg: key 860BBEE6D1F99590: 4 signatures not checked due to missing keys
> gpg: key 860BBEE6D1F99590: "Josh Micich (Software engineer) <
> j...@gildedtree.com>" not changed
> gpg: key 7CB1E26A97EDDE66: "tallison (apache_distro_keys) <
> talli...@apache.org>" not changed
> gpg: key 86F75E83E1EE085F: 10 signatures not checked due to missing keys
> gpg: key 86F75E83E1EE085F: "Uwe Schindler (CODE SIGNING KEY) <
> uschind...@apache.org>" not changed
> gpg: Note: third-party key signatures using the SHA1 algorithm are rejected
> gpg: (use option "--allow-weak-key-signatures" to override)
> gpg: key A93E1C4B26062CE3: 2 bad signatures
> gpg: key A93E1C4B26062CE3: "Andreas Beeker <kiwiwi...@apache.org>" not
> changed
> gpg: key F9B8FAC3B4812553: 26 signatures not checked due to missing keys
> gpg: key F9B8FAC3B4812553: "David North <da...@dnorth.net>" not changed
> gpg: key E196754527B9F635: "Dominik Stadler <cen...@apache.org>" not
> changed
> gpg: key E7EA2B535350373C: 3 signatures not checked due to missing keys
> gpg: key E7EA2B535350373C: "David North <da...@dnorth.net>" not changed
> gpg: key E6677AC68BABDD6C: 2 signatures not checked due to missing keys
> gpg: key E6677AC68BABDD6C: "Javen O'Neal <javenon...@gmail.com>" not
> changed
> gpg: key 0C69C1EF41181E13: "PJ Fanning (http://www.apache.org/) <
> fannin...@apache.org>" not changed
> gpg: key 2D15E54A1556F3A4: 2 bad signatures
> gpg: key 2D15E54A1556F3A4: "Greg Woolsey <gwool...@apache.org>" not
> changed
> gpg: Total number processed: 16
> gpg: unchanged: 16
> $ gpg --verify poi-bin-5.2.0-20220106.tgz.asc poi-bin-5.2.0-20220106.tgz
> gpg: Signature made Thu Jan 6 08:28:07 2022 EST
> gpg: using RSA key 6BA4DA8B1C88A49428A29C3D0C69C1EF41181E13
> gpg: BAD signature from "PJ Fanning (http://www.apache.org/) <
> fannin...@apache.org>" [unknown]
>
> I'm on a FreeBSD system, but I don't think that should matter. The 'KEYS'
> file was downloaded from the KEYS link in the
> https://poi.apache.org/download.html page (under the Verify section).
> I confess that I frequently do *not* verify prebuilt binaries from apache,
> so maybe I'm doing something wrong, or I don't have something configured
> properly on my system here. I'll do some additional reading
> on that.
>
> There is no online chat for POI - where did you find that freenode URL, if
>> it is in our docs, can you say where? I can then remove it.
>>
>> Sure, there's a link on https://poi.apache.org/help/index.html, under
> the IRC section!
>
> Thanks for your help!
>
>
>>
>>
>>
>> On Wednesday 9 February 2022, 16:56:55 GMT+1, Bridger Dyson-Smith <
>> bdysonsm...@gmail.com> wrote:
>>
>>
>>
>>
>>
>> Hi all -
>>
>> I just learned about this interesting little apache project and I'm
>> excited
>> to try it out, but I'm having some trouble validating the pre-built
>> binaries (.tgz and .zip). I've tried both the `gpg` validation method and
>> `shasum`, and nothing is matching; i.e.
>>
>> $ gpg --import KEYS
>> gpg: key 38DAC8E212DAE9BE: public key "Glen Stampoultzis <
>> gl...@apache.org>"
>> imported
>> gpg: key F5C260164CEED75F: 2 duplicate signatures removed
>> gpg: key F5C260164CEED75F: 140 signatures not checked due to missing keys
>> ...[snip]...
>> gpg: key 2D15E54A1556F3A4: public key "Greg Woolsey <gwool...@apache.org
>> >"
>> imported
>> gpg: Total number processed: 16
>> gpg: imported: 16
>> gpg: no ultimately trusted keys found
>> $ gpg --verify poi-bin-5.2.0-20220106.tgz.asc poi-bin-5.2.0-20220106.tgz
>> gpg: Signature made Thu Jan 6 08:28:07 2022 EST
>> gpg: using RSA key 6BA4DA8B1C88A49428A29C3D0C69C1EF41181E13
>> gpg: BAD signature from "PJ Fanning (http://www.apache.org/) <
>> fannin...@apache.org>" [unknown]
>>
>> $ shasum -a 256 poi-bin-5.2.0-20220106.tgz
>> 23326714dfdeb57d6cdb1bed6d209cdb013b92792b72faada0b620fa190a74b4
>> poi-bin-5.2.0-20220106.tgz
>>
>> (and the reported SHA256 [1] from the downloads is:
>> 62ddbb83f6388033454359aac4fdd37f2af8971738c0d465e7b322746053ac08
>> poi-bin-5.2.0-20220106.tgz)
>>
>> Any suggestions? I can certainly try to build from source, but wanted
>> to check and see if this was a known issue with the prebuilt downloads
>> (or if Maven is the preferred download source for JARs).
>>
>> Thanks for your time!
>> Best,
>> Bridger
>>
>> PS Is there an active IRC channel on liberachat? I tried to access
>> freenode from the link on the Help index page [2] but the web client
>> threw an unknown error.
>>
>> [1]
>> https://downloads.apache.org/poi/release/bin/poi-bin-5.2.0-20220106.tgz.sha256
>> [2] https://webchat.freenode.net/?channels=#apache-poi
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: user-unsubscr...@poi.apache.org
>> For additional commands, e-mail: user-h...@poi.apache.org
>>
>>
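
Added example, not part of the thread or of the POI documentation: the two checks discussed above (published SHA-256 and gpg signature) scripted so that a "Good signature" is accepted only from a pinned fingerprint, which is what the `[unknown]` trust warning leaves to the user. The function names are hypothetical, the fingerprint is the one gpg printed in the thread, and the status lines are constructed samples of `gpg --status-fd 1 --verify` output.

```shell
#!/bin/sh
# Added example, not from the thread. FPR is the fingerprint gpg printed above;
# the status lines are constructed samples of `gpg --status-fd 1 --verify` output.
FPR=6BA4DA8B1C88A49428A29C3D0C69C1EF41181E13
GOOD_STATUS="[GNUPG:] GOODSIG 0C69C1EF41181E13 PJ Fanning
[GNUPG:] VALIDSIG $FPR 2022-01-06 1641475687 0 4 0 1 10 00 $FPR"
BAD_STATUS="[GNUPG:] BADSIG 0C69C1EF41181E13 PJ Fanning"

# Print the lowercase hex SHA-256 of a file (sha256sum on Linux, shasum elsewhere).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# check_digest FILE SHA256_FILE: succeed only if the first field of SHA256_FILE
# (fetched from the main distribution directory) equals the file's digest.
check_digest() {
    expected=$(awk 'NR == 1 {print tolower($1)}' "$2")
    actual=$(sha256_of "$1")
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# check_status FPR: read gpg status lines on stdin; succeed only if a VALIDSIG
# line names exactly the pinned fingerprint and no BADSIG line is present.
check_status() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "BADSIG"                 { bad = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && $3 == want { ok = 1 }
        END { exit !(ok && !bad) }'
}

# verify_release FILE: both checks against FILE.sha256 and FILE.asc (needs gpg).
verify_release() {
    check_digest "$1" "$1.sha256" || { echo "digest mismatch: $1" >&2; return 1; }
    gpg --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null | check_status "$FPR" ||
        { echo "no valid signature from $FPR: $1" >&2; return 1; }
}

# Demo on the constructed status text; prints "good: accepted" and "bad: rejected".
if printf '%s\n' "$GOOD_STATUS" | check_status "$FPR"; then echo "good: accepted"; fi
if ! printf '%s\n' "$BAD_STATUS" | check_status "$FPR"; then echo "bad: rejected"; fi
```

With gpg installed and KEYS imported, `verify_release poi-bin-5.2.0-20220106.tgz` runs both checks against the `.sha256` and `.asc` files sitting beside the tarball.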