I got something slightly different... I have a good signature when verifying the .asc file, but when I do an md5 or sha1 check on the zip file I get different results as to what's currently on the website:

Johns-MacBook-Pro-2:netbeans_sig_test john$ wget https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta-rc3/incubating-netbeans-java-9.0-beta-bin.zip
--2018-03-07 23:48:01-- https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta-rc3/incubating-netbeans-java-9.0-beta-bin.zip
Resolving dist.apache.org... 209.188.14.144
Connecting to dist.apache.org|209.188.14.144|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 167193685 (159M) [application/octet-stream]
Saving to: 'incubating-netbeans-java-9.0-beta-bin.zip'

incubating-netbeans-java-9.0-beta-bin.zip 100%[================================================================================================================>] 159.45M 2.61MB/s in 57s

2018-03-07 23:48:58 (2.80 MB/s) - 'incubating-netbeans-java-9.0-beta-bin.zip' saved [167193685/167193685]

Johns-MacBook-Pro-2:netbeans_sig_test john$ wget https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta-rc3/incubating-netbeans-java-9.0-beta-bin.zip.asc
--2018-03-07 23:49:49-- https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta-rc3/incubating-netbeans-java-9.0-beta-bin.zip.asc
Resolving dist.apache.org... 209.188.14.144
Connecting to dist.apache.org|209.188.14.144|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 833 [text/plain]
Saving to: 'incubating-netbeans-java-9.0-beta-bin.zip.asc'

incubating-netbeans-java-9.0-beta-bin.zip.asc 100%[================================================================================================================>] 833 --.-KB/s in 0s

2018-03-07 23:49:49 (18.9 MB/s) - 'incubating-netbeans-java-9.0-beta-bin.zip.asc' saved [833/833]

Johns-MacBook-Pro-2:netbeans_sig_test john$ gpg --verify incubating-netbeans-java-9.0-beta-bin.zip.asc incubating-netbeans-java-9.0-beta-bin.zip
gpg: Signature made Sun 4 Feb 13:57:10 2018 GMT
gpg: using RSA key 51B0E375B4941714A809F90E13E9F7AE3A4FD551
gpg: Good signature from "geert...@apache.org (Key for signing Apache NetBeans & co. releases.) <geert...@apache.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 51B0 E375 B494 1714 A809 F90E 13E9 F7AE 3A4F D551
Johns-MacBook-Pro-2:netbeans_sig_test john$ md5 incubating-netbeans-java-9.0-beta-bin.zip
MD5 (incubating-netbeans-java-9.0-beta-bin.zip) = 05d71d0e2a9360b3402c6068425773db
Johns-MacBook-Pro-2:netbeans_sig_test john$ shasum incubating-netbeans-java-9.0-beta-bin.zip
0e9dbf7f70ceacf5b86b8e0ec1ea80b26d93293b incubating-netbeans-java-9.0-beta-bin.zip

Regards
John

On 7 March 2018 at 23:12, Geertjan Wielenga <geertjan.wiele...@googlemail.com> wrote:

> Would be good if someone would verify this -- when I look at the VOTE
> thread, the source signatures have been verified:
>
> https://lists.apache.org/thread.html/859cbc7d2f4631983e48e24e7c1053439cbebfee133cc9b3745046b4@%3Cdev.netbeans.apache.org%3E
>
> However, quite possibly the convenience binary signature has been checked
> -- since Apache releases source code and not binaries, which are optionally
> included for convenience only.
>
> Gj
>
> On Wed, Mar 7, 2018 at 11:48 PM, Leo Donahue <donahu...@gmail.com> wrote:
>
>> Hi,
>>
>> Is this the right list for this question?
>>
>> I'm trying to verify the PGP ASC and KEY file but I get a bad signature
>> message.
>>
>> I'm here: https://netbeans.apache.org/download/nb90/nb90-beta.html
>>
>> In Terminal:
>> wget https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta/incubating-netbeans-java-9.0-beta-bin.zip.asc
>>
>> wget https://dist.apache.org/repos/dist/release/incubator/netbeans/KEYS
>>
>> pgp --import KEYS
>>
>> gpg --verify incubating-netbeans-java-9.0-beta-bin.zip.asc Downloads/incubating-netbeans-java-9.0-beta-bin.zip
>>
>>
>> output:
>>
>> gpg: Signature made Wed 10 Jan 2018 03:41:31 PM MST
>> gpg: using RSA key B4C1940FEA9364F1
>> gpg: BAD signature from "Jan Lahoda (Key for signing Apache NetBeans & co. releases.) <jlah...@apache.org>" [unknown]
>>
>> What did I forget to do?
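
The gpg output above reports a good signature from a key marked [unknown]; one way to turn that into a pass/fail check is to pin the expected primary key fingerprint and read the lines gpg writes with `--status-fd`. This is an added example, not part of the original thread: the function names are hypothetical and the status lines are constructed samples, with only the fingerprint and key IDs taken from the messages above.

```shell
#!/bin/sh
# Added example (not from the thread): pass/fail on gpg's machine-readable
# status lines instead of the human-readable "Good signature" text.
# Real use: gpg --status-fd 1 --verify FILE.asc FILE 2>/dev/null | signer_ok FPR

# Fingerprint printed in the gpg output quoted in the thread.
PAGE_FPR='51B0 E375 B494 1714 A809 F90E 13E9 F7AE 3A4F D551'

# Constructed sample status output (not captured from a real run).
GOOD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 13E9F7AE3A4FD551 constructed signer
[GNUPG:] VALIDSIG 51B0E375B4941714A809F90E13E9F7AE3A4FD551 2018-02-04 1517752630 0 4 0 1 8 00 51B0E375B4941714A809F90E13E9F7AE3A4FD551
[GNUPG:] TRUST_UNDEFINED 0 pgp'
BAD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] BADSIG B4C1940FEA9364F1 constructed signer'

# Remove whitespace and upper-case, so spaced and compact forms compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# signer_ok EXPECTED_FPR  (status lines on stdin)
# Succeeds only if a VALIDSIG line names EXPECTED_FPR as the primary key
# (last field in GnuPG 2.x) and no BADSIG or ERRSIG line is present.
signer_ok() {
    awk -v want="$(normalize_fpr "$1")" '
        $1 != "[GNUPG:]"                 { next }
        $2 == "BADSIG" || $2 == "ERRSIG" { bad = 1 }
        $2 == "VALIDSIG" && NF >= 12 && toupper($NF) == want { good = 1 }
        END { exit (good && !bad) ? 0 : 1 }
    '
}

# Demo over the constructed samples.
for name in GOOD_STATUS BAD_STATUS; do
    eval "sample=\$$name"
    if printf '%s\n' "$sample" | signer_ok "$PAGE_FPR"; then
        echo "$name: accept"
    else
        echo "$name: reject"
    fi
done
```

The pinned fingerprint has to come from a channel other than the download being checked; a key that merely verifies is still reported as accepted by gpg itself.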