Hi Leo, I didn't import the keys, as I had previously done this step...
But I'm looking at a different file then you: https://dist.apache.org/repos/dist/dev/incubator/netbeans/ incubating-netbeans-java/incubating-9.0-beta/incubating-netbeans-java-9.0- beta-bin.zip(you) https://dist.apache.org/repos/dist/dev/incubator/netbeans/ incubating-netbeans-java/incubating-9.0-beta-rc3/ incubating-netbeans-java-9.0-beta-bin.zip(me) @Geertjan, the vote thread you referenced earlier, we voted on the link I used - and got a good signature, so I think that's okay. But the website points to a different URL (The one Leo checked). I suspect that the website is using the wrong URL, but before I jump to that conclusion, just curious after the successful vote would you have moved the artefact to the location on the website? Regards John On 8 March 2018 at 01:50, Leo Donahue <donahu...@gmail.com> wrote: > Hi John, > > I noticed that you didn't issue: gpg --import KEYS > > I tried again, using wget to download the binary zip file, same result. I > have also tried different mirrors. I guess I will just build from source, > I was just being lazy. > > (The --list-keys command illustrates I don't already have the KEYS file > imported) > > leo@vmw01:~$ *gpg --list-keys* > leo@vmw01:~$ *wget > https://dist.apache.org/repos/dist/release/incubator/netbeans/KEYS > <https://dist.apache.org/repos/dist/release/incubator/netbeans/KEYS>* > --2018-03-07 18:40:53-- https://dist.apache.org/repos/ > dist/release/incubator/netbeans/KEYS > Resolving dist.apache.org (dist.apache.org)... 209.188.14.144 > Connecting to dist.apache.org (dist.apache.org)|209.188.14.144|:443... > connected. > HTTP request sent, awaiting response... 200 OK > Length: 7594 (7.4K) [text/plain] > Saving to: ‘KEYS’ > > KEYS 100%[========================= > ==============================================>] 7.42K --.-KB/s in > 0s > > 2018-03-07 18:40:54 (42.0 MB/s) - ‘KEYS’ saved [7594/7594] > > leo@vmw01:~$ *wget > https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta/incubating-netbeans-java-9.0-beta-bin.zip.asc > <https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta/incubating-netbeans-java-9.0-beta-bin.zip.asc>* > --2018-03-07 18:41:11-- https://dist.apache.org/repos/ > dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta/ > incubating-netbeans-java-9.0-beta-bin.zip.asc > Resolving dist.apache.org (dist.apache.org)... 209.188.14.144 > Connecting to dist.apache.org (dist.apache.org)|209.188.14.144|:443... > connected. > HTTP request sent, awaiting response... 200 OK > Length: 819 [text/plain] > Saving to: ‘incubating-netbeans-java-9.0-beta-bin.zip.asc’ > > incubating-netbeans-java-9.0-beta-bin 100%[========================= > ==============================================>] 819 --.-KB/s in > 0s > > 2018-03-07 18:41:11 (16.4 MB/s) - > ‘incubating-netbeans-java-9.0-beta-bin.zip.asc’ > saved [819/819] > > leo@vmw01:~$ *wget > http://apache.cs.utah.edu/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta/incubating-netbeans-java-9.0-beta-bin.zip > <http://apache.cs.utah.edu/incubator/netbeans/incubating-netbeans-java/incubating-9.0-beta/incubating-netbeans-java-9.0-beta-bin.zip>* > --2018-03-07 18:41:41-- http://apache.cs.utah.edu/ > incubator/netbeans/incubating-netbeans-java/incubating-9.0- > beta/incubating-netbeans-java-9.0-beta-bin.zip > Resolving apache.cs.utah.edu (apache.cs.utah.edu)... 155.98.64.87 > Connecting to apache.cs.utah.edu (apache.cs.utah.edu)|155.98.64.87|:80... > connected. > HTTP request sent, awaiting response... 200 OK > Length: 167193685 (159M) [application/zip] > Saving to: ‘incubating-netbeans-java-9.0-beta-bin.zip’ > > incubating-netbeans-java-9.0-beta-bin 100%[========================= > ==============================================>] 159.45M 8.14MB/s in > 31s > > 2018-03-07 18:42:12 (5.22 MB/s) - ‘incubating-netbeans-java-9.0-beta-bin.zip’ > saved [167193685/167193685] > > leo@vmw01:~$ *gpg --import KEYS* > gpg: key B4C1940FEA9364F1: public key "Jan Lahoda (Key for signing Apache > NetBeans & co. releases.) <jlah...@apache.org>" imported > gpg: key 13E9F7AE3A4FD551: public key "geert...@apache.org (Key for > signing Apache NetBeans & co. releases.) <geert...@apache.org>" imported > gpg: Total number processed: 2 > gpg: imported: 2 > leo@vmw01:~$ *gpg --verify incubating-netbeans-java-9.0-beta-bin.zip.asc > incubating-netbeans-java-9.0-beta-bin.zip* > gpg: Signature made Wed 10 Jan 2018 03:41:31 PM MST > gpg: using RSA key B4C1940FEA9364F1 > gpg: BAD signature from "Jan Lahoda (Key for signing Apache NetBeans & co. > releases.) <jlah...@apache.org>" [unknown] > leo@vmw01:~$ > > > On Wed, Mar 7, 2018 at 5:00 PM, John McDonnell <mcdonnell.j...@gmail.com> > wrote: > >> I got something slightly different... >> >> I have a good signature when verifying the .asc file, but when I do an >> md5 or sha1 check on the zip file I get different results as to whats >> currently on the website: >> >> Johns-MacBook-Pro-2:netbeans_sig_test john$ wget >> https://dist.apache.org/repos/dist/dev/incubator/netbeans/in >> cubating-netbeans-java/incubating-9.0-beta-rc3/incubating- >> netbeans-java-9.0-beta-bin.zip >> --2018-03-07 23:48:01-- https://dist.apache.org/repos/ >> dist/dev/incubator/netbeans/incubating-netbeans-java/incubat >> ing-9.0-beta-rc3/incubating-netbeans-java-9.0-beta-bin.zip >> Resolving dist.apache.org... 209.188.14.144 >> Connecting to dist.apache.org|209.188.14.144|:443... connected. >> HTTP request sent, awaiting response... 200 OK >> Length: 167193685 (159M) [application/octet-stream] >> Saving to: 'incubating-netbeans-java-9.0-beta-bin.zip' >> >> incubating-netbeans-java-9.0-beta-bin.zip >> 100%[======================================================= >> =========================================================>] 159.45M >> 2.61MB/s in 57s >> >> 2018-03-07 23:48:58 (2.80 MB/s) - 'incubating-netbeans-java-9.0-beta-bin.zip' >> saved [167193685/167193685] >> >> Johns-MacBook-Pro-2:netbeans_sig_test john$ wget >> https://dist.apache.org/repos/dist/dev/incubator/netbeans/in >> cubating-netbeans-java/incubating-9.0-beta-rc3/incubating- >> netbeans-java-9.0-beta-bin.zip.asc >> --2018-03-07 23:49:49-- https://dist.apache.org/repos/ >> dist/dev/incubator/netbeans/incubating-netbeans-java/incubat >> ing-9.0-beta-rc3/incubating-netbeans-java-9.0-beta-bin.zip.asc >> Resolving dist.apache.org... 209.188.14.144 >> Connecting to dist.apache.org|209.188.14.144|:443... connected. >> HTTP request sent, awaiting response... 200 OK >> Length: 833 [text/plain] >> Saving to: 'incubating-netbeans-java-9.0-beta-bin.zip.asc' >> >> incubating-netbeans-java-9.0-beta-bin.zip.asc >> 100%[======================================================= >> =========================================================>] 833 >> --.-KB/s in 0s >> >> 2018-03-07 23:49:49 (18.9 MB/s) - >> 'incubating-netbeans-java-9.0-beta-bin.zip.asc' >> saved [833/833] >> >> Johns-MacBook-Pro-2:netbeans_sig_test john$ gpg --verify >> incubating-netbeans-java-9.0-beta-bin.zip.asc >> incubating-netbeans-java-9.0-beta-bin.zip >> gpg: Signature made Sun 4 Feb 13:57:10 2018 GMT >> gpg: using RSA key 51B0E375B4941714A809F90E13E9F7 >> AE3A4FD551 >> gpg: Good signature from "geert...@apache.org (Key for signing Apache >> NetBeans & co. releases.) <geert...@apache.org>" [unknown] >> gpg: WARNING: This key is not certified with a trusted signature! >> gpg: There is no indication that the signature belongs to the >> owner. >> Primary key fingerprint: 51B0 E375 B494 1714 A809 F90E 13E9 F7AE 3A4F >> D551 >> >> Johns-MacBook-Pro-2:netbeans_sig_test john$ md5 >> incubating-netbeans-java-9.0-beta-bin.zip >> MD5 (incubating-netbeans-java-9.0-beta-bin.zip) = >> 05d71d0e2a9360b3402c6068425773db >> Johns-MacBook-Pro-2:netbeans_sig_test john$ shasum >> incubating-netbeans-java-9.0-beta-bin.zip >> 0e9dbf7f70ceacf5b86b8e0ec1ea80b26d93293b incubating-netbeans-java-9.0-b >> eta-bin.zip >> >> Regards >> >> John >> >> On 7 March 2018 at 23:12, Geertjan Wielenga < >> geertjan.wiele...@googlemail.com> wrote: >> >>> Would be good if someone would verify this -- when I look at the VOTE >>> thread, the source signatures have been verified: >>> >>> https://lists.apache.org/thread.html/859cbc7d2f4631983e48e24 >>> e7c1053439cbebfee133cc9b3745046b4@%3Cdev.netbeans.apache.org%3E >>> >>> However, quite possibly the convenience binary signature has been >>> checked -- since Apache releases source code and not binaries, which are >>> optionally included for convenience only. >>> >>> Gj >>> >>> On Wed, Mar 7, 2018 at 11:48 PM, Leo Donahue <donahu...@gmail.com> >>> wrote: >>> >>>> Hi, >>>> >>>> Is this the right list for this question? >>>> >>>> I'm trying to verify the PGP ASC and KEY file but I get a bad signature >>>> message. >>>> >>>> I'm here: https://netbeans.apache.org/download/nb90/nb90-beta.html >>>> >>>> In Terminal: >>>> wget https://dist.apache.org/repos/dist/dev/incubator/netbeans/in >>>> cubating-netbeans-java/incubating-9.0-beta/incubating-netbea >>>> ns-java-9.0-beta-bin.zip.asc >>>> >>>> wget https://dist.apache.org/repos/dist/release/incubator/netbeans/KEYS >>>> >>>> pgp --import KEYS >>>> >>>> gpg --verify incubating-netbeans-java-9.0-beta-bin.zip.asc >>>> Downloads/incubating-netbeans-java-9.0-beta-bin.zip >>>> >>>> >>>> output: >>>> >>>> gpg: Signature made Wed 10 Jan 2018 03:41:31 PM MST >>>> gpg: using RSA key B4C1940FEA9364F1 >>>> gpg: BAD signature from "Jan Lahoda (Key for signing Apache NetBeans & >>>> co. releases.) <jlah...@apache.org>" [unknown] >>>> >>>> What did I forget to do? >>>> >>> >>> >> >
