On 9/5/2016 11:02 PM, Malcolm Allison [CASS] wrote:
> Today I downloaded Solr 6.2.0 from apache.org along with the keys and MD5
>
> ~# wget http://www-us.apache.org/dist/lucene/solr/6.2.0/KEYS
> ~# wget http://www-us.apache.org/dist/lucene/solr/6.2.0/solr-6.2.0.zip.asc
> ~# wget http://www-us.apache.org/dist/lucene/solr/6.2.0/solr-6.2.0.tgz
> ~# wget http://www-us.apache.org/dist/lucene/solr/6.2.0/solr-6.2.0.zip.md5
>
> I imported the keys and attempted to verify...
>
> ~# gpg --import KEYS
> ~# gpg --verify solr-6.2.0.zip.asc solr-6.2.0.tgz
>
> But got the following error...
>
> gpg: Signature made Sat 20 Aug 2016 21:42:56 NZST using DSA key ID 6E68DA61 
> gpg: BAD signature from "Michael McCandless (CODE SIGNING KEY)
>
> I have downloaded again from another machine with the same result. Is there a 
> problem with the signing of this package? I am hesitant to install it on our 
> servers in this state.

Does the md5sum check out?

Here's what I did, and found that the signature verifies:

root@sauron:~/asf# wget https://archive.apache.org/dist/lucene/solr/6.2.0/KEYS
root@sauron:~/asf# wget https://archive.apache.org/dist/lucene/solr/6.2.0/solr-6.2.0.tgz
root@sauron:~/asf# wget https://archive.apache.org/dist/lucene/solr/6.2.0/solr-6.2.0.tgz.asc

root@sauron:~/asf# gpg --import KEYS
<snip>
root@sauron:~/asf# gpg --verify solr-6.2.0.tgz.asc
gpg: assuming signed data in `solr-6.2.0.tgz'
gpg: Signature made Sat 20 Aug 2016 03:42:55 AM MDT using DSA key ID 6E68DA61
gpg: Good signature from "Michael McCandless (CODE SIGNING KEY) <mikemcc...@apache.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 2C72 EB13 9773 3A55 1DDB  60CC F119 941F 6E68 DA61

I was also able to verify the zip version.

root@sauron:~/asf# gpg --verify solr-6.2.0.zip.asc
gpg: assuming signed data in `solr-6.2.0.zip'
gpg: Signature made Sat 20 Aug 2016 03:42:56 AM MDT using DSA key ID 6E68DA61
gpg: Good signature from "Michael McCandless (CODE SIGNING KEY) <mikemcc...@apache.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 2C72 EB13 9773 3A55 1DDB  60CC F119 941F 6E68 DA61

The first thing that comes to mind is that maybe you've got a broken
version of wget that is not downloading correctly.

Thanks,
Shawn
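
Added example, not part of either message above: the quoted commands pass solr-6.2.0.zip.asc together with solr-6.2.0.tgz, so this sketch refuses a detached signature whose name does not match the file, then requires gpg's status output to name the primary key fingerprint printed in the reply. The function names are hypothetical, and the fingerprint is assumed to have been confirmed through a channel you trust.

```shell
#!/usr/bin/env bash
# Added example: pair each detached signature with the file it signs, then
# check gpg's machine-readable status for the expected key fingerprint.

# Primary key fingerprint as printed in the gpg output above (spaces removed).
EXPECTED_FPR="2C72EB1397733A551DDB60CCF119941F6E68DA61"

# sig_matches_artifact SIG FILE: succeed only if SIG is named FILE.asc.
sig_matches_artifact() {
    [ "$(basename "$1")" = "$(basename "$2").asc" ]
}

# validsig_fpr: read `gpg --status-fd` lines on stdin and print the last
# field (the primary key fingerprint) of the first VALIDSIG line.
validsig_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }'
}

# verify_release SIG FILE: 0 = verified, 1 = gpg or fingerprint failure,
# 2 = the signature file does not belong to FILE.
verify_release() {
    local sig="$1" file="$2" status fpr
    if ! sig_matches_artifact "$sig" "$file"; then
        echo "refusing: $sig is not the signature for $file" >&2
        return 2
    fi
    # Name both files explicitly so gpg never guesses the signed data.
    if ! status=$(gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null); then
        echo "FAILED: gpg rejected $sig for $file" >&2
        return 1
    fi
    fpr=$(printf '%s\n' "$status" | validsig_fpr)
    if [ "$fpr" != "$EXPECTED_FPR" ]; then
        echo "FAILED: signer '$fpr' is not $EXPECTED_FPR" >&2
        return 1
    fi
    echo "OK: $file signed by $fpr"
}
```

Run it once per download, for example verify_release solr-6.2.0.tgz.asc solr-6.2.0.tgz.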
