Description
The signatures for the 2.3.28 release tars don't seem to match the files.
I downloaded apache-freemarker-2.3.28-bin.tar.gz from https://freemarker.apache.org/freemarkerdownload.html and also the .sha512 and .asc files.
I run "sha512sum apache-freemarker-2.3.28-bin.tar.gz" and got:
a77becbfe29785eca4ce5b51786ab783ef686f4159546fa88ce13b0592befe43db98c8a6d4e8e113f35a0b6515ca85e4ea9962df57b76a3ca172989557d9b20c apache-freemarker-2.3.28-bin.tar.gz
which is different from apache-freemarker-2.3.28-bin.tar.gz.sha512:
534cb51b781e83b2109f43a9186a030a1c3d6c5c13117bd5a6168b10c9a3cbd010e6ce806fdc6fce66e4b8a59d8a752f0552758ec769795e2bd3b66c09c0442a
I then tried the .asc and it also failed:
gpg --verify apache-freemarker-2.3.28-bin.tar.gz.asc
gpg: assuming signed data in 'apache-freemarker-2.3.28-bin.tar.gz'
gpg: Signature made Sat 31 Μαρ 2018 12:11:30 am EEST
gpg: using RSA key 1939A2520BAB1D90
gpg: BAD signature from "Daniel Dekany <ddekany@apache.org>" [unknown]
Similarly for the src tar.