  1. Log4j 2
  2. LOG4J2-3240

org.apache.logging.log4j does not match archive.apache.org/dist/logging/log4j/


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: 2.16.0
    • Fix Version/s: None
    • Component/s: Core

    Description

      The releases of Log4j 2 from org.apache.logging.log4j do not match the signed releases from https://archive.apache.org/dist/logging/log4j/. Please check build process per Matt Sicker.
       
      At https://search.maven.org/search?q=a:log4j-core
      org.apache.logging.log4j --> 2.16.0 -> download jar
       
      $ sha256sum  log4j-core-2.16.0.jar
      5d241620b10e3f1475320bc9552cf7bcfa27eeb9b1b6a891449e76db4b4a02a8  log4j-core-2.16.0.jar
       
      From https://www.apache.org/dyn/closer.lua/logging/log4j/2.16.0/apache-log4j-2.16.0-bin.zip
       
      $ sha256sum apache-log4j-2.16.0-bin/log4j-core-2.16.0.jar
      085e0b34e40533015ba6a73e85933472702654e471c32f276e76cffcf7b13869  apache-log4j-2.16.0-bin/log4j-core-2.16.0.jar
       
      $ gpg --verify apache-log4j-2.16.0-bin.zip.asc
      gpg: assuming signed data in 'apache-log4j-2.16.0-bin.zip'
      gpg: Signature made Mon 13 Dec 2021 12:40:11 AM EST
      gpg:                using RSA key 9D0A56AAA0D60E0C0C7DCCC0B4C70893B62BABE8
      gpg: Good signature from "Matt Sicker (Apache Software Foundation) <mattsicker@apache.org>" [unknown]
      gpg:                 aka "Matthew Sicker (Signing Key) <mattsicker@apache.org>" [unknown]
       
      diff also shows that the MANIFEST.MF Bnd-LastModified field is different in log4j-core-2.16.0.jar between the two sources.
       
      diff -r 2.16.0-bin/META-INF/MANIFEST.MF log4j-core-2.16.0/META-INF/MANIFEST.MF
      5c5
      < Bnd-LastModified: 1639373735804

      > Bnd-LastModified: 1639374077682
       
      This difference in META-INF/MANIFEST.MF is also in org.apache.logging.log4j:log4j-core: 2.15.0 

          People

            Assignee: Unassigned
            Reporter: Kevin Kotas
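An added example, not part of the original report or of the Log4j project: a per-entry comparison that tells whether a whole-file hash mismatch between two copies of a jar is confined to the `Bnd-LastModified` manifest field shown in the diff above or extends to other entries. The sample jars are constructed in memory, and `build_jar`, `compare_jars` and `org/example/Sample.class` are hypothetical names; treating only `Bnd-LastModified` as build-time noise is an assumption.

```python
import hashlib
import io
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"
# Assumption: only the attribute named in the report is treated as build-time noise.
VOLATILE = {b"Bnd-LastModified"}

def strip_volatile(manifest: bytes) -> bytes:
    """Drop volatile attribute lines so the rest of the manifest can be compared."""
    lines = manifest.splitlines(keepends=True)
    return b"".join(l for l in lines if l.split(b":", 1)[0] not in VOLATILE)

def compare_jars(a: bytes, b: bytes) -> dict:
    """Classify per-entry differences between two jars given as bytes."""
    za, zb = zipfile.ZipFile(io.BytesIO(a)), zipfile.ZipFile(io.BytesIO(b))
    na, nb = set(za.namelist()), set(zb.namelist())
    out = {"only_in_one": sorted(na ^ nb), "volatile_only": [], "content": []}
    for name in sorted(na & nb):
        da, db = za.read(name), zb.read(name)
        if hashlib.sha256(da).digest() == hashlib.sha256(db).digest():
            continue
        if name == MANIFEST and strip_volatile(da) == strip_volatile(db):
            out["volatile_only"].append(name)
        else:
            out["content"].append(name)
    return out

def build_jar(last_modified: str, class_bytes: bytes = b"\xca\xfe\xba\xbe constructed") -> bytes:
    """Constructed sample jar for the demo; not a real Log4j artifact."""
    manifest = ("Manifest-Version: 1.0\r\n"
                f"Bnd-LastModified: {last_modified}\r\n"
                "Bundle-Name: sample\r\n\r\n")
    stamp = (2021, 12, 13, 0, 0, 0)  # fixed entry timestamp so only contents vary
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(zipfile.ZipInfo(MANIFEST, date_time=stamp), manifest)
        z.writestr(zipfile.ZipInfo("org/example/Sample.class", date_time=stamp), class_bytes)
    return buf.getvalue()

if __name__ == "__main__":
    dist = build_jar("1639373735804")     # value from the '<' side of the diff above
    central = build_jar("1639374077682")  # value from the '>' side of the diff above
    print(hashlib.sha256(dist).hexdigest() == hashlib.sha256(central).hexdigest())
    print(compare_jars(dist, central))
    print(compare_jars(dist, build_jar("1639374077682", b"\xca\xfe\xba\xbe changed")))
```

For real artifacts, read each jar's bytes from disk and pass them to `compare_jars`; any name listed under `content` or `only_in_one` is a difference the manifest field does not account for.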