Details
-
Bug
-
Status: Resolved
-
Major
-
Resolution: Fixed
-
0.10.0
-
None
-
None
-
Important
Description
If you download the tar or the zip and the associated checksum or signatures from:
https://logging.apache.org/log4cxx/latest_stable/download.html
You will end up with a mismatch.
On that page, it states that "apache-log4cxx-0.10.0 is signed by Curt Arnold". When you attempt to verify the signature, you get mismatches:
gpg --verify apache-log4cxx-0.10.0.tar.gz.asc apache-log4cxx-0.10.0.tar.gz
gpg: Signature made Sat 10 Nov 2018 08:25:02 PM UTC using RSA key ID B62BABE8
gpg: Good signature from "Matt Sicker (Apache Software Foundation) <mattsicker@apache.org>" [unknown]
gpg: aka "Matthew Sicker (Signing Key) <mattsicker@apache.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 748F 15B2 CF9B A8F0 2415 5E6E D7C9 2B70 FA1C 814D
Subkey fingerprint: 9D0A 56AA A0D6 0E0C 0C7D CCC0 B4C7 0893 B62B ABE8
It looks like the signatures were updated on 10 November 2018 as well, but there was no corresponding change to the binaries.
https://archive.apache.org/dist/logging/log4cxx/0.10.0/