Log4cxx / LOGCXX-503

Checksums/Signatures don't match for log4cxx binaries

Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 0.10.0
    • 0.10.0
    • None
    • None
    • Important

    Description

      If you download the tar or the zip and the associated checksum or signatures from:

      https://logging.apache.org/log4cxx/latest_stable/download.html

      you will end up with a mismatch.

      On that page, it states that "apache-log4cxx-0.10.0 is signed by Curt Arnold". When you attempt to verify the signature, you get mismatches:

      gpg --verify apache-log4cxx-0.10.0.tar.gz.asc apache-log4cxx-0.10.0.tar.gz
      gpg: Signature made Sat 10 Nov 2018 08:25:02 PM UTC using RSA key ID B62BABE8
      gpg: Good signature from "Matt Sicker (Apache Software Foundation) <mattsicker@apache.org>" [unknown]
      gpg: aka "Matthew Sicker (Signing Key) <mattsicker@apache.org>" [unknown]
      gpg: WARNING: This key is not certified with a trusted signature!
      gpg: There is no indication that the signature belongs to the owner.
      Primary key fingerprint: 748F 15B2 CF9B A8F0 2415 5E6E D7C9 2B70 FA1C 814D
      Subkey fingerprint: 9D0A 56AA A0D6 0E0C 0C7D CCC0 B4C7 0893 B62B ABE8

      It looks like the signatures were updated on 10 November 2018 as well, but there was no corresponding change to the binaries.

      https://archive.apache.org/dist/logging/log4cxx/0.10.0/
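An added example (not part of the original report, and not Log4cxx project code): the gpg output above reports a "Good signature" even though the signer differs from the one the download page names, so a release check should compare the signing key's primary fingerprint against one obtained out of band. The function names, the all-zero placeholder fingerprint and the sample status text are assumptions made for this sketch; the sample reuses the fingerprints quoted in the report.

```shell
#!/bin/sh
# Pin the release signer by primary-key fingerprint instead of relying on
# gpg's "Good signature" line, which only says that *some* key signed the file.

# Normalize a fingerprint: drop spaces, upper-case the hex digits.
norm_fpr() { printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'; }

# Read `gpg --status-fd` output on stdin and print the primary-key
# fingerprint from the VALIDSIG line (last field; older gpg versions omit
# it, in which case the signing key's own fingerprint is used).
signer_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print (NF >= 12 ? $12 : $3); exit }'
}

# check_signer EXPECTED_FPR < status-output
# Returns 0 on a valid signature by the expected key, 1 on a valid signature
# by a different key, 2 when no valid signature was reported at all.
check_signer() {
    expected=$(norm_fpr "$1")
    actual=$(signer_fpr)
    if [ -z "$actual" ]; then
        echo "no valid signature" >&2
        return 2
    fi
    if [ "$actual" != "$expected" ]; then
        echo "signer mismatch: got $actual, expected $expected" >&2
        return 1
    fi
}

# Real use (not run here): verify_release FILE.asc FILE EXPECTED_FPR
verify_release() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_signer "$3"
}

# Constructed status output matching the report's gpg run; the timestamp and
# algorithm fields are illustrative, the fingerprints are those quoted above.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG B4C70893B62BABE8 Matt Sicker (Apache Software Foundation) <mattsicker@apache.org>
[GNUPG:] VALIDSIG 9D0A56AAA0D60E0C0C7DCCC0B4C70893B62BABE8 2018-11-10 1541881502 0 4 0 1 8 00 748F15B2CF9BA8F024155E6ED7C92B70FA1C814D
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Placeholder for the fingerprint of the signer a download page documents.
DOCUMENTED_FPR='0000000000000000000000000000000000000000'
```

Piping `SAMPLE_STATUS` into `check_signer "$DOCUMENTED_FPR"` returns 1 (signer mismatch), while passing the primary fingerprint from the report returns 0.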

       

       

       

          People

            tschoening Thorsten Schöning
            machomatt Matt Youngblut