[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Orekit Users] new orekit version

Evan Ward <evan.ward@nrl.navy.mil> a écrit :

Hi Evan,

A colleague of mine is trying to verify the PGP signatures on the
recently released Orekit 7.1 sources. I've tried as well and it seems
that the signature file orekit-7.1-sources.jar.asc doesn't match
orekit-7.1-sources.zip. Am I comparing the right files or is there some
mistake with the signature?
Ooops. My bad.

The orekit-7.1-sources.jar.asc correspond to file orekit-7.1-sources.jar,
which is a maven artifact, not the source distribution. This file is
intended for IDE like eclipse, it is distributed here:

I removed this spurious signature file form the files section in the forge
and uploaded the correct signature file for orekit-7.1-sources.zip, which
is named orekit-7.1-sources.zip.asc.

Thanks for reporting the issue.

best regards,

Best Regards,

On 02/11/2016 09:25 AM, Bill Immerman wrote:
I probably just downloaded it with gpg from some default keyserver. When you try to verify with gpg and don’t have a matching key, it tells you what the key it’s looking for is, and I usually just request that key with —recv-key option.
The error I got this time was different … it said it was a bad key.


On Feb 11, 2016, at 7:43 AM, Evan Ward <evan.ward@nrl.navy.mil> wrote:

Where did you find the public key? I haven't actually tried to verify a
PGP signature before.


On 02/11/2016 02:25 AM, William Immerman wrote:
Hey Evan—

You might want to note to whoever maintains repository/website that the signature file for the new orekit version seems to be named wrong (orekit-7.1-sources.jar.asc instead of orekit-7.1-sources.zip.asc), and more importantly, it indicates a bad signature when I try to verify it. The MD5 checksum on the downloaded file matches the website’s published value.
Please let me know if the signature was wrong, or if the  
published source zip file is suspect?