flink-1.6.1-bin-scala_2.11.tgz fails signture and hash verification

Hi,

I just downloaded flink-1.6.1-bin-scala_2.11.tgz from https://flink.apache.org/downloads.html and noticed that it fails signature verification with a 

gpg: BAD signature from "Till Rohrmann (stsffap) <[hidden email]>"

message. The sha512 hash doesn't match either.

I switched to 1.6.0, which verifies OK.

Best regards,

Gianluca

Hi Gianluca,

This is very strange, Till may be able to give an explanation, because it is the release manager of this version.

Thanks, vino.

Gianluca Ortelli <[hidden email]> 于2018年9月28日周五 下午4:02写道：

Hi,

I just downloaded flink-1.6.1-bin-scala_2.11.tgz from https://flink.apache.org/downloads.html and noticed that it fails signature verification with a 

gpg: BAD signature from "Till Rohrmann (stsffap) <[hidden email]>"

message. The sha512 hash doesn't match either.

I switched to 1.6.0, which verifies OK.

Best regards,

Gianluca

Hi Fabian,

the mirror is https://www.apache.org/dyn/closer.lua/flink/flink-1.6.1/flink-1.6.1-bin-scala_2.11.tgz

I just tried a download and the hash is still wrong: it should be

d0153bad859e3c2da7e73299837f95670279b3102a0982809f56eb61875908a10120e82bc2dca59972e912c0221cbbfd01f4cd1128a92dd37358e28fe1f76f2f

but instead it's

9b4ceb7ad59df27ea4c12d15845165dcf64675a26161d502d399234ae237f40f719ab6da4fac7ba210a20aa82364b5ac0377b06a1324e21516198b7a23b5d19c

Best regards,

Gianluca

On Mon, 1 Oct 2018 at 11:59, Fabian Hueske <[hidden email]> wrote:

Hi Gianluca,

I tried to validate the issue but hash and signature are OK for me.

Do you remember which mirror you used to download the binaries?

Best, Fabian

Am Sa., 29. Sep. 2018 um 17:24 Uhr schrieb vino yang <[hidden email]>:

Hi Gianluca,

This is very strange, Till may be able to give an explanation, because it is the release manager of this version.

Thanks, vino.

Gianluca Ortelli <[hidden email]> 于2018年9月28日周五 下午4:02写道：

Hi,

I just downloaded flink-1.6.1-bin-scala_2.11.tgz from https://flink.apache.org/downloads.html and noticed that it fails signature verification with a 

gpg: BAD signature from "Till Rohrmann (stsffap) <[hidden email]>"

message. The sha512 hash doesn't match either.

I switched to 1.6.0, which verifies OK.

Best regards,

Gianluca

Hi Gianluca,

I've downloaded flink-1.6.1-bin-scala_2.11.tgz from here [1] and verified that the shasum512 and the signature are both correct. 

The only way I could explain this is that either your downloaded artifacts or the mirror you got the binaries from got corrupted.

[1] https://dist.apache.org/repos/dist/release/flink/flink-1.6.1/

Cheers,

Till

On Mon, Oct 1, 2018 at 12:07 PM Gianluca Ortelli <[hidden email]> wrote:

Hi Fabian,

the mirror is https://www.apache.org/dyn/closer.lua/flink/flink-1.6.1/flink-1.6.1-bin-scala_2.11.tgz

I just tried a download and the hash is still wrong: it should be

d0153bad859e3c2da7e73299837f95670279b3102a0982809f56eb61875908a10120e82bc2dca59972e912c0221cbbfd01f4cd1128a92dd37358e28fe1f76f2f

but instead it's

9b4ceb7ad59df27ea4c12d15845165dcf64675a26161d502d399234ae237f40f719ab6da4fac7ba210a20aa82364b5ac0377b06a1324e21516198b7a23b5d19c

Best regards,

Gianluca

On Mon, 1 Oct 2018 at 11:59, Fabian Hueske <[hidden email]> wrote:

Hi Gianluca,

I tried to validate the issue but hash and signature are OK for me.

Do you remember which mirror you used to download the binaries?

Best, Fabian

Am Sa., 29. Sep. 2018 um 17:24 Uhr schrieb vino yang <[hidden email]>:

Hi Gianluca,

This is very strange, Till may be able to give an explanation, because it is the release manager of this version.

Thanks, vino.

Gianluca Ortelli <[hidden email]> 于2018年9月28日周五 下午4:02写道：

Hi,

I just downloaded flink-1.6.1-bin-scala_2.11.tgz from https://flink.apache.org/downloads.html and noticed that it fails signature verification with a 

gpg: BAD signature from "Till Rohrmann (stsffap) <[hidden email]>"

message. The sha512 hash doesn't match either.

I switched to 1.6.0, which verifies OK.

Best regards,

Gianluca

Hi Till,

I also believe that it's a problem with a single mirror. It was not a blocking problem for me; I just wanted you to be aware of it, in case you have some policy regarding the management of mirrors.

Best,

Gianluca

On Mon, 1 Oct 2018 at 14:27, Till Rohrmann <[hidden email]> wrote:

Hi Gianluca,

I've downloaded flink-1.6.1-bin-scala_2.11.tgz from here [1] and verified that the shasum512 and the signature are both correct. 

The only way I could explain this is that either your downloaded artifacts or the mirror you got the binaries from got corrupted.

[1] https://dist.apache.org/repos/dist/release/flink/flink-1.6.1/

Cheers,

Till

On Mon, Oct 1, 2018 at 12:07 PM Gianluca Ortelli <[hidden email]> wrote:

Hi Fabian,

the mirror is https://www.apache.org/dyn/closer.lua/flink/flink-1.6.1/flink-1.6.1-bin-scala_2.11.tgz

I just tried a download and the hash is still wrong: it should be

d0153bad859e3c2da7e73299837f95670279b3102a0982809f56eb61875908a10120e82bc2dca59972e912c0221cbbfd01f4cd1128a92dd37358e28fe1f76f2f

but instead it's

9b4ceb7ad59df27ea4c12d15845165dcf64675a26161d502d399234ae237f40f719ab6da4fac7ba210a20aa82364b5ac0377b06a1324e21516198b7a23b5d19c

Best regards,

Gianluca

On Mon, 1 Oct 2018 at 11:59, Fabian Hueske <[hidden email]> wrote:

Hi Gianluca,

I tried to validate the issue but hash and signature are OK for me.

Do you remember which mirror you used to download the binaries?

Best, Fabian

Am Sa., 29. Sep. 2018 um 17:24 Uhr schrieb vino yang <[hidden email]>:

Hi Gianluca,

This is very strange, Till may be able to give an explanation, because it is the release manager of this version.

Thanks, vino.

Gianluca Ortelli <[hidden email]> 于2018年9月28日周五 下午4:02写道：

Hi,

I just downloaded flink-1.6.1-bin-scala_2.11.tgz from https://flink.apache.org/downloads.html and noticed that it fails signature verification with a 

gpg: BAD signature from "Till Rohrmann (stsffap) <[hidden email]>"

message. The sha512 hash doesn't match either.

I switched to 1.6.0, which verifies OK.

Best regards,

Gianluca