Eclipse broken GPG signature (tampered downloads?) #3257
Description
The Eclipse download page at:
https://download.eclipse.org/eclipse/downloads/drops4/R-4.36-202505281830/
includes a file of SHA512 checksums and GPG signature for this file. The GPG signature is broken. Attempting to verify it using the steps at:
https://wiki.eclipse.org/Platform-releng/How_to_check_integrity_of_downloads
Results in a "BAD signature" error.
Steps to reproduce:
$ wget 'https://download.eclipse.org/eclipse/downloads/drops4/R-4.36-202505281830/checksum/eclipse-4.36-SUMSSHA512'
$ wget 'https://download.eclipse.org/eclipse/downloads/drops4/R-4.36-202505281830/checksum/eclipse-4.36-SUMSSHA512.asc'
$ sha256sum eclipse-*
06a9e396dcabfb1b6bcebeb0ddf733028bff86a27589c49f5368464cb4046958 eclipse-4.36-SUMSSHA512
7f9d46bac651fa912e2420889c73998b278c0cdbb4d8931a0236f7c82c4917a8 eclipse-4.36-SUMSSHA512.asc
$ gpg --verify eclipse-4.36-SUMSSHA512.asc eclipse-4.36-SUMSSHA512
gpg: Signature made Thu 29 May 2025 00:19:07 BST
gpg: using RSA key 9E3044071B758EBCB7E45673700E4F39BC05364B
gpg: Can't check signature: No public key
$ gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys 9E3044071B758EBCB7E45673700E4F39BC05364B
gpg: key B6D3AB9BCC641282: public key "Eclipse Platform Project <[email protected]>" imported
gpg: Total number processed: 1
gpg: imported: 1
$ gpg --verify eclipse-4.36-SUMSSHA512.asc eclipse-4.36-SUMSSHA512
gpg: Signature made Thu 29 May 2025 00:19:07 BST
gpg: using RSA key 9E3044071B758EBCB7E45673700E4F39BC05364B
gpg: BAD signature from "Eclipse Platform Project <[email protected]>" [unknown]
This problem also affects the download page for Eclipse 4.35.