Posted to users@tomcat.apache.org by Christopher Schultz <sc...@apache.org> on 2022/08/11 17:29:35 UTC

Re: Tomcat 8 releases - where to get correct key

Petr,

Please don't email committers directly. I'm replying to the Tomcat 
users' mailing list with my response, as it's useful information for 
everyone.

On 8/11/22 09:23, Petr Sumbera wrote:
> I have a problem where to get correct key for previous version.
>
> Can you please advise where to get correct key for validation?
>
> Source
> https://archive.apache.org/dist/tomcat/tomcat-8/v8.5.81/src/apache-tomcat-8.5.81-src.tar.gz...
>      downloading...
>      validating signature... failed
> gpg: Warning: using insecure memory!
> gpg: Signature made Wed Jun  8 23:39:12 2022 CEST
> gpg:                using RSA key 3262A061C42FC4C7BBB5C25C1CF0293FA53CA458
>
> gpg: requesting key 1CF0293FA53CA458 from hkp server keys.gnupg.net
> gpg: Can't check signature: No public key

You have a couple of options.

The first option would be to simply download the key from a public key 
server. Something like this:

$ gpg --receive-keys 3262A061C42FC4C7BBB5C25C1CF0293FA53CA458

The second option is to fetch the KEYS file from any of the following 
places:

1. https://downloads.apache.org/tomcat/tomcat-8/KEYS
2. (During Voting) https://dist.apache.org/repos/dist/dev/tomcat/tomcat-8/v8.5.81/KEYS
   (After Release) https://dist.apache.org/repos/dist/release/tomcat/tomcat-8/v8.5.81/KEYS
3. https://github.com/apache/tomcat/tree/8.5.81/KEYS
4. apache-tomcat-8.5.81-src.tar.gz/KEYS
5. apache-tomcat-8.5.81-src.zip/KEYS

(Really, you shouldn't trust any KEYS file you get in a distribution 
because the distribution could have modified the KEYS file to include 
its own key ... and then changed all the signatures.)

If you visit the Tomcat downloads page[1] and read the "Release 
Integrity" section, you'll see a link to the KEYS file there. Note that 
KEYS files should always be downloaded directly from Apache, and not 
from anywhere else (okay, GitHub is probably fine).

Hope that helps,
-chris

[1] https://tomcat.apache.org/download-80.cgi
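
The KEYS-file option described above, as an added example that is not part of the original message: shell functions that import a KEYS file into a throwaway keyring and accept the archive only when gpg's machine-readable status reports a valid signature from the fingerprint shown in the quoted output. The function names and the sample status lines are constructed for illustration.

```bash
#!/bin/sh
# Added example, not from the original message. Sample status lines are constructed.

# Fingerprint gpg printed for the 8.5.81 signature in the quoted output.
PINNED_FPR=3262A061C42FC4C7BBB5C25C1CF0293FA53CA458

# Reads `gpg --status-fd` lines on stdin. Succeeds only if a VALIDSIG line names
# the pinned fingerprint (signing key or primary key) and no signature failed.
status_is_pinned() {
  awk -v pin="$1" '
    $1 != "[GNUPG:]" { next }
    $2 == "VALIDSIG" && ($3 == pin || $NF == pin) { ok = 1 }
    $2 == "BADSIG" || $2 == "ERRSIG" { bad = 1 }
    END { exit !(ok && !bad) }'
}

# verify_release KEYS ARCHIVE SIGNATURE
# KEYS must come from downloads.apache.org, never from inside the archive.
# A throwaway keyring keeps keys already on this machine out of the decision.
verify_release() {
  home=$(mktemp -d) || return 2
  gpg --homedir "$home" --batch --quiet --import "$1" 2>/dev/null
  gpg --homedir "$home" --batch --status-fd 1 --verify "$3" "$2" 2>/dev/null |
    status_is_pinned "$PINNED_FPR"
  rc=$?
  rm -rf "$home"
  return "$rc"
}

# Constructed status output: signature checks out against the pinned key.
sample_signed_by_pin() {
  echo "[GNUPG:] VALIDSIG $PINNED_FPR 2022-06-08 1654724352 0 4 0 1 10 00 $PINNED_FPR"
}
# Constructed: the key is missing, as in the quoted "No public key" failure.
sample_no_pubkey() {
  echo "[GNUPG:] ERRSIG 1CF0293FA53CA458 1 10 00 1654724352 9 $PINNED_FPR"
  echo "[GNUPG:] NO_PUBKEY 1CF0293FA53CA458"
}
# Constructed: a valid signature, but made by a key that is not the pinned one
# (what a re-signed distribution with its own KEYS entry would produce).
sample_other_signer() {
  other=0000000000000000000000000000000000000001
  echo "[GNUPG:] VALIDSIG $other 2022-06-08 1654724352 0 4 0 1 10 00 $other"
}

for s in sample_signed_by_pin sample_no_pubkey sample_other_signer; do
  if "$s" | status_is_pinned "$PINNED_FPR"; then echo "$s: accept"; else echo "$s: reject"; fi
done
```

Comparing the full fingerprint rather than the 16-character key ID from the "requesting key" line is what makes the third sample fail even though gpg itself would report a good signature.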
