Posted to user@geronimo.apache.org by "Alex D. Baxter" <al...@ctsu.ox.ac.uk> on 2006/02/14 15:18:00 UTC

Problem verifying Geronimo 1.0 release

I could not verify the checksums or PGP signatures after downloading the
following packages (using the mirror recommended to me by the script):

http://www.mirrorservice.org/sites/ftp.apache.org/geronimo/1.0/geronimo-jetty-j2ee-1.0.tar.gz
http://www.mirror.ac.uk/mirror/ftp.apache.org/geronimo/1.0/geronimo-tomcat-j2ee-1.0.tar.gz

e.g. for geronimo-tomcat-j2ee-1.0.tar.gz the SHA1 checksum at:
http://www.apache.org/dist/geronimo/1.0/geronimo-tomcat-j2ee-1.0.tar.gz.sha
is:
7a75e6f076d919f8175980fe7d38421ee87c9910
however the generated SHA1 checksum (sha1sum --version giving "shasum
(coreutils) 5.2.1") is:
903bbd480f432a82c35de38159c1a89221fd587c

the PGP signature from:
http://www.apache.org/dist/geronimo/1.0/geronimo-tomcat-j2ee-1.0.tar.gz.asc
is:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQBDva7e+4xOrf6bkrsRAkN4AJ91KzHQBkr3w2NqB+IpYPAq84m/zgCfYMFs
TLlG1Jdm0VYXt4QNLpNpFgc=
=m+BA
-----END PGP SIGNATURE-----

verifying:
$ gpg --verify  geronimo-tomcat-j2ee-1.0.tar.gz.asc
gpg: Signature made Thu 05 Jan 2006 23:42:22 GMT using DSA key ID FE9B92BB
gpg: Can't check signature: public key not found

the key ID FE9B92BB is not present in the keys file at:
http://cvs.apache.org/dist/geronimo/KEYS

and I could not find it on either of two keyservers I checked, so I am
unable to verify the signature.

I have downloaded the packages from several different mirrors and
checked them on two different client machines, with the same result.
-- 
Alex D. Baxter <ma...@ctsu.ox.ac.uk>
CTSU x3855 - external (+44) 01865 743855
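
Added example, not part of the original message: the two checks from the post as shell functions that keep "digest does not match" apart from "signature could not be checked because the key is missing". It assumes GNU coreutils sha1sum and gpg's --status-fd output; the function names, the sample artifact and the 16-digit key ID are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example. All sample data below is constructed.

# Print the first 40-hex-digit word found in a .sha file, lowercased.
# Handles a bare digest as well as the "digest  filename" layout.
published_sha1() {
    tr 'A-F' 'a-f' < "$1" | grep -Eow '[0-9a-f]{40}' | head -n 1
}

# check_sha1 ARTIFACT SHAFILE -> 0 match, 1 mismatch, 2 no digest in SHAFILE
check_sha1() {
    local want got
    want=$(published_sha1 "$2")
    [ -n "$want" ] || return 2
    got=$(sha1sum "$1" | cut -d' ' -f1)
    [ "$got" = "$want" ]
}

# Read the output of `gpg --status-fd 1 --verify SIG FILE` on stdin and print
# good | bad | nokey:<keyid> | unknown. Only "good" counts as verified.
classify_gpg_status() {
    awk '
        $1 != "[GNUPG:]"  { next }
        $2 == "BADSIG"    { bad = 1 }
        $2 == "NO_PUBKEY" { nokey = $3 }
        $2 == "GOODSIG"   { good = 1 }
        END {
            if (bad)              print "bad"
            else if (nokey != "") print "nokey:" nokey
            else if (good)        print "good"
            else                  print "unknown"
        }'
}

demo() {
    local d; d=$(mktemp -d)
    printf 'constructed artifact\n' > "$d/pkg.tar.gz"
    sha1sum "$d/pkg.tar.gz" > "$d/pkg.tar.gz.sha"     # digest of the original
    check_sha1 "$d/pkg.tar.gz" "$d/pkg.tar.gz.sha" && echo "digest: match"
    printf 'changed\n' >> "$d/pkg.tar.gz"             # simulate a different file
    check_sha1 "$d/pkg.tar.gz" "$d/pkg.tar.gz.sha" || echo "digest: MISMATCH"
    # Constructed status line for a signature whose key is not in the keyring.
    printf '[GNUPG:] NO_PUBKEY 1111111111111111\n' | classify_gpg_status
    rm -rf "$d"
}
demo
```

A "nokey" result says nothing about the file either way; the signature stays unverified until the key is obtained from a source trusted independently of the mirror.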