Posted to users@tomcat.apache.org by Bill Rutledge <Bi...@liquent.com> on 2012/01/20 21:39:37 UTC

Cannot Validate Signature for apache-tomcat-7.0.23-windows-i64.zip

For apache-tomcat-7.0.23-windows-i64.zip, I used Kleopatra to import the KEYS and check the validity of the signatures in apache-tomcat-7.0.23-windows-i64.zip.asc and got the following. Does  this look like I've made some mistake in this process?


[cid:image001.png@01CCD788.1E255930]

Re: Cannot Validate Signature for apache-tomcat-7.0.23-windows-i64.zip

Posted by Pid <pi...@pidster.com>.
On 20/01/2012 20:39, Bill Rutledge wrote:
> For apache-tomcat-7.0.23-windows-i64.zip, I used Kleopatra to import the
> KEYS and check the validity of the signatures in
> apache-tomcat-7.0.23-windows-i64.zip.asc and got the following. Does
> this look like I've made some mistake in this process?
>
> cid:image001.png@01CCD788.1E255930

The list strips attachments and embedded images.

You'll need to post it online somewhere.


p


-- 

[key:62590808]


Re: Cannot Validate Signature for apache-tomcat-7.0.23-windows-i64.zip

Posted by Mark Thomas <ma...@apache.org>.
On 24/01/2012 20:01, Bill Rutledge wrote:
> I signed and trusted Mark's certificate:

On what basis are you trusting that that public key really does belong
to someone called "Mark Thomas"? Personally, I do rather more checks
before I'd trust someone else's public key.

> [cid:image001.png@01CCDAA8.11318280]

That's a nice series of characters. The list strips images.

> I tried to verify it, but it came up bad:
> 
> [cid:image002.png@01CCDAA8.11318280]

Can't see that image either.

Time to switch to a command line interface that you can copy and paste
stuff to/from.

The chances of a signature on a Tomcat release being bad are pretty
slim. The reasons for this are:
- Most of the tomcat committers have met each other, verified keys and
identities and have signed each others' keys
- They have also done the same for many other folks at the ASF and are
reasonably well embedded in the ASF web of trust
- Every Tomcat release artefact is signed by the release manager and
the signatures checked by multiple Tomcat committers
- There is an automated process that checks every binary uploaded to
the ASF distribution area and it complains loudly if there is a
problem with the signatures (we got a nag this afternoon because I
moved some things around and missed a few files) [1]

It looks very much like your OpenPGP configuration is bad or you have
a corrupted download. Try obtaining the file from a different mirror
or direct from the ASF master copy.

I have also signed this message. If you can't verify that signature,
it is more likely to be a local issue.

Mark


[1] http://people.apache.org/~henkp/checker/sig.html

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


RE: Cannot Validate Signature for apache-tomcat-7.0.23-windows-i64.zip

Posted by Bill Rutledge <Bi...@liquent.com>.
Chris,

I appreciate your help.

I signed and trusted Mark's certificate:

[cid:image001.png@01CCDAA8.11318280]

I tried to verify it, but it came up bad:

[cid:image002.png@01CCDAA8.11318280]


Re: Cannot Validate Signature for apache-tomcat-7.0.23-windows-i64.zip

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Bill,

On 1/20/12 3:39 PM, Bill Rutledge wrote:
> For apache-tomcat-7.0.23-windows-i64.zip, I used Kleopatra to
> import the KEYS

Do you mean this file?

http://www.apache.org/dist/tomcat/tomcat-7/KEYS

> and check the validity of the signatures in 
> apache-tomcat-7.0.23-windows-i64.zip.asc and got the following.
> Does this look like I’ve made some mistake in this process?

WFM:

$ gpg --verify apache-tomcat-7.0.23-windows-i64.zip.asc apache-tomcat-7.0.23-windows-i64.zip
gpg: Signature made Sun Nov 20 15:36:27 2011 EST using RSA key ID 2F6059E7
gpg: Good signature from "Mark E D Thomas <ma...@apache.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: A9C5 DF4D 22E9 9998 D987  5A51 10C0 1C5A 2F60 59E7

So, if you trust the key with the above fingerprint, you should be fine.

Don't forget that you'll need to sign Mark's key if you want to
actually trust it. Then the warning you see above will go away.

(I don't trust Mark's key, yet, because he hasn't actually
participated in a key signing event that I've attended. No offense, Mark.)

-chris
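A command-line check along the lines Mark and Chris describe, as an added example that is not code from this thread or from the Tomcat project: it runs gpg with --status-fd so the result can be parsed rather than eyeballed, and it pins the primary key fingerprint Chris quotes so that a "Good signature" made by some other key is rejected rather than accepted. The script name, the placeholder user ID in the constructed sample status lines, and the verdict labels are assumptions.

```python
import re
import subprocess
import sys

# Primary key fingerprint quoted in the thread for Mark E D Thomas's key;
# in practice take it from the KEYS file you imported, not from an e-mail.
EXPECTED_FPR = "A9C5 DF4D 22E9 9998 D987 5A51 10C0 1C5A 2F60 59E7"

# Constructed sample of "gpg --status-fd 1" output (placeholder user ID).
SAMPLE_STATUS = """\
[GNUPG:] GOODSIG 10C01C5A2F6059E7 Mark E D Thomas <rm@example.invalid>
[GNUPG:] VALIDSIG A9C5DF4D22E99998D9875A5110C01C5A2F6059E7 2011-11-20 \
1321821387 0 4 0 1 2 00 A9C5DF4D22E99998D9875A5110C01C5A2F6059E7
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

def normalize_fpr(fpr: str) -> str:
    """Drop whitespace and upper-case so fingerprints compare reliably."""
    return re.sub(r"\s+", "", fpr).upper()

def judge_status(status_output: str, expected_fpr: str) -> str:
    """Return 'good' (VALIDSIG by the pinned primary key), 'wrong-key' (valid
    signature, other key), 'bad' (BADSIG: archive/signature mismatch, e.g. a
    corrupt download), 'no-key' (NO_PUBKEY: KEYS not imported) or 'unknown'."""
    want = normalize_fpr(expected_fpr)
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        if fields[1] == "VALIDSIG":
            # VALIDSIG <sig-fpr> <date> <ts> <exp> <ver> <rsv> <pk> <hash> <class> [<primary-fpr>]
            primary = fields[11] if len(fields) >= 12 else fields[2]
            return "good" if normalize_fpr(primary) == want else "wrong-key"
        if fields[1] == "BADSIG":
            return "bad"
        if fields[1] == "NO_PUBKEY":
            return "no-key"
    return "unknown"

def verify_release(archive: str, signature: str, expected_fpr: str = EXPECTED_FPR) -> str:
    """Run gpg on the detached .asc and judge its machine-readable status."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", signature, archive],
        capture_output=True, text=True, check=False)
    return judge_status(proc.stdout, expected_fpr)

if __name__ == "__main__":
    # usage: verify_tomcat.py apache-tomcat-7.0.23-windows-i64.zip
    verdict = verify_release(sys.argv[1], sys.argv[1] + ".asc")
    print("verdict:", verdict)
    sys.exit(0 if verdict == "good" else 1)
```

A 'bad' verdict is the corrupted-download case Mark describes, so re-fetch the archive from another mirror or the ASF master copy before suspecting the key; 'wrong-key' means a valid signature from a key other than the one in KEYS, which is the case the human-readable "Good signature" line alone would not flag.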
