Hi Konstantin,

On 2016-04-20 01:25:25, Konstantin Kolinko wrote:
> 2016-04-19 23:00 GMT+03:00 Martijn Bos <mart...@maboc.nl>:
> > Hi all,
> >
> > (I post in this list since I downloaded from tomcat.apache.org. If there is
> > a more appropriate list, of course I will try over there)
> >
> > 1 - Downloaded the taglibs from
> > http://tomcat.apache.org/download-taglibs.cgi#Standard-1.2.5
>
> The "verify" word on the above page links to a detailed instruction,
> https://www.apache.org/info/verification.html
>
> > 2 - Downloaded the PGP signatures for the files
> > 2 - Downloaded KEYS. (The pgp public keys from the releaser(s) of the
> > files)
> > 3 - Imported the keys into gpg:
> > martijn@radijs:~/external_documents/Downloads$ gpg --import KEYS
> > gpg: sleutel A7A0233C: publieke sleutel "Jeremy Boynes
> > <jboy...@apache.org>" geïmporteerd
> > gpg: Totaal aantal verwerkt: 1
> > gpg: geïmporteerd: 1 (RSA: 1)
> > martijn@radijs:~/external_documents/Downloads$
> >
> > 4 - checked the signature of the downloaded files:
> > martijn@radijs:~/external_documents/Downloads$ gpg
> > taglibs-standard-impl-1.2.5.jar.asc
>
> The above verification command is wrong. You must specify 2 file
> arguments to gpg --verify. See the verification.html page that I
> mentioned above.
>
Thank you. I didn't read the page in the first place, because I thought I
knew it all :-( (Once again I'm proven wrong.)

However (call me stubborn), as far as I understand, in this case my way is
not wrong per se. The verify is with a detached signature. gpg can deduce
(and find) the name of the file which was signed from the name of the
detached signature. Below I copy/pasted the same verification with 1 and
with 2 arguments. To me the results look the same. (If the signature and the
file name do not match, then my approach will not work at all, of course.)

> > gpg: gegevens in `taglibs-standard-impl-1.2.5.jar' worden verondersteld
> > ondertekend te zijn
> > gpg: Ondertekening gemaakt op di 10 mrt 2015 17:11:32 CET met RSA
> > sleutel-ID A7A0233C
> > gpg: Goede handtekening van "Jeremy Boynes <jboy...@apache.org>"
> > gpg: Noot: Deze sleutel is vervallen!
> > Vingerafdruk van de primaire sleutel: 8B46 CA49 EF48 37B8 C7F2 92DA A54A
> > D08E A7A0 233C
> >
> > It's in Dutch :-)
>
> Executing the below command before the above one should switch it to English.
> LANG=C
>
> Maybe it also needs export LANG, I do not remember.
>

The moment I read your comment I thought: "Could've done that myself".
So ... now in English, so everyone can read it:

martijn@radijs:~/external_documents/Downloads$ export LANG=C
martijn@radijs:~/external_documents/Downloads$ gpg --verify taglibs-standard-compat-1.2.5.jar.asc
gpg: assuming signed data in `taglibs-standard-compat-1.2.5.jar'
gpg: Signature made Tue Mar 10 17:11:38 2015 CET using RSA key ID A7A0233C
gpg: Good signature from "Jeremy Boynes <jboy...@apache.org>"
gpg: Note: This key has expired!
Primary key fingerprint: 8B46 CA49 EF48 37B8 C7F2 92DA A54A D08E A7A0 233C
martijn@radijs:~/external_documents/Downloads$

And with the signed file as a second argument:

martijn@radijs:~/external_documents/Downloads$ gpg --verify taglibs-standard-compat-1.2.5.jar.asc taglibs-standard-compat-1.2.5.jar
gpg: Signature made Tue Mar 10 17:11:38 2015 CET using RSA key ID A7A0233C
gpg: Good signature from "Jeremy Boynes <jboy...@apache.org>"
gpg: Note: This key has expired!
Primary key fingerprint: 8B46 CA49 EF48 37B8 C7F2 92DA A54A D08E A7A0 233C
martijn@radijs:~/external_documents/Downloads$

> > The message is telling me that the file is signed by key A7A0233C
> > (I never did sign this key myself.. there is no trust.. so gpg also tells me
> > that)
> > Then gpg tells me "This key is expired"!!!
> >
> > I'm not sure what to think of this... Is this a problem, or am I just too
> > paranoid?
> >
> > Can anyone shine his/her light on this.
>
> $ gpg --list-keys A7A0233C
>
> pub   2048R/A7A0233C 2012-02-25 [expired: 2016-02-25]
> uid                  Jeremy Boynes <jboy...@apache.org>
>
> 1. Binaries released and signed before February 2016 are OK.

Thanks, ultimately, that is what I wanted to know :-)

> 2. Jeremy needs to do something with his key before signing a next
> release (if there ever is one).
> As said elsewhere, it is possible to change expiration date of a key
> without a need to generate a new one,
>

Should I contact Jeremy? Is he reading this list? (Or is this of such low
concern that I should not bother?)
> http://unix.stackexchange.com/questions/177291/how-to-renew-an-expired-keypair-with-gpg
>
> http://superuser.com/questions/813421/can-you-extend-the-expiration-date-of-an-already-expired-gpg-key
>
> https://help.riseup.net/en/security/message-security/openpgp/best-practices#use-an-expiration-date-less-than-two-years
>
> Best regards,
> Konstantin Kolinko
>

--
Kind regards,
Martijn Bos
+31 6 39477001
(Public pgp-key : http://maboc.nl/pubkey.maboc.asc)
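Konstantin's rule above (a signature from a now-expired key is acceptable if it was made before the key expired) can be checked mechanically instead of being read off the human-readable output. The following Python checker is an added example, not code from this thread or from Apache; it parses the machine-readable lines that `gpg --status-fd 1 --verify SIG FILE` and `gpg --with-colons --list-keys KEYID` print. The sample lines are constructed to match the verification shown above, and the expiry instant is assumed to be 2016-02-25 00:00 UTC because the listing gives only the date.

```python
"""Accept a detached-signature verification only if it is cryptographically good
and, when the signing key has since expired, the signature predates the expiry."""

# Constructed status lines: what `gpg --status-fd 1 --verify <sig> <file>` would emit
# for the signature quoted in the thread (long key id = last 16 hex digits of the
# fingerprint; 1426003898 = Tue Mar 10 17:11:38 2015 CET as epoch seconds).
STATUS_LINES = """\
[GNUPG:] KEYEXPIRED 1456358400
[GNUPG:] EXPKEYSIG A54AD08EA7A0233C Jeremy Boynes <jboy...@apache.org>
[GNUPG:] VALIDSIG 8B46CA49EF4837B8C7F292DAA54AD08EA7A0233C 2015-03-10 1426003898 0 4 0 1 8 00 8B46CA49EF4837B8C7F292DAA54AD08EA7A0233C
""".splitlines()

# Constructed `gpg --with-colons --list-keys A7A0233C` record: field 2 = validity
# ('e' = expired), field 6 = creation, field 7 = expiry (assumed 2016-02-25 00:00 UTC).
COLON_LINES = """\
pub:e:2048:1:A54AD08EA7A0233C:1330128000:1456358400::-:::sc::::::23::0:
uid:e::::1330128000::UIDHASH::Jeremy Boynes <jboy...@apache.org>::::::::::0:
""".splitlines()


def parse_status(lines):
    """Extract verdict tag, long key id and signature creation time (epoch)."""
    info = {"verdict": None, "keyid": None, "sig_time": None}
    for line in lines:
        fields = line.split()
        if len(fields) < 3 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] in ("GOODSIG", "EXPKEYSIG", "BADSIG", "ERRSIG"):
            info["verdict"], info["keyid"] = fields[1], fields[2]
        elif fields[1] == "VALIDSIG":  # 3rd VALIDSIG field is the signature timestamp
            info["sig_time"] = int(fields[4])
    return info


def key_expiry(colon_lines, keyid):
    """Expiry (epoch seconds) of the primary key with this long id, or None."""
    for line in colon_lines:
        f = line.split(":")
        if f[0] == "pub" and f[4] == keyid and f[6]:
            return int(f[6])
    return None


def assess(status_lines, colon_lines):
    """Apply the rule from the thread: an expired key is fine if the signature is older."""
    s = parse_status(status_lines)
    if s["verdict"] == "GOODSIG":
        return "accept"
    if s["verdict"] != "EXPKEYSIG" or s["sig_time"] is None:
        return "reject-bad-or-missing-signature"
    expiry = key_expiry(colon_lines, s["keyid"])
    if expiry is None or s["sig_time"] >= expiry:
        return "reject-signed-after-expiry"
    return "accept-signed-before-expiry"
```

The signature timestamp is asserted by the signer, so this rule covers the honest case here (a key that simply ran out) but is no substitute for checking the fingerprint against a KEYS file obtained over a trusted channel.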