Petr,

Please don't email committers directly. I'm replying to the Tomcat users' mailing list with my response, as it's useful information for everyone.

On 8/11/22 09:23, Petr Sumbera wrote:
> I have a problem where to get correct key for previous version.
>
> Can you please advise where to get correct key for validation?
>
> Source
> https://archive.apache.org/dist/tomcat/tomcat-8/v8.5.81/src/apache-tomcat-8.5.81-src.tar.gz...
>      downloading...
>      validating signature... failed
> gpg: Warning: using insecure memory!
> gpg: Signature made Wed Jun  8 23:39:12 2022 CEST
> gpg: using RSA key 3262A061C42FC4C7BBB5C25C1CF0293FA53CA458
>
> gpg: requesting key 1CF0293FA53CA458 from hkp server keys.gnupg.net
> gpg: Can't check signature: No public key

You have a couple of options.

The first option would be to simply download the key from a public key server. Something like this:

$ gpg --receive-keys 3262A061C42FC4C7BBB5C25C1CF0293FA53CA458

The second option is to fetch the KEYS file from any of the following places:

1. https://downloads.apache.org/tomcat/tomcat-8/KEYS
2. (During Voting) https://dist.apache.org/repos/dist/dev/tomcat/tomcat-8/v8.5.81/KEYS
   (After Release) https://dist.apache.org/repos/dist/release/tomcat/tomcat-8/v8.5.81/KEYS
3. https://github.com/apache/tomcat/tree/8.5.81/KEYS
4. apache-tomcat-8.5.81-src.tar.gz/KEYS
5. apache-tomcat-8.5.81-src.zip/KEYS

(Really, you shouldn't trust any KEYS file you get in a distribution because the distribution could have modified the KEYS file to include its own key ... and then changed all the signatures.)

If you visit the Tomcat downloads page[1] and read the "Release Integrity" section, you'll see a link to the KEYS file there. Note that KEYS files should always be downloaded directly from Apache, and not from anywhere else (okay, GitHub is probably fine).

Hope that helps,
-chris

[1] https://tomcat.apache.org/download-80.cgi
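Added example, not part of the original message or of the Tomcat project's tooling: a sketch of the second option that imports a KEYS file fetched from downloads.apache.org into a throwaway keyring and accepts the signature only if gpg reports it as valid for the fingerprint shown in the quoted output. The function names and the sample status lines are constructed for illustration; a signature made by some other key that was added to a modified KEYS file is rejected.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not from the thread).
# Fingerprint taken from the "using RSA key" line in the quoted gpg output.
EXPECTED_FPR=3262A061C42FC4C7BBB5C25C1CF0293FA53CA458

# Constructed samples of gpg --status-fd output (timestamps are made up).
SAMPLE_GOOD="[GNUPG:] VALIDSIG $EXPECTED_FPR 2022-06-08 1654724352 0 4 0 1 10 00 $EXPECTED_FPR"
# A cryptographically valid signature, but made by a different (placeholder) key.
SAMPLE_OTHER_KEY='[GNUPG:] VALIDSIG 0000000000000000000000000000000000000001 2022-06-08 1654724352 0 4 0 1 10 00 0000000000000000000000000000000000000001'

# Read gpg status lines on stdin. Succeed only if a VALIDSIG line names the
# pinned fingerprint as the signing key (field 3) or as the primary key
# (last field, present when a subkey made the signature).
status_matches_fpr() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

# verify_release KEYS_FILE SIG_FILE ARTIFACT
# KEYS_FILE should be the copy downloaded from downloads.apache.org, never the
# one shipped inside the archive being checked.
verify_release() {
    home=$(mktemp -d) || return 2
    chmod 700 "$home"
    # Isolated keyring: only keys from KEYS_FILE can validate the signature.
    if ! gpg --homedir "$home" --batch --quiet --import "$1"; then
        rm -rf "$home"
        return 2
    fi
    gpg --homedir "$home" --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null |
        status_matches_fpr "$EXPECTED_FPR"
    rc=$?
    rm -rf "$home"
    return "$rc"
}

# Usage, after downloading KEYS, the .asc file and the archive:
#   verify_release KEYS apache-tomcat-8.5.81-src.tar.gz.asc \
#       apache-tomcat-8.5.81-src.tar.gz && echo "signature OK"
```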
