Arno,

On 8/26/22 08:50, Arno Hautala wrote:
I’m trying to verify the PGP signatures for the 9.0.65 release, but the public 
key is missing from the KEYS.txt file and it isn’t available on any keyservers 
that I’ve checked.

Can someone point me in the right direction or update the KEYS.txt?

Thanks for your help,
–Arno


$ sha512sum -c apache-tomcat-9.0.65.tar.gz.sha512.txt
apache-tomcat-9.0.65.tar.gz: OK
$ gpg --verify apache-tomcat-9.0.65.tar.gz{.asc.txt,}
gpg: Signature made Thu Jul 14 08:36:27 2022 EDT
gpg:                using RSA key 48F8E69F6390C9F25CFEDCD268248959359E722B
gpg: requesting key 68248959359E722B from hkp server pgp.mit.edu
gpg: Can't check signature: No public key

You aren't using the KEYS file in the above command. gpg works with keyrings, and you have to import then use it:

# Import
$ gpg --import --no-default-keyring --primary-keyring apache-9.0-keys < KEYS

# Verify against the custom key ring
$ gpg --keyring apache-9-keys --no-default-keyring --verify apache-tomcat-9.0.65.tar.gz.asc

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to