Forgive me if this might be a bit off-topic. But I haven't found a lot
of resources on the subject (and that includes a search of List archives).
For years now, I've been ignoring the note on the Tomcat download pages
to verify the downloads, preferably by their PGP signatures, before
putting them into service.
This time, though, I decided to follow the instructions. I installed
GPG, imported the KEYS file, and checked the signatures.
But everything I've read about GPG, and PGP signature checking, says
it's meaningless unless the keys are verified as genuine.
Is there a procedure for doing this? A few days ago, I privately emailed
a well-known Tomcat developer, one who has helped me with technical
matters in the past, asking for a fingerprint verification. I've heard
nothing back (then again, he hasn't been heard from on-List in a few
days, so he may be away).
--
James H. H. Lampert