On 19/03/2025 18:51, Mark Thomas wrote:
> On 19/03/2025 14:52, Roberto Resoli wrote:
>> Hello,
>> I am trying to verify GPG signatures of recent Tomcat downloads, but I
>> noted that both
>> Mark E D Thomas <ma...@apache.org>
>> DCFD35E0BF8CA7344752DE8B6FB21E8933C60243
>> Remy Maucherat <r...@apache.org>
>> 48F8E69F6390C9F25CFEDCD268248959359E722B
>> are no longer available on the https://keys.openpgp.org server I use.
>> Is anyone aware of the reason?
>> Both keys are still present on https://keyserver.ubuntu.com
> Rob,
> Let me take a look. As far as I am aware, those keys should never be
> removed once uploaded.
> I did receive a request to verify my key from a key server (I forget
> which) a few weeks ago which I ignored since I hadn't recently uploaded
> any keys.
OK.
This is a *very* old key that I haven't used to sign releases in years.
DCFD 35E0 BF8C A734 4752 DE8B 6FB2 1E89 33C6 0243
My current key is:
A9C5 DF4D 22E9 9998 D987 5A51 10C0 1C5A 2F60 59E7
Both the above keys are listed in at least one KEYS file for Tomcat
releases.
Both the above keys should be signed by multiple ASF committers.
The following keys are known to be fake/malicious and should NEVER be
trusted:
B6DF 153D 456B 3072 959B 7E11 B6FB 7A02 2F60 59E7
B65C A985 6C76 39CD 9D17 7D0E 5385 81D4 33C6 0243
Any other keys associated with ma...@apache.org should be treated as
suspicious.
I'll let Rémy comment on his keys.
Generally, I'd recommend obtaining keys for ASF releases from the
associated KEYS file for that release. We watch all commits carefully
but any changes to the KEYS files get looked at very closely.
I view the key servers as less reliable as there have been fake keys in
my name uploaded in the past and I am not convinced it is no longer
possible.
Mark
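Here is an added example, not from the thread or from the Tomcat project, of the approach Mark recommends: it imports the release's KEYS file into a throwaway keyring, verifies the .asc signature, and accepts the result only if the signer's full primary-key fingerprint is on a pinned list. The allow-list and fake-key list hold the fingerprints quoted above; the file names in the usage note are assumed.

```python
import subprocess
import tempfile

# Fingerprints quoted in the thread, spaces removed. For a real check, read
# the trusted set from the KEYS file that ships with the specific release.
TRUSTED = {
    "A9C5DF4D22E99998D9875A5110C01C5A2F6059E7",  # Mark Thomas, current key
    "DCFD35E0BF8CA7344752DE8B6FB21E8933C60243",  # Mark Thomas, old key
}
KNOWN_FAKE = {
    "B6DF153D456B3072959B7E11B6FB7A022F6059E7",
    "B65CA9856C7639CD9D177D0E538581D433C60243",
}

def short_key_id(fpr):
    """Last 8 hex digits: the 32-bit key ID many tools display by default."""
    return fpr[-8:]

def signer_primary_fingerprint(status_output):
    """Signer's primary-key fingerprint from gpg --status-fd output, or None.
    VALIDSIG fields: fpr date ts expiry ver reserved pk-algo hash-algo
    sig-class [primary-fpr]; the primary fingerprint is used when present."""
    for line in status_output.splitlines():
        parts = line.split()
        if len(parts) >= 11 and parts[:2] == ["[GNUPG:]", "VALIDSIG"]:
            return (parts[11] if len(parts) >= 12 else parts[2]).upper()
    return None  # no VALIDSIG line: the signature did not verify

def classify(fpr):
    """Decide on the full fingerprint, never the short key ID: each fake key
    above ends in the same 8 hex digits as a genuine key."""
    if fpr is None:
        return "no valid signature"
    if fpr in KNOWN_FAKE:
        return "known fake key"
    if fpr in TRUSTED:
        return "trusted"
    return "unknown key"

def verify_release(keys_file, artifact, signature):
    """Import KEYS into a throwaway keyring, then verify artifact vs. .asc."""
    with tempfile.TemporaryDirectory() as home:
        base = ["gpg", "--batch", "--homedir", home]
        subprocess.run(base + ["--import", keys_file], check=True,
                       capture_output=True)
        res = subprocess.run(base + ["--status-fd", "1", "--verify",
                                     signature, artifact],
                             capture_output=True, text=True)
        return classify(signer_primary_fingerprint(res.stdout))
```

With the KEYS file and the download in the current directory, `verify_release("KEYS", "apache-tomcat-X.Y.Z.tar.gz", "apache-tomcat-X.Y.Z.tar.gz.asc")` returns one of the four verdict strings (file names assumed).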