Roberto,
On 3/20/25 7:52 AM, Roberto Resoli wrote:
Il 19/03/25 20:48, Mark Thomas ha scritto:
On 19/03/2025 18:51, Mark Thomas wrote:
...
I did receive a request to verify my key from a key server (I forget
which) a few weeks ago which I ignored since I hadn't recently
uploaded any keys.
OK.
This is a *very* old key that I haven't used to sign releases in years.
DCFD 35E0 BF8C A734 4752 DE8B 6FB2 1E89 33C6 0243
My current key is:
A9C5 DF4D 22E9 9998 D987 5A51 10C0 1C5A 2F60 59E7
Hello Thomas,
I got the fingerprints in my original post from the KEYS file containing
the signing keys for this download
https://dlcdn.apache.org/tomcat/tomcat-9/v9.0.102/bin/apache-tomcat-9.0.102.tar.gz
Signature: https://downloads.apache.org/tomcat/tomcat-9/v9.0.102/bin/apache-tomcat-9.0.102.tar.gz.asc
(released this month)
That is:
https://downloads.apache.org/tomcat/tomcat-9/KEYS
Both the above keys are listed in at least one KEYS file for Tomcat
releases.
Your current key
A9C5 DF4D 22E9 9998 D987 5A51 10C0 1C5A 2F60 59E7
is listed in that file, after the old
DCFD 35E0 BF8C A734 4752 DE8B 6FB2 1E89 33C6 0243
The tarball is signed by Remy Maucherat <r...@apache.org> with key
fingerprint
48F8E69F6390C9F25CFEDCD268248959359E722B
Present in the file.
---
I tried also to check for the keys mentioned in the KEYS file for tomcat10:
https://downloads.apache.org/tomcat/tomcat-10/KEYS
Your old key here is no longer mentioned.
The actual key fingerprint (associated with Christopher Schultz
<ch...@christopherschultz.net>) for the signature of
https://dlcdn.apache.org/tomcat/tomcat-10/v10.1.39/bin/apache-tomcat-10.1.39.tar.gz
for instance, is 3262A061C42FC4C7BBB5C25C1CF0293FA53CA458
which is the fingerprint of a subkey of the principal
5C3C5F3E314C866292F359A8F3AD5C94A67F707E
The verification gets, *after* having imported the key:
$ LANG=en_US gpg --verify apache-tomcat-10.1.39.tar.{gz.asc,gz}
gpg: Signature made Tue Mar 4 20:03:35 2025 CET
gpg: using RSA key 3262A061C42FC4C7BBB5C25C1CF0293FA53CA458
gpg: Good signature from "Christopher Schultz <ch...@christopherschultz.net>" [unknown]
gpg: aka "Christopher Schultz <cschu...@chadis.com>" [unknown]
gpg: aka "Christopher Schultz <schu...@apache.org>" [unknown]
gpg: aka "Christopher Schultz <christopher.schu...@alumni.rose-hulman.edu>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 5C3C 5F3E 314C 8662 92F3 59A8 F3AD 5C94 A67F 707E
Subkey fingerprint: 3262 A061 C42F C4C7 BBB5 C25C 1CF0 293F A53C A458
So the signing fingerprint may not be the same as that of the principal
key as mentioned in the KEYS file.
Correct.
If the community would like me to do so, I can put the subkey into the
KEYS file as well.
Both the above keys should be signed by multiple ASF committers.
The following keys are known to be fake/malicious and should NEVER be
trusted:
B6DF 153D 456B 3072 959B 7E11 B6FB 7A02 2F60 59E7
B65C A985 6C76 39CD 9D17 7D0E 5385 81D4 33C6 0243
Any other keys associated with ma...@apache.org should be treated as
suspicious.
Ok, thanks for this information!
I'll let Rémy comment on his keys.
Generally, I'd recommend obtaining keys for ASF releases from the
associated KEYS file for that release. We watch all commits carefully
but any changes to the KEYS files get looked at very closely.
I view the key servers as less reliable as there have been fake keys
in my name uploaded in the past and I am not convinced it is no longer
possible.
Yes; I guess that the usual check of the signatures of the key by others
(the web of trust) remains the main criterion.
+1
I and others attempt to participate in PGP keysigning exercises at any
ASF events we attend. During those exercises, we confirm exact key
signatures (to avoid signing fake or malicious keys uploaded by others),
confirm identities (typically using a government-issued form of identity
such as a passport), and sign each other's keys.
So while some people will sign a key based upon minimal authentication
criteria (e.g. I downloaded the key from a key server and signed it
because I recognized the person's email address), ASF committers will
(almost?) never do that. I personally have never signed the key of
someone I had not met in person as described above.
-chris
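A scripted form of the check Roberto walked through above, added here as an example and not code from the thread or the Tomcat project: parse the VALIDSIG line of `gpg --status-fd 1 --verify` (it carries both the signing subkey fingerprint and the primary key fingerprint, which is what the KEYS file lists), accept only when the primary is in KEYS, refuse the fingerprints Mark listed as fake, and show why the 32-bit short key ID is not a safe comparison. The KEYS excerpt and status lines are constructed sample input, and the KEYS parser assumes the `Key fingerprint =` or bare four-hex-group layout that `gpg --fingerprint` prints.

```python
import re

# Constructed sample input, not a real KEYS file: entries in the layout
# produced by "gpg --fingerprint", which Apache KEYS files embed.
KEYS_EXCERPT = """\
pub   rsa4096 2019-01-01 [SC]
      Key fingerprint = 5C3C 5F3E 314C 8662 92F3 59A8 F3AD 5C94 A67F 707E
uid           Christopher Schultz <schu...@apache.org>
pub   rsa4096 2015-01-01 [SC]
      A9C5 DF4D 22E9 9998 D987 5A51 10C0 1C5A 2F60 59E7
uid           Mark Thomas <ma...@apache.org>
"""

# Fingerprints the thread lists as fake/malicious; never trust them.
KNOWN_FAKE = {
    "B6DF153D456B3072959B7E11B6FB7A022F6059E7",
    "B65CA9856C7639CD9D177D0E538581D433C60243",
}

# Constructed "gpg --status-fd 1 --verify" output. In VALIDSIG the first
# field is the signing (sub)key fingerprint, the last is the primary key's.
STATUS_GOOD = """\
[GNUPG:] GOODSIG 1CF0293FA53CA458 Christopher Schultz <schu...@apache.org>
[GNUPG:] VALIDSIG 3262A061C42FC4C7BBB5C25C1CF0293FA53CA458 2025-03-04 1741114615 0 4 0 1 10 00 5C3C5F3E314C866292F359A8F3AD5C94A67F707E
"""

FPR_RE = re.compile(r"(?:[0-9A-Fa-f]{4} ){9}[0-9A-Fa-f]{4}")

def norm(fpr):
    """Canonical form: uppercase hex without the display grouping."""
    return re.sub(r"\s+", "", fpr).upper()

def keys_file_fingerprints(text):
    return {norm(m) for m in FPR_RE.findall(text)}

def parse_validsig(status):
    """Return (signing_fpr, primary_fpr) from VALIDSIG, or None if absent."""
    for line in status.splitlines():
        parts = line.split()
        # 10 data fields follow "[GNUPG:] VALIDSIG"; the 10th is the primary.
        if len(parts) >= 12 and parts[:2] == ["[GNUPG:]", "VALIDSIG"]:
            return parts[2], parts[-1]
    return None

def verdict(status, keys_text, blocklist=KNOWN_FAKE):
    sig = parse_validsig(status)
    if sig is None:
        return "no valid signature"
    signing, primary = sig
    if signing in blocklist or primary in blocklist:
        return "blocked"
    # KEYS may list only the primary key even when a subkey signed.
    return "ok" if primary in keys_file_fingerprints(keys_text) else "not in KEYS"

def short_id_collisions(fpr, candidates):
    """Keys sharing the last 8 hex digits: why full fingerprints must be compared."""
    return sorted(c for c in candidates if c[-8:] == norm(fpr)[-8:])
```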
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org