Roberto,

On 3/20/25 7:52 AM, Roberto Resoli wrote:
Il 19/03/25 20:48, Mark Thomas ha scritto:
On 19/03/2025 18:51, Mark Thomas wrote:

...


I did receive a request to verify my key from a key server (I forget which) a few weeks ago which I ignored since I hadn't recently uploaded any keys.

OK.

This is a *very* old key that I haven't used to sign releases in years.
DCFD 35E0 BF8C A734 4752  DE8B 6FB2 1E89 33C6 0243
My current key is:
A9C5 DF4D 22E9 9998 D987  5A51 10C0 1C5A 2F60 59E7

Hello Thomas,

I got the fingerprints in my original post from the KEYS file containing the signing keys for this download

https://dlcdn.apache.org/tomcat/tomcat-9/v9.0.102/bin/apache-tomcat-9.0.102.tar.gz

Signature: https://downloads.apache.org/tomcat/tomcat-9/v9.0.102/bin/apache-tomcat-9.0.102.tar.gz.asc

(released this month)

That is:

https://downloads.apache.org/tomcat/tomcat-9/KEYS

Both the above keys are listed in at least one KEYS file for Tomcat releases.

Your current key

A9C5 DF4D 22E9 9998 D987  5A51 10C0 1C5A 2F60 59E7

is listed in that file, after the old

DCFD 35E0 BF8C A734 4752  DE8B 6FB2 1E89 33C6 0243

The tarball is signed by Remy Maucherat <r...@apache.org> with key fingerprint

48F8E69F6390C9F25CFEDCD268248959359E722B

Present in the file.

---

I tried also to check for the keys mentioned in the KEYS file for tomcat10:

https://downloads.apache.org/tomcat/tomcat-10/KEYS

Your old key is no longer mentioned here.

The actual key fingerprint (associated with Christopher Schultz <ch...@christopherschultz.net>) for the signature of

https://dlcdn.apache.org/tomcat/tomcat-10/v10.1.39/bin/apache-tomcat-10.1.39.tar.gz

for instance, is 3262A061C42FC4C7BBB5C25C1CF0293FA53CA458

which is the fingerprint of a subkey of the principal

5C3C5F3E314C866292F359A8F3AD5C94A67F707E

The verification gives, *after* having imported the key:

$ LANG=en_US gpg --verify apache-tomcat-10.1.39.tar.{gz.asc,gz}
gpg: Signature made Tue Mar  4 20:03:35 2025 CET
gpg:                using RSA key 3262A061C42FC4C7BBB5C25C1CF0293FA53CA458
gpg: Good signature from "Christopher Schultz <ch...@christopherschultz.net>" [unknown]
gpg:                 aka "Christopher Schultz <cschu...@chadis.com>" [unknown]
gpg:                 aka "Christopher Schultz <schu...@apache.org>" [unknown]
gpg:                 aka "Christopher Schultz <christopher.schu...@alumni.rose-hulman.edu>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 5C3C 5F3E 314C 8662 92F3  59A8 F3AD 5C94 A67F 707E
     Subkey fingerprint: 3262 A061 C42F C4C7 BBB5  C25C 1CF0 293F A53C A458

So the signing fingerprint may not be the same as that of the principal key mentioned in the KEYS file.

Correct.

If the community would like me to do so, I can put the subkey into the KEYS file as well.

Both the above keys should be signed by multiple ASF committers.


The following keys are known to be fake/malicious and should NEVER be trusted:
B6DF 153D 456B 3072 959B 7E11 B6FB 7A02 2F60 59E7
B65C A985 6C76 39CD 9D17 7D0E 5385 81D4 33C6 0243

Any other keys associated with ma...@apache.org should be treated as suspicious.

OK, thanks for this information!

I'll let Rémy comment on his keys.

Generally, I'd recommend obtaining keys for ASF releases from the associated KEYS file for that release. We watch all commits carefully but any changes to the KEYS files get looked at very closely.

I view the key servers as less reliable as there have been fake keys in my name uploaded in the past and I am not convinced it is no longer possible.

Yes; I guess that the usual check of the signatures on the key by others (the web of trust) remains the main criterion.

+1

I and others attempt to participate in PGP keysigning exercises at any ASF events we attend. During those exercises, we confirm exact key fingerprints (to avoid signing fake or malicious keys uploaded by others), confirm identities (typically using a government-issued form of identity such as a passport), and sign each other's keys.

So while some people will sign a key based upon minimal authentication criteria (e.g. I downloaded the key from a key server and signed it because I recognized the person's email address), ASF committers will (almost?) never do that. I personally have never signed the key of someone I had not met in person as described above.

-chris


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
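Two practical points come out of the thread above: the fingerprint `gpg --verify` reports as "using RSA key ..." can be a subkey, so it has to be mapped back to the primary key before it is compared with the KEYS file, and the fake keys Mark lists share their last 32 bits (the short key ID) with his real keys, so a short-ID comparison cannot tell them apart. The script below is an added example, not code from the thread or from the Tomcat project, that does both checks offline. It parses a constructed KEYS-file excerpt and a constructed `gpg --status-fd 1` VALIDSIG line (the fingerprints are the ones quoted in the thread; the uid lines, dates and the remaining VALIDSIG fields are assumptions), compares the primary fingerprint against KEYS, and shows that short-ID matching would accept both known-fake keys while full-fingerprint matching rejects them.

```python
import re

# Constructed excerpt of a KEYS file in the layout `gpg --list-keys --fingerprint`
# produces (the layout ASF KEYS files use). The three fingerprints are the ones
# quoted in the thread; the uid lines and dates are placeholders (assumption).
KEYS_FILE = """\
pub   rsa4096 2012-01-01 [SC]
      5C3C 5F3E 314C 8662 92F3  59A8 F3AD 5C94 A67F 707E
uid           [ unknown] Key Holder A <key-holder-a@example.org>
sub   rsa4096 2012-01-01 [S]

pub   rsa4096 2015-01-01 [SC]
      A9C5 DF4D 22E9 9998 D987  5A51 10C0 1C5A 2F60 59E7
uid           [ unknown] Key Holder B <key-holder-b@example.org>

pub   rsa4096 2009-01-01 [SC]
      DCFD 35E0 BF8C A734 4752  DE8B 6FB2 1E89 33C6 0243
uid           [ unknown] Key Holder B (old key) <key-holder-b@example.org>
"""

# Constructed status lines of the kind
#   gpg --status-fd 1 --verify apache-tomcat-10.1.39.tar.gz.asc apache-tomcat-10.1.39.tar.gz
# emits for a good signature. Per gpg's DETAILS document the VALIDSIG fields are:
# signing-key fingerprint, date, timestamp, expiry, sig version, reserved,
# pubkey algo, hash algo, sig class and, last and optional, the PRIMARY key
# fingerprint. The subkey/primary pair is the one from the thread; the other
# field values are assumptions.
STATUS_OUTPUT = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1CF0293FA53CA458 Key Holder A <key-holder-a@example.org>
[GNUPG:] VALIDSIG 3262A061C42FC4C7BBB5C25C1CF0293FA53CA458 2025-03-04 1741115015 0 4 0 1 10 00 5C3C5F3E314C866292F359A8F3AD5C94A67F707E
"""

# Keys the thread reports as fake. Each shares its last 32 bits (its short
# key ID) with a real key listed in KEYS.
FAKE_KEYS = [
    "B6DF153D456B3072959B7E11B6FB7A022F6059E7",
    "B65CA9856C7639CD9D177D0E538581D433C60243",
]

# A fingerprint line: ten groups of four hex digits, optionally spaced, at end of line.
FPR_RE = re.compile(r"((?:[0-9A-Fa-f]{4}\s*){10})\s*$")


def normalize(fpr: str) -> str:
    """Strip grouping whitespace and upper-case a fingerprint."""
    return re.sub(r"\s+", "", fpr).upper()


def parse_keys_file(text: str) -> set:
    """Collect every 40-hex-digit fingerprint found in a KEYS file."""
    return {normalize(m.group(1)) for m in map(FPR_RE.search, text.splitlines()) if m}


def parse_validsig(status_output: str):
    """Return (signing_fpr, primary_fpr) from the VALIDSIG line, or None if gpg
    reported no valid signature (e.g. BADSIG, ERRSIG, NO_PUBKEY)."""
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) >= 11 and fields[0] == "[GNUPG:]" and fields[1] == "VALIDSIG":
            signing = fields[2].upper()
            # The primary fingerprint is the optional last field; when it is
            # absent the signature was made by the primary key itself.
            primary = fields[11].upper() if len(fields) >= 12 else signing
            return signing, primary
    return None


def short_key_id(fpr: str) -> str:
    """Last 32 bits of a fingerprint, the 'short key ID' gpg used to display."""
    return normalize(fpr)[-8:]


def check_release_signature(status_output: str, keys_text: str) -> dict:
    """Accept a release only if the PRIMARY key behind the signature is in KEYS.
    Comparing the subkey fingerprint to KEYS (the natural first attempt) fails
    for Tomcat 10, whose KEYS file lists only the primary fingerprint."""
    trusted = parse_keys_file(keys_text)
    sig = parse_validsig(status_output)
    if sig is None:
        return {"valid": False, "accepted": False}
    signing, primary = sig
    return {
        "valid": True,
        "signing_fpr": signing,
        "primary_fpr": primary,
        "signing_listed": signing in trusted,
        "primary_listed": primary in trusted,
        "accepted": primary in trusted,
    }


def listed_by_short_id(fpr: str, trusted: set) -> bool:
    """The unsafe check: match on the short key ID only."""
    return any(short_key_id(fpr) == short_key_id(t) for t in trusted)


def listed_by_fingerprint(fpr: str, trusted: set) -> bool:
    """The safe check: match on the full 160-bit fingerprint."""
    return normalize(fpr) in trusted


if __name__ == "__main__":
    print(check_release_signature(STATUS_OUTPUT, KEYS_FILE))
    trusted = parse_keys_file(KEYS_FILE)
    for fake in FAKE_KEYS:
        print(fake, "short-id match:", listed_by_short_id(fake, trusted),
              "fingerprint match:", listed_by_fingerprint(fake, trusted))
```

To feed it real data, import the KEYS file into a throwaway keyring (`gpg --no-default-keyring --keyring ./tomcat-keys.gpg --import KEYS`), run `gpg --no-default-keyring --keyring ./tomcat-keys.gpg --status-fd 1 --verify <tarball>.asc <tarball>` and pass its stdout to `check_release_signature`. Using a dedicated keyring rather than your default one means a key pulled from a keyserver cannot accidentally satisfy the check.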