Bill,

On 1/20/12 3:39 PM, Bill Rutledge wrote:
> For apache-tomcat-7.0.23-windows-i64.zip, I used Kleopatra to
> import the KEYS

Do you mean this file?

http://www.apache.org/dist/tomcat/tomcat-7/KEYS

> and check the validity of the signatures in 
> apache-tomcat-7.0.23-windows-i64.zip.asc and got the following.
> Does this look like I’ve made some mistake in this process?

WFM:

$ gpg --verify apache-tomcat-7.0.23-windows-i64.zip.asc apache-tomcat-7.0.23-windows-i64.zip
gpg: Signature made Sun Nov 20 15:36:27 2011 EST using RSA key ID 2F6059E7
gpg: Good signature from "Mark E D Thomas <ma...@apache.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: A9C5 DF4D 22E9 9998 D987  5A51 10C0 1C5A 2F60 59E7

So, if you trust the key with the above fingerprint, you should be fine.

Don't forget that you'll need to sign Mark's key if you want to
actually trust it. Then the warning you see above will go away.

(I don't trust Mark's key, yet, because he hasn't actually
participated in a key signing event that I've attended. No offense, Mark.)

-chris
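Added example, not part of the original message: the reply's point is that "Good signature" only matters if the signing key is the one you expect, so this sketch pins the primary key fingerprint from the gpg output above by reading gpg's machine-readable `--status-fd` lines. The function names and the sample status lines are constructed for illustration; `verify_release` assumes gpg is installed and the KEYS file has been imported.

```shell
#!/bin/sh
# Added example: accept a detached signature only if gpg reports VALIDSIG for
# the pinned primary key. The fingerprint is the one printed in the message above.
EXPECTED_FPR="A9C5DF4D22E99998D9875A5110C01C5A2F6059E7"

# Constructed sample of `gpg --status-fd 1 --verify` output (not captured from a real run).
SAMPLE_STATUS='[GNUPG:] GOODSIG 10C01C5A2F6059E7 Mark E D Thomas <ma...@apache.org>
[GNUPG:] VALIDSIG A9C5DF4D22E99998D9875A5110C01C5A2F6059E7 2011-11-20 1321821387 0 4 0 1 2 00 A9C5DF4D22E99998D9875A5110C01C5A2F6059E7
[GNUPG:] TRUST_UNDEFINED'

# Reads status lines on stdin. Succeeds only if a VALIDSIG line names the
# fingerprint given as $1 and no bad, expired or revoked status is present.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" {
            # Field 12 is the primary key fingerprint; field 3 is the
            # fingerprint of the key (possibly a subkey) that made the signature.
            fpr = (NF >= 12) ? $12 : $3
            if (toupper(fpr) == toupper(want)) ok = 1; else bad = 1
        }
        END { exit !(ok && !bad) }
    '
}

# usage: verify_release FILE.asc FILE
# The pipeline's exit status is that of check_status, so a gpg failure that
# produces no VALIDSIG line is rejected as well.
verify_release() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        check_status "$EXPECTED_FPR"
}
```

TRUST_UNDEFINED corresponds to the "not certified with a trusted signature" warning; the check deliberately ignores it and relies on the pinned fingerprint instead, which should be obtained over a channel you trust.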
