how in the heck is it possible to verify the signature of a distribution for apache Tomcat or ant? i've been using GnuPG and it doesn't seem to do the trick, despite warnings all over the apache site to verify files first.
using windows...if that helps.
STEPS:
1) download binary version .exe / .zip / .asc / KEYS file
2) gpg --import KEYS
3) gpg --verify *.asc file
4) the best i can get is a msg. stating
"This key is not certified with a trusted signature!
There is no indication that the signature belongs to the owner." ...and a primary key fingerprint.
I assume that is NOT a valid verification.