How in the heck is it possible to verify the signature of a distribution for Apache Tomcat or Ant? I've been using GnuPG and it doesn't seem to do the trick, despite warnings all over the Apache site to verify files first.

Using Windows... if that helps.

STEPS:
1) download the binary version (.exe / .zip), the .asc file and the KEYS file
2) gpg --import KEYS
3) gpg --verify *.asc file
4) the best I can get is a message stating
"This key is not certified with a trusted signature!
There is no indication that the signature belongs to the owner." ...and a primary key fingerprint.

I assume that is NOT a valid verification.

+2  A: 

No, it is valid. It just means you haven't marked the key as trusted. It is difficult (but not impossible) to do so safely.

Basically, you need to meet the signer themselves and personally verify the fingerprint or (possibly recursively) trust someone else's verification of such.

Matthew Flaschen
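As an added illustration of the answer above (example code, not from the original thread or from the Apache projects), the script below reads gpg's machine-readable status lines so that the "key is not certified" case is reported as a good signature whose key still has to be confirmed against a fingerprint obtained out of band. It assumes GnuPG is installed and the KEYS file has been imported; the fingerprint and status lines in the sample are constructed values.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes: gpg --import KEYS was run.
# "This key is not certified with a trusted signature!" means the signature is
# GOOD but gpg cannot vouch for who owns the key. With --status-fd the two facts
# are separate lines: GOODSIG/VALIDSIG (file matches) and TRUST_UNDEFINED (owner
# unknown). Rather than marking the key trusted, compare the reported fingerprint
# with one obtained from somewhere other than the download mirror.

# classify_status EXPECTED_FINGERPRINT  < gpg status lines
# Prints: valid-trusted | valid-unverified | bad
classify_status() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    good=0; bad=0; sub_fpr=""; pri_fpr=""
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] GOODSIG "*) good=1 ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NODATA "*) bad=1 ;;
            "[GNUPG:] VALIDSIG "*)
                # field 3: fingerprint of the signing (sub)key;
                # last field (gpg 2.x): fingerprint of its primary key
                sub_fpr=$(printf '%s\n' "$line" | awk '{print $3}')
                pri_fpr=$(printf '%s\n' "$line" | awk '{print $NF}') ;;
        esac
    done
    if [ "$bad" -eq 1 ] || [ "$good" -ne 1 ]; then echo bad
    elif [ "$sub_fpr" = "$expected" ] || [ "$pri_fpr" = "$expected" ]; then echo valid-trusted
    else echo valid-unverified
    fi
}

# verify_dist FILE EXPECTED_FINGERPRINT : checks FILE against FILE.asc
verify_dist() {
    gpg --batch --status-fd 1 --verify "$1.asc" "$1" | classify_status "$2"
}

# Constructed sample of gpg status output for the situation in the question
# (good signature, key not certified); the fingerprint is a made-up value.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2009-01-01 1230768000 0 4 0 1 2 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp'
SAMPLE_FPR='0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567'

# Example run on the constructed sample; for a real download use:
#   verify_dist apache-tomcat-X.Y.Z.zip "<fingerprint from KEYS over HTTPS>"
printf '%s\n' "$SAMPLE_STATUS" | classify_status "$SAMPLE_FPR"
```

Only `valid-trusted` means both that the archive matches the signature and that the signing key is the one you expected; `valid-unverified` is exactly the warning quoted in the question.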