httpd-docs mailing list archives

From "Russ Austin" <austin.r...@gmail.com>
Subject Fwd: Bad key from your id on Apache Windows Binary
Date Mon, 05 Mar 2007 01:37:57 GMT

Hello all,

Just ran into a small problem and struggled to find the solution.  I
even got Bill Rowe, Jr. involved, and on his suggestion I am emailing
you all to explain it.

I recently had a need to get a web server running on my personal
PC for testing.  As I started to use Apache somewhere around 1995
and have served countless pages with it over the years, I naturally
went to the site to grab a copy.  I got the latest version of the
Windows XP (don't boo me, but I haven't run Linux in a few years
at home - sorry) binary.  I also grabbed the ASCII signature and
the PGP key file from the main distribution site, as instructed.  As
I also haven't used PGP in years, I went out first and grabbed a copy
of GnuPG and installed it.  Now the Apache Download page states
"The PGP signatures can be verified using PGP or GPG. First download
 the KEYS <http://www.apache.org/dist/httpd/KEYS> as well as the
 asc signature file for the relevant distribution.
 Make sure you get these files from the main distribution
 directory <http://www.apache.org/dist/httpd/>, rather
 than from a mirror. Then verify the signatures using
% gpg --import KEYS
% gpg --verify apache_1.3.24.tar.gz.asc

   - httpd-2.2.4.tar.gz is signed by William Rowe 10FDE075
   - httpd-2.0.59.tar.gz is signed by William Rowe 10FDE075
   - httpd-1.3.37.tar.gz is signed by William Rowe 10FDE075"

I followed the directions (except I was running the Windows version
of GnuPG so followed in the GUI way).  But every time I tried to
verify the signature I would be told, literally, that the signature was "bad"
though it showed the correct Key ID and User (William Rowe).

So, I wrote to Bill and asked him, very politely, if he had seen anything
like this.  He wrote back and said he didn't know GnuPG and had used
PGP and perhaps the problem was there.  So, I went out and got a
copy of PGP Desktop from their site and redid the signature verification
process.  This time, it declared the apache_2.2.4-win32-x86-no_ssl.msi.asc
verification file had an "invalid key".  I was lost, so I sent Bill a couple
of screen shots and let him know again what I was seeing (he is so kind
to help a guy out so readily).

Well, while I was waiting to see if Bill had any suggestions, I poked around
with things.  I upped his trust level, but that didn't clear the problem
(and isn't recommended without meeting and getting to know a person).  Then,
just for kicks, I signed my signature on his key in my key file.  Surprise!
That cleared the problem.  Not intuitive to me, but understandable in
hindsight.  Well, I wrote another quick note to Bill and he replied with the
following:

"I notice it says bad key, not bad signature.  Interesting.

It's a web of trust, now that you trust me, you trust those whose keys
I've signed.  Since you trusted nobody, you had no trust link to me.

The instructions probably deserve another look, perhaps ping the list
docs@httpd.apache.org to explain your story and ask for some clarification
be added to those instructions :)

Bill"

Which is why I am writing.  Hope it helps.

Russ Austin
austin.russ@gmail.com

-- 
"The fruits of the Holy Spirit are Love, Joy, Peace, Patience, Kindness,
Goodness, Faithfulness, Gentleness and Self-Control.  Against these there is
no law."  The Holy Spirit
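
Added example (not part of the message above or of the Apache instructions): Bill's reply separates a bad signature from a key that has no trust path, and GnuPG's --status-fd output reports those two things on separate lines, which the script below classifies. The fingerprint and status lines are constructed samples, and the function names are hypothetical.

```shell
#!/bin/sh
# Separate "is the signature cryptographically good?" from
# "do I have a trust path to the signing key?" using gpg status lines.

# Constructed placeholder fingerprint, NOT a real Apache release key.
SAMPLE_FPR=0123456789ABCDEF0123456789ABCDEF01234567

# Constructed status output: good signature, key nobody has certified.
sample_status_untrusted() {
    printf '%s\n' \
        "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.org>" \
        "[GNUPG:] VALIDSIG $SAMPLE_FPR 2007-01-09 1168300800 0 4 0 17 2 00 $SAMPLE_FPR" \
        "[GNUPG:] TRUST_UNDEFINED"
}

# classify_gpg_status EXPECTED_FPR   (status lines on stdin)
# Prints one verdict word. EXPECTED_FPR is the full fingerprint you
# obtained out of band; spaces and lower case are tolerated.
classify_gpg_status() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    sig=none; fpr=; trust=none
    while read -r tag keyword arg1 rest; do
        if [ "$tag" != "[GNUPG:]" ]; then continue; fi
        case $keyword in
            GOODSIG)  [ "$sig" = bad ] || sig=good ;;  # a BADSIG stays bad
            BADSIG)   sig=bad ;;
            VALIDSIG) fpr=$arg1 ;;   # first field: fingerprint of signing key
            TRUST_MARGINAL|TRUST_FULLY|TRUST_ULTIMATE) trust=ok ;;
        esac
    done
    if [ "$sig" = bad ]; then echo BAD_SIGNATURE            # data or .asc altered
    elif [ "$sig" != good ] || [ -z "$fpr" ]; then echo NOT_VERIFIED
    elif [ "$fpr" != "$expected" ]; then echo GOOD_SIGNATURE_UNEXPECTED_KEY
    elif [ "$trust" = ok ]; then echo GOOD_SIGNATURE_TRUSTED_KEY
    else echo GOOD_SIGNATURE_KEY_NOT_CERTIFIED  # valid math, no trust path
    fi
}

# verify_release FILE SIGFILE EXPECTED_FPR: the same check against real gpg.
verify_release() {
    gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null | classify_gpg_status "$3"
}

# Demo on the constructed sample: prints GOOD_SIGNATURE_KEY_NOT_CERTIFIED
sample_status_untrusted | classify_gpg_status "$SAMPLE_FPR"
```

GOOD_SIGNATURE_KEY_NOT_CERTIFIED means the file matches the signature and the key matches the fingerprint you supplied; only the web-of-trust link is missing.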
