Return-Path: Delivered-To: apmail-httpd-docs-archive@www.apache.org Received: (qmail 1540 invoked from network); 5 Mar 2007 01:48:16 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2) by minotaur.apache.org with SMTP; 5 Mar 2007 01:48:16 -0000 Received: (qmail 61923 invoked by uid 500); 5 Mar 2007 01:48:25 -0000 Delivered-To: apmail-httpd-docs-archive@httpd.apache.org Received: (qmail 61624 invoked by uid 500); 5 Mar 2007 01:48:23 -0000 Mailing-List: contact docs-help@httpd.apache.org; run by ezmlm Precedence: bulk list-help: list-unsubscribe: List-Post: Reply-To: docs@httpd.apache.org List-Id: Delivered-To: mailing list docs@httpd.apache.org Delivered-To: moderator for docs@httpd.apache.org Received: (qmail 56067 invoked by uid 99); 5 Mar 2007 01:38:30 -0000 X-ASF-Spam-Status: No, hits=2.0 required=10.0 tests=HTML_MESSAGE,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (herse.apache.org: domain of austin.russ@gmail.com designates 66.249.92.170 as permitted sender) DKIM-Signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:references; b=k0UxR7Avy2QRAxYgzrJvdyye5/2u4pdnluyl6hSbgrJt7lJqzKO3c/8bvg2CLDG9tlD/hsmGgEsMdqwNZwQepKtYz9FKPAuKThwt5CKGaleZRdPtDQ+YyxL235Tz9hm4taWtUgvj3HNiQsJ7TBuVRw2OAvfdRkOjiGTf5CZVoVg= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:references; b=pjPvq4N3Cc68vcNJBVAHeRDW7C8E2Q/Nn/NqYmnBHwoZfY0mmtchxOWVJeadgg0BselHyixH5RLFTSTcEARuO3j6+kVy46CysyzH4JAWyoR6gN83b6vKTd+kdE6kCmNoPDpQtWM077P1QQ4g929nU4WmoKOxdBYgiP5pgRXLu2E= Message-ID: Date: Sun, 4 Mar 2007 20:37:57 -0500 From: "Russ Austin" To: docs@httpd.apache.org Subject: Fwd: Bad key from your id on Apache Windows Binary In-Reply-To: <45E2103B.5000106@rowe-clan.net> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_Part_114333_4973972.1173058677713" References: <45E0F3E3.8010004@rowe-clan.net> <45E2103B.5000106@rowe-clan.net> X-Virus-Checked: Checked by ClamAV on apache.org ------=_Part_114333_4973972.1173058677713 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline Hello all, Just ran into a small problem and struggled to find the solution. I even got Bill Rowe, Jr. involved, and on his suggestion I am emailing you all to explain it. I recently had a need to get a web server running on my personal pc for testing. As I started to use Apache somewhere around 1995 and have served countless pages with it over the years, I naturally went to the site to grab a copy. I got the latest version of the Windows XP (don't boo me, but I haven't run Linux in a few years at home - sorry) binary. I also grabbed the ascii signature and the pgp key file from the main distribution site, as instructed. As I also haven't used pgp in years, I went out first and grabbed a copy of GnuPG and installed it. Now the Apache Download page states "The PGP signatures can be verified using PGP or GPG. First download the KEYS as well as the ascsignature file for the relevant distribution. Make sure you get these files from the main distribution directory, rather than from a mirror. Then verify the signatures using % gpg --import KEYS % gpg --verify apache_1.3.24.tar.gz.asc - httpd-2.2.4.tar.gz is signed by William Rowe 10FDE075 - httpd-2.0.59.tar.gz is signed by William Rowe 10FDE075 - httpd-1.3.37.tar.gz is signed by William Rowe 10FDE075" I followed the directions (except I was running the Windows version of GnuGP so followed in the gui way). But, everytime I tried to verify the signature I would be told, literally that the signature was "bad" though it showed the correct Key ID and User (William Rowe). So, I wrote to Bill and asked him, very politely, if he had seen anything like this. He wrote back and said he didn't know GnuPG and had used PGP and perhaps the problem was there. So, I went out and got a copy of PGP Desktop from their sight and redid the signature verification process. This time, I it declared the apache_2.2.4-win32-x86-no_ssl.msi.asc verification file had an "invalid key". I was lost, so I sent Bill a couple of screen shots and let him know again what I was seeing (he is so kind to help a guy out so readily). Well, while I was waiting to see if Bill had any suggestions, I poked around with things. I upped his trust level, but that didn't clear the problem (and isn't recommended without meeting and getting to know a person). Then, just for kicks, I signed my signature on his key in my key file. Surprise! That cleared the problem. Not intuitive to me, but understandable in hind sight. Well, I wrote another quick note to Bill and he replied with the following: "I notice it says bad key, not bad signature. Interesting. It's a web of trust, now that you trust me, you trust those who's keys I've signed. Since you trusted nobody, you had no trust link to me. The instructions probably deserve another look, perhaps ping the list docs@httpd.apache.org to explain your story and ask for some clarification be added to those instructions :) Bill" Which is why I am writing. Hope it helps. Russ Austin austin.russ@gmail.com -- "The fruits of the Holy Spirit are Love, Joy, Peace, Patience, Kindness, Goodness, Faithfulness, Gentleness and Self-Control. Against these there is no law." The Holy Spirit ------=_Part_114333_4973972.1173058677713 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: inline
Hello all,
 
Just ran into a small problem and struggled to find the solution.  I
even got Bill Rowe, Jr. involved, and on his suggestion I am emailing
you all to explain it.
 
I recently had a need to get a web server running on my personal
pc for testing.  As I started to use Apache somewhere around 1995
and have served countless pages with it over the years, I naturally
went to the site to grab a copy.  I got the latest version of the
Windows XP (don't boo me, but I haven't run Linux in a few years
at home - sorry) binary.  I also grabbed the ascii signature and
the pgp key file from the main distribution site, as instructed.  As
I also haven't used pgp in years, I went out first and grabbed a copy
of GnuPG and installed it.  Now the Apache Download page states
"The PGP signatures can be verified using PGP or GPG. First download
 the KEYS as well as the asc signature file for the relevant distribution.
 Make sure you get these files from the main distribution directory, rather
 than from a mirror. Then verify the signatures using
% gpg --import KEYS
% gpg --verify apache_1.3.24.tar.gz.asc
  • httpd-2.2.4.tar.gz is signed by William Rowe 10FDE075
  • httpd-2.0.59.tar.gz is signed by William Rowe 10FDE075
  • httpd-1.3.37.tar.gz is signed by William Rowe 10FDE075"
I followed the directions (except I was running the Windows version
of GnuGP so followed in the gui way).  But, everytime I tried to
verify the signature I would be told, literally that the signature was "bad"
though it showed the correct Key ID and User (William Rowe).
So, I wrote to Bill and asked him, very politely, if he had seen anything
like this.  He wrote back and said he didn't know GnuPG and had used
PGP and perhaps the problem was there.  So, I went out and got a
copy of PGP Desktop from their sight and redid the signature verification
process.  This time, I it declared the apache_2.2.4-win32-x86-no_ssl.msi.asc
verification file had an "invalid key".  I was lost, so I sent Bill a couple of
screen shots and let him know again what I was seeing (he is so kind
to help a guy out so readily).
Well, while I was waiting to see if Bill had any suggestions, I poked around
with things.  I upped his trust level, but that didn't clear the problem (and
isn't recommended without meeting and getting to know a person).  Then,
just for kicks, I signed my signature on his key in my key file.  Surprise!
That cleared the problem.  Not intuitive to me, but understandable in hind
sight.  Well, I wrote another quick note to Bill and he replied with the following:
 
"I notice it says bad key, not bad signature.  Interesting.

It's a web of trust, now that you trust me, you trust those who's keys
I've signed.  Since you trusted nobody, you had no trust link to me.

The instructions probably deserve another look, perhaps ping the list
docs@httpd.apache.org to explain your story and ask for some clarification
be added to those instructions :)

Bill"
 
Which is why I am writing.  Hope it helps.
 
Russ Austin

--
"The fruits of the Holy Spirit are Love, Joy, Peace, Patience, Kindness, Goodness, Faithfulness, Gentleness and Self-Control.  Against these there is no law."  The Holy Spirit
------=_Part_114333_4973972.1173058677713--