james-server-user mailing list archives

From Dean Ashby <d.as...@alchemy.co.nz>
Subject Problem with GPG verification of Release james-binary-2.3.2.tar.gz
Date Thu, 28 Jun 2012 02:48:43 GMT

I've downloaded the following files from the main Apache FTP server:


And tried verifying the signature for the download using:

gpg --import KEYS
gpg --verify apache-james-2.3.2.tar.gz.asc
gpg: Signature made Tue 11 Aug 2009 08:35:01 NZST using RSA key ID A6EE6908
gpg: Can't check signature: public key not found

This doesn't look good!

Looking through the KEYS file there doesn't appear to be a key for A6EE6908

Fetching the key from pgpkeys.mit.edu produces the following:

gpg --keyserver pgpkeys.mit.edu --recv-key A6EE6908
gpg: requesting key A6EE6908 from hkp server pgpkeys.mit.edu
gpg: key A6EE6908: public key "Robert Burrell Donkin (CODE SIGNING KEY) <rdonkin@apache.org>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

And the fingerprint looks like this:

gpg --fingerprint A6EE6908
pub   8192R/A6EE6908 2009-08-07
       Key fingerprint = 597C 729B 0237 1932 E77C  B9D5 EDB8 C082 A6EE 6908
uid                  Robert Burrell Donkin (CODE SIGNING KEY) 
sub   8192R/B800EFC1 2009-08-07

Robert Burrell Donkin does show up in the KEYS file but with a different 
key (B1313DE2).

Is there something dodgy going on here or is there a problem with the 
key used to sign the download?  It looks like Robert Donkin may have two 
keys and has used the wrong one to sign the .tgz archive?



Purpose Built Software

Dean Ashby
Senior Software Engineer

118 Wrights Road, PO Box 2386, Christchurch 8140, New Zealand
Telephone +64 3 281 8166 ext 763
Mobile +64 21 388 414
Facsimile +64 3 338 0420

Email d.ashby@alchemy.co.nz
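Added example, not part of the post above: a small Python checker that applies the rule the post is circling around, namely that a release signature should only be accepted when the signing key is one the project publishes in its KEYS file, not merely one that can be fetched from a keyserver. It parses the fingerprints out of a KEYS file and the machine-readable lines from `gpg --status-fd 1 --verify`; the KEYS fragment and status lines are constructed samples (only the key IDs, fingerprint and signature time come from the post; the B1313DE2 fingerprint and key metadata are placeholders).

```python
import re

# Constructed sample of an Apache-style KEYS file. Only the key ID B1313DE2
# comes from the post; algorithm, size, date, uid and fingerprint are placeholders.
SAMPLE_KEYS = """\
pub   1024D/B1313DE2 2004-01-01
      Key fingerprint = 0000 0000 0000 0000 0000  0000 0000 0000 B131 3DE2
uid                  Robert Burrell Donkin <rdonkin@apache.org>
-----BEGIN PGP PUBLIC KEY BLOCK-----
(armored key omitted)
-----END PGP PUBLIC KEY BLOCK-----
"""

# Constructed `gpg --status-fd 1 --verify` output for the two situations in
# the post: signing key absent from the keyring, then present after fetching it.
STATUS_NO_PUBKEY = """\
[GNUPG:] ERRSIG EDB8C082A6EE6908 1 2 00 1249936501 9
[GNUPG:] NO_PUBKEY EDB8C082A6EE6908
"""
STATUS_AFTER_FETCH = """\
[GNUPG:] GOODSIG EDB8C082A6EE6908 Robert Burrell Donkin (CODE SIGNING KEY) <rdonkin@apache.org>
[GNUPG:] VALIDSIG 597C729B02371932E77CB9D5EDB8C082A6EE6908 2009-08-10 1249936501 0 4 0 1 2 00 597C729B02371932E77CB9D5EDB8C082A6EE6908
"""

def keys_file_fingerprints(keys_text):
    """Full fingerprints listed in a KEYS file, without spaces, upper-cased."""
    pattern = r"^\s*Key fingerprint\s*=\s*([0-9A-Fa-f ]+)$"
    return {re.sub(r"\s", "", m.group(1)).upper()
            for m in re.finditer(pattern, keys_text, re.M)}

def check_signature(status_text, trusted_fingerprints):
    """Classify a verification from gpg status lines, trusting only KEYS.

    Returns (verdict, identifier). A GOODSIG alone is not enough: the key
    that made the signature must also be one the project publishes in KEYS.
    """
    signer_fpr = None
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != "[GNUPG:]":
            continue
        tag, arg = fields[1], fields[2].upper()
        if tag == "NO_PUBKEY":
            return ("NO_PUBKEY", arg)        # cannot verify yet; key not in keyring
        if tag == "BADSIG":
            return ("BAD_SIGNATURE", arg)    # archive or signature corrupt/tampered
        if tag == "VALIDSIG":
            signer_fpr = arg                 # full fingerprint, not a short key ID
    if signer_fpr is None:
        return ("NO_VALID_SIGNATURE", None)
    if signer_fpr in trusted_fingerprints:
        return ("TRUSTED", signer_fpr)
    return ("UNTRUSTED_SIGNER", signer_fpr)  # valid signature, signer not in KEYS
```

Importing KEYS into an empty, throwaway GNUPGHOME before running gpg --verify gives the same outcome at the shell level: the download in the post would then stay at NO_PUBKEY rather than turning into a "good" signature from a key the project never published.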
