tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Paulo Gaspar" <paulo.gas...@krankikom.de>
Subject PGP-keys issue on Tomcat 4.0.3 (via Webmaster)
Date Wed, 24 Apr 2002 19:22:42 GMT
Via webmaster, please check the "Original Message" that follows.

Have fun,
Paulo Gaspar

> -----Original Message-----
> From: Erik Agsjo [mailto:erik.agsjo@noptec.com]
> Sent: Wednesday, April 24, 2002 9:59 AM
> To: webmaster@jakarta.apache.org
> Subject: PGP-keys
> 
> 
> Hi.
> 
> <paranoia>
> 
> I just downloaded the tomcat 4.0.3  binaries for linux (mod_jk-01.so and 
> mod_webapp.so) and decided to verify the signatures provided. They 
> checked out fine, after I added the keys from the "KEYS" file to 
> my keyring.
> 
> I would be nice if these keys were available from a keyserver, I failed 
> to find them anywhere. Also, if the keys were signed by someone else 
> than the keyowner, the point of signing the binaries would be much 
> improved. I mean, if someone has access to the distribution directory 
> and replaces the binaries with copies containing evil trojans, it would 
> be simple for that individual to replace the KEYS file and signatures as 
> well.
> 
> What is worse it that that the signature  for the tgz 
> (jakarta-tomcat-4.0.3.tar.gz) is bad. At least, that is what gpg (GnuPG) 
> 1.0.6 says.
> 
> </paranoia>
> 
> Thanks for you time,
> Erik Agsjo
> Noptec
> 

--
To unsubscribe, e-mail:   <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>


Mime
View raw message