From: Ivan Kelly
To: user@zookeeper.apache.org
Subject: Re: verifying downloads of release tarballs
Date: Tue, 07 Oct 2014 08:35:24 +0000

The keys in use should be in
https://svn.apache.org/repos/asf/zookeeper/dist/KEYS

-Ivan

Warren Turkal writes:

> Hey everyone,
>
> I have a couple questions about verifying the tarballs I download for
> Zookeeper.
>
> I don't see any listing of an official release manager identity and their
> pub key. Therefore, I don't know which key I should be getting to verify a
> signature against. Is there a list somewhere of the release manager
> identity? Ideally, I'd also be able to get the key from an Apache site
> protected by TLS (maybe even HTTPS). Am I just missing this info? If so,
> where is the info?
>
> Also, I don't see corresponding .asc signature files that can be used to
> verify the authenticity of the archives even if I did have a pub key. Are
> these located in some special location other than in the directories
> alongside the released tarballs?
>
> Alternatively, is there a better way to retrieve crypto-secured releases
> than just downloading the release tarballs?
>
> Thanks,
> wt
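
One way to run the check this thread asks about, as an added example that is not part of the original messages or of ZooKeeper's own tooling: import the KEYS file into a throwaway keyring, verify the detached `.asc` signature, and accept only when gpg's machine-readable status reports exactly one valid signature. It assumes `gpg` is installed and that KEYS was fetched from the HTTPS URL in the reply; the function names, the file arguments and the optional pinned fingerprint are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Read `gpg --status-fd` output on stdin. Print the signer's primary-key
# fingerprint and return 0 only when there is exactly one VALIDSIG line
# and no failure status; otherwise print nothing and return 1.
valid_signer() {
    awk '
        $1 != "[GNUPG:]" { next }
        $2 == "VALIDSIG" { n++; fpr = (NF >= 12) ? $12 : $3 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY)$/ { bad = 1 }
        END {
            if (n == 1 && !bad) { print fpr; exit 0 }
            exit 1
        }'
}

# verify_release KEYS TARBALL SIG [EXPECTED_FPR]
# Returns 0 and prints the signer fingerprint on success, 1 when the
# signature does not verify against KEYS, 2 when an input is unreadable.
verify_release() {
    keys=$1; tarball=$2; sig=$3; expected=${4:-}
    [ -r "$keys" ] && [ -r "$tarball" ] && [ -r "$sig" ] || return 2
    # Throwaway keyring: only keys from KEYS can validate the signature,
    # never whatever already sits in the user's own ~/.gnupg.
    home=$(mktemp -d) || return 2
    # The import status is not relied on; a key that failed to import
    # shows up as NO_PUBKEY at --verify, which fails closed.
    GNUPGHOME=$home gpg --batch --quiet --import "$keys" >/dev/null 2>&1 || :
    rc=0
    fpr=$(GNUPGHOME=$home gpg --batch --status-fd 1 \
            --verify "$sig" "$tarball" 2>/dev/null | valid_signer) || rc=$?
    rm -rf "$home"
    [ "$rc" -eq 0 ] || return 1
    # Optional pin: a fingerprint obtained out of band must match.
    if [ -n "$expected" ] && [ "$fpr" != "$expected" ]; then return 1; fi
    printf '%s\n' "$fpr"
}

# Stand-alone use: sh verify.sh KEYS <tarball> <tarball>.asc [fingerprint]
if [ "$#" -ge 3 ]; then verify_release "$@"; fi
```

Parsing the status lines instead of trusting gpg's exit code alone means an expired or revoked signing key is rejected rather than passed with a warning.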