
Validating Authenticity of a Key

You may download public keys for the Apache Geronimo developers from our website or retrieve them from the public PGP keyservers (see above). However, importing these keys is not enough to verify the integrity of a release. A good signature only proves that the file was signed by whoever holds that key; if a release verifies as good, you still need to validate that the key belongs to an official representative of the Apache Geronimo Project.

The crucial step in validation is to confirm the fingerprint of the public key against a value you obtained through some channel other than the key itself.

% gpg --fingerprint A46C4CA1
pub 1024D/A46C4CA1 2006-01-05
Key fingerprint = 9056 B710 F1E3 3278 0DE7 AF34 CBAE BE39 A46C 4CA1
uid Matt Hogstrom <hogstrom@apache.org>
sub 2048g/2FD8C3E0 2006-01-05

A good start to validating a key is face-to-face verification, in which the key holder presents one or more government-issued photo IDs and you compare the fingerprint they give you with the one gpg prints. However, each person is free to set their own standard for determining the authenticity of a key. Some people are satisfied with reading the key fingerprint over the telephone (voice verification). For more information on determining what level of trust works best for you, please read the GNU Privacy Handbook section on Validating other keys on your public keyring.

Most of the Apache Geronimo developers have signed each other's keys (usually after face-to-face validation). Therefore, in order to enter the web of trust, you should only need to validate one person in our web of trust and mark that key as trusted in gpg. (Hint: all of our developers' keys are in the KEYS file.)

Since the developers are usually quite busy, you may not immediately find someone who is willing to meet face-to-face (they may not even respond to your emails because they are so busy!). If you do not have a developer nearby or have trouble locating a suitable person, please send an email to the address of the key you are attempting to verify. They may be able to find someone who is willing to validate their key, or arrange an alternate mechanism for validation.

Once you have entered the web of trust (that is, once gpg can connect the signing key to a key you have verified and marked as trusted), verifying the signature of a release should print a clean "Good signature" with no trust warning:

% gpg geronimo-tomcat-j2ee-1.1.tar.gz.asc
gpg: Signature made Mon Jun 26 15:25:36 2006 AUEST using DSA key ID A46C4CA1
gpg: Good signature from "Matt Hogstrom <hogstrom@apache.org>"

If gpg instead appends "WARNING: This key is not certified with a trusted signature!", the signature itself is good but the key is not yet connected to anything you trust; treat the release as unverified until you have validated the key as described above.
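As an added example (not part of this page or of the Geronimo project's own tooling), the following POSIX shell script automates the two checks described above: it compares the fingerprint gpg reports for a key with the one you confirmed out of band, and then requires that a release signature is both good and trusted through your web of trust rather than merely "good". The sample gpg outputs embedded in it are constructed and abridged from what `gpg --with-colons --fingerprint` and `gpg --status-fd 1 --verify` print, using the fingerprint shown on this page; the tarball and key arguments passed to verify_release are placeholders.

```shell
#!/bin/sh
# Added example, not code from the Apache Geronimo page or project.
# Two checks a release verifier needs: (1) the fingerprint gpg shows for a
# key matches the one you confirmed out of band, (2) the release signature
# is good AND the signing key is trusted through your web of trust.

# Normalize a fingerprint so "9056 B710 ..." and "9056b710..." compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F'
}

# Pull the primary-key fingerprint out of `gpg --with-colons --fingerprint`
# output ($1): the "fpr" record that follows the "pub" record, field 10.
# Subkey fingerprints, if present, are deliberately ignored.
primary_fpr_from_colons() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "pub" { want = 1; next }
        want && $1 == "fpr" { print $10; want = 0 }'
}

# Return 0 if the primary fingerprint in the colon output ($1) equals the
# expected fingerprint ($2), non-zero otherwise.
fingerprint_matches() {
    got=$(primary_fpr_from_colons "$1" | head -n 1)
    [ -n "$got" ] && [ "$(normalize_fpr "$got")" = "$(normalize_fpr "$2")" ]
}

# Classify `gpg --status-fd 1 --verify` output ($1):
#   0  GOODSIG and the key is fully/ultimately trusted (inside your web of trust)
#   1  GOODSIG but untrusted (the "WARNING: This key is not certified" case)
#   2  no good signature at all
signature_verdict() {
    printf '%s\n' "$1" | grep -q '^\[GNUPG:\] GOODSIG ' || return 2
    printf '%s\n' "$1" | grep -Eq '^\[GNUPG:\] TRUST_(FULLY|ULTIMATE)' && return 0
    return 1
}

# Against a real keyring: verify_release TARBALL KEYID "EXPECTED FINGERPRINT"
# Exit status follows signature_verdict; 3 means the fingerprint did not match.
verify_release() {
    tarball=$1; keyid=$2; expected=$3
    colons=$(gpg --batch --with-colons --fingerprint "$keyid" 2>/dev/null) || return 3
    fingerprint_matches "$colons" "$expected" || {
        echo "fingerprint of $keyid does not match the confirmed value" >&2; return 3; }
    # --status-fd 1 puts the machine-readable lines on stdout; the usual
    # human-readable text goes to stderr.
    status=$(gpg --batch --status-fd 1 --verify "$tarball.asc" "$tarball" 2>/dev/null) || return 2
    signature_verdict "$status"
}

# Constructed samples: abridged gpg output built from the fingerprint shown
# on this page (key algorithm 17 = DSA; the uid hash field is a placeholder).
SAMPLE_COLONS="pub:-:1024:17:CBAEBE39A46C4CA1:1136419200:::-:::scESC:
fpr:::::::::9056B710F1E332780DE7AF34CBAEBE39A46C4CA1:
uid:-::::1136419200::0000000000000000000000000000000000000000::Matt Hogstrom <hogstrom@apache.org>:"

SAMPLE_STATUS_UNTRUSTED="[GNUPG:] GOODSIG CBAEBE39A46C4CA1 Matt Hogstrom <hogstrom@apache.org>
[GNUPG:] TRUST_UNDEFINED 0 pgp"

SAMPLE_STATUS_TRUSTED="[GNUPG:] GOODSIG CBAEBE39A46C4CA1 Matt Hogstrom <hogstrom@apache.org>
[GNUPG:] TRUST_FULLY 0 pgp"

# Usage against a real keyring (placeholder file and key names):
#   verify_release geronimo-tomcat-j2ee-1.1.tar.gz A46C4CA1 \
#       "9056 B710 F1E3 3278 0DE7 AF34 CBAE BE39 A46C 4CA1"
```

The point of signature_verdict is that gpg exits 0 for a good signature even when it prints the "not certified with a trusted signature" warning; only the TRUST_* status line tells you whether the key is actually inside your web of trust. If your policy accepts marginally trusted keys, add TRUST_MARGINAL to the pattern.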