Verifying Geronimo Releases
All official releases of code distributed by the Apache Geronimo Project are signed by the release manager for the release. PGP signatures and MD5 hashes are available along with the distribution.
You should download the PGP signatures and MD5 hashes directly from the Apache Software Foundation rather than our mirrors. This is to help ensure the integrity of the signature files. However, you are encouraged to download the releases from our mirrors. (Our download page points you at the mirrors for the release and the official site for the signatures, so this happens automatically for you.)
Checking Signatures
The following example shows how signature verification works. It assumes that you have already downloaded geronimo-tomcat-j2ee-1.1.tar.gz (the release) and geronimo-tomcat-j2ee-1.1.tar.gz.asc (the detached signature).
...
Any attacker can create a public key and upload it to the public key servers. They can then create a malicious release signed by this fake key. If you then tried to verify the signature of this corrupt release, the check would succeed, because a signature check only proves that the file matches whatever key produced the signature, and that key was the attacker's rather than the 'real' key. Therefore, you need to validate the authenticity of the key itself.
Validating Authenticity of a Key
You may download public keys for the Apache Geronimo developers from our website or retrieve them off the public PGP keyservers (see above). However, importing these keys is not enough to verify the integrity of the signatures. If a release verifies as good, you need to validate that the key was created by an official representative of the Apache Geronimo Project.
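Putting the steps of this page together, here is an added example script (not from the Geronimo site or project) that checks the MD5 hash, runs gpg --verify on the detached signature, and then compares the fingerprint of the signing key with the one you took from the project's KEYS file, which is the key-authenticity check this section calls for. The function names and the all-zero fingerprint placeholder are assumptions; the .md5 and .asc file naming follows the Apache download layout.

```sh
#!/bin/sh
# Added example (not from the Geronimo site): verify a release tarball against
# its detached PGP signature and published MD5 hash, then confirm that the key
# which produced the signature has the fingerprint taken from the project's
# KEYS file. The function names and the fingerprint below are assumptions.

# Print the MD5 hash of a file, using whichever of md5sum or openssl is installed.
md5_of() {
  if command -v md5sum >/dev/null 2>&1; then
    md5sum "$1" | awk '{print $1}'
  else
    openssl dgst -md5 "$1" | awk '{print $NF}'
  fi
}

# verify_md5 RELEASE MD5FILE
# Accepts hash files containing either "<hash>" or "<hash>  <filename>",
# with or without CRLF line endings. Succeeds only if the hashes match.
verify_md5() {
  expected=$(tr -d '\r\n' < "$2" | awk '{print tolower($1)}')
  actual=$(md5_of "$1")
  [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# signer_matches GPG_STATUS_TEXT EXPECTED_FINGERPRINT
# gpg's machine-readable status stream contains, for a good signature, a line
#   [GNUPG:] VALIDSIG <signing-key-fpr> <date> <timestamp> ... <primary-key-fpr>
# Succeeds if either fingerprint equals the expected one (spaces ignored,
# case-insensitive). A VALIDSIG line alone is not enough: gpg reports a valid
# signature for any imported key, including one an attacker uploaded.
signer_matches() {
  want=$(printf '%s' "$2" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
  printf '%s\n' "$1" | awk -v want="$want" '
    /^\[GNUPG:] VALIDSIG/ { if ($3 == want || $NF == want) ok = 1 }
    END { exit ok ? 0 : 1 }'
}

# verify_signature RELEASE SIGNATURE EXPECTED_FINGERPRINT
# Runs gpg --verify on the detached signature and requires both a valid
# signature and the expected signer. gpg itself exits 0 for a good signature
# from any imported key, so the fingerprint comparison is the real check.
verify_signature() {
  status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
  signer_matches "$status" "$3"
}

# Placeholder: replace with the fingerprint of the release manager's key as
# listed in the project's KEYS file (assumed value, not a real key).
GERONIMO_RELEASE_KEY_FPR="0000000000000000000000000000000000000000"

# verify_release RELEASE [EXPECTED_FINGERPRINT]
# Expects RELEASE.asc and RELEASE.md5 beside the tarball, as the Apache
# download layout provides them.
verify_release() {
  release=$1
  fpr=${2:-$GERONIMO_RELEASE_KEY_FPR}
  verify_md5 "$release" "$release.md5" \
    || { echo "MD5 mismatch: $release" >&2; return 1; }
  verify_signature "$release" "$release.asc" "$fpr" \
    || { echo "signature or signer check failed: $release" >&2; return 1; }
  echo "OK: $release verified against key $fpr"
}

# Stand-alone use: sh verify-release.sh geronimo-tomcat-j2ee-1.1.tar.gz [FINGERPRINT]
if [ "$#" -ge 1 ]; then
  verify_release "$@"
fi
```

The fingerprint passed in (or set in the placeholder variable) must come from the KEYS file on the Apache site, not from the keyserver that served the key: a key fetched from a keyserver is exactly what the previous paragraph says an attacker can plant, and only a fingerprint obtained from the project ties the signature to a real release manager.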
...