You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Next »

Verifying Geronimo Releases

All official releases of code distributed by the Apache Geronimo Project are signed by the release manager for the release. PGP signatures and MD5 hashes are available along with the distribution.

You should download the PGP signatures and MD5 hashes directly from the Apache Software Foundation rather than our mirrors. This is to help ensure the integrity of the signature files. However, you are encouraged to download the releases from our mirrors. (Our download page points you at the mirrors for the release and the official site for the signatures, so this happens automatically for you.)

Checking Signatures

The following example details how signature interaction works. In this example, it is assumed that you already have downloaded geronimo-tomcat-j2ee-1.1.tar.gz (the release) and geronimo-tomcat-j2ee-1.1.tar.gz.asc (the detached signature).

This example uses The GNU Privacy Guard. Any OpenPGP-compliant program should work successfully.

First, we will check the detached signature geronimo-tomcat-j2ee-1.1.tar.gz.asc against our release geronimo-tomcat-j2ee-1.1.tar.gz.

% gpg geronimo-tomcat-j2ee-1.1.tar.gz.asc
gpg: Signature made Mon Jun 26 15:26:36 2006 AUSEST using DSA key ID A46C4CA1
gpg: Can't check signature: public key not found

We don't have the release manager's public key (A46C4CA1) in our local system. You now need to retrieve the public key from a key server. One popular server is pgpkeys.mit.edu (which has a web interface). The public key servers are linked together, so you should be able to connect to any key server.

% gpg --keyserver pgpkeys.mit.edu --recv-key A46C4CA1
gpg: requesting key A46C4CA1 from hkp keyserver pgpkeys.mit.edu
gpg: trustdb created
gpg: key A46C4CA1: public key "Matt Hogstrom <hogstrom@apache.org>" imported
gpg: Total number processed: 1
gpg: imported: 1

In this example, you have now received a public key for an entity known as 'Matt Hogstrom <hogstrom@apache.org>' However, you have no way of verifying this key was created by the person known as Matt Hogstrom. But, let's try to verify the release signature again.

% gpg geronimo-tomcat-j2ee-1.1.tar.gz.asc
gpg: Signature made Mon Jun 26 15:25:36 2006 AUEST using DSA key ID A46C4CA1
gpg: Good signature from "Matt Hogstrom <hogstrom@apache.org>"
gpg: checking the trustdb
gpg: no ultimately trusted keys found
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Fingerprint: 9056 B710 F1E3 3278 0DE7 AF34 CBAE BE39 A46C 4CA1

At this point, the signature is good, but we don't trust this key. A good signature means that the file has not been tampered. However, due to the nature of public key cryptography, you need to additionally verify that key A46C4CA1 was created by the real Matt Hogstrom.

Any attacker can create a public key and upload it to the public key servers. They can then create a malicious release signed by this fake key. Then, if you tried to verify the signature of this corrupt release, it would succeed because the key was not the 'real' key. Therefore, you need to validate the authenticity of this key.

  • No labels