PGP verifying Tomcat release

Ranch Hand
Posts: 192
Hello. I have done this before but for some reason I'm stumped. I am trying to verify the Tomcat zip download. I downloaded the zip and the pgp link (asc file). On the command line in the GPG executable directory, I enter...

gpg --verify   apache-tomcat-9.0.84-windows-x64.zip.asc   apache-tomcat-9.0.84-windows-x64.zip

and it returns

gpg: Signature made 12/7/2023 2:23:44 PM Eastern Standard Time
gpg: using RSA key 48F8..blah...blah
gpg: Can't check signature: No public key

Is there something up with what I downloaded? Thank you.
Marshal
Posts: 4533
It looks like the issue is that you do not have the corresponding public key for the private key used to sign the package.

I'm not sure who/what are the trusted sources for these keys, but as a test, I imported the public key from the pgpkeys.mit.edu keyserver, and I was able to verify the package (but not able to verify the public key).

Thomas Griffith
Ranch Hand
Posts: 192
Hi. Did it take forever to return that key? I tried that command line as well as a search on the mit site web interface and everything just hangs then fails.
Thomas Griffith
Ranch Hand
Posts: 192
ok, I think I imported 1 key. Had a character off. I'll try to verify again.

Where is the imported key stored?
Saloon Keeper
Posts: 27868
This might help: http://www.pmsas.pr.gov.br/wp-content/?id=coderanch-1z0-809&exam=t/544066/application-servers/verify-Tomcat-files-PGP

Also, I think the code-signing keys are here: https://downloads.apache.org/tomcat/tomcat-9/KEYS
Thomas Griffith
Ranch Hand
Posts: 192
ok, thank you for the help, guys. With those links and https://www.apache.org/info/verification.html I was able to get it down to where Ron was and need to verify if that signer is real. I think there is a list somewhere mapping public key with signer name.
Thomas Griffith
Ranch Hand
Posts: 192
Hello. I was just coming back to this and was wondering if anybody was having trouble with verifying the public-key-signer step, i.e., searching http://pgpkeys.mit.edu/ to match the fingerprint from the downloaded public key with the web-of-trust fingerprint on the MIT server?

I tried searching "Remy", "remm@apache.org" and various segments of the fingerprint below...

Primary key fingerprint: 48F8 E69F 6390 C9F2 5CFE  DCD2 6824 8959 359E 722B

It keeps timing out/throwing Exception raised/etc. I thought I remembered at this step the mit server is supposed to return a list of public keys and fingerprints and you find the match to verify.

thank you.
Tim Holloway
Saloon Keeper
Posts: 27868
I got kind of curious about this myself this morning. It has been a long time since I meddled with that stuff so some refreshing was in order.

I got to thinking about the chain of trust on my own gpg key and realized that I probably haven't got it on file on any of the public key repositories. But you should be able to trust it because you can download it from a secured URL whose chain of trust goes through LetsEncrypt.

In much the same way you should be able to trust files downloaded directly from https://tomcat.apache.org/download-90.cgi. It's SSL-secured by the master apache.org LetsEncrypt cert until March 2024 so in order to corrupt the files you download from there, the actual Tomcat website would have to be compromised, which I don't think has ever happened.

Now on the other hand, if you want to import the Tomcat code-signers keys, you just have to import the KEYS file from the Tomcat site (which, again, is SSL-secured).

The instructions given are out of date, however, as they pertain to pgp, and pgp is no longer supplied for Linux due, I think, to its proprietary nature. So instead of this command:

Do this, instead:

That's assuming that you used your browser to save https://tomcat.apache.org/download-90.cgi as ~/Desktop/KEYS. Adjust the filename and path to suit your convenience. You may be able to pull straight from the URL if you RTFM but this was an experiment that worked, so good enough for me.

The gpg utility will take pretty much any text file in because it is looking for armor blocks. Any lines outside of those blocks are simply ignored.

Now my keyring contains these additions:

pub   dsa1024 2004-09-12 [SC]
      DCFD35E0BF8CA7344752DE8B6FB21E8933C60243
uid           [ unknown] Mark E D Thomas <markt@apache.org>
uid           [ unknown] Mark E D Thomas <med.thomas@virgin.net>
uid           [ unknown] Mark E D Thomas <mark.thomas@springsource.com>
sub   elg2048 2004-09-12 [E]

pub   rsa4096 2009-09-18 [SC]
      A9C5DF4D22E99998D9875A5110C01C5A2F6059E7
uid           [ unknown] Mark E D Thomas <markt@apache.org>
sub   rsa4096 2009-09-18 [E]

pub   rsa4096 2019-05-05 [SC]
      48F8E69F6390C9F25CFEDCD268248959359E722B
uid           [ unknown] Remy Maucherat <remm@apache.org>
sub   rsa4096 2019-05-05 [E]

and I should be able to run gpg verify on my downloads.
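As an added example (not code from the thread, nor from Apache or GnuPG), here is a Python script that automates the two checks the thread works through by hand: it reads the KEYS file the way gpg reports it with --with-colons, reads the machine-readable lines that gpg --status-fd 1 --verify emits, and accepts a download only when the signature is VALIDSIG and the primary-key fingerprint is one listed in KEYS. The sample records are constructed from the fingerprint in the thread; the subkey id, subkey fingerprint and uid hash are placeholders, and the record layouts follow GnuPG's DETAILS documentation.

```python
import re

def normalize_fingerprint(fpr: str) -> str:
    """Canonical form of a fingerprint that gpg prints in groups of four."""
    return re.sub(r"\s+", "", fpr).upper()

def signers_from_colons(colons: str) -> dict:
    """Primary-key fingerprint -> first uid, from `gpg --with-colons --import-options show-only --import KEYS`."""
    signers, current = {}, None
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] == "pub":            # new certificate: the next fpr record is its primary key
            current = None
        elif f[0] == "fpr" and current is None:   # later fpr records (subkeys) are skipped
            current = f[9]
            signers[current] = None
        elif f[0] == "uid" and current and signers[current] is None:
            signers[current] = f[9]
    return signers

def verify_status(status: str, allowed: dict) -> tuple:
    """Interpret `gpg --status-fd 1 --verify file.asc file` lines; returns (ok, reason)."""
    for line in status.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        tag, args = parts[1], parts[2:]
        if tag == "NO_PUBKEY":
            return False, f"no public key {args[0]}: import the release KEYS file first"
        if tag == "BADSIG":
            return False, "BADSIG: the zip or its .asc is corrupt or was tampered with"
        if tag == "VALIDSIG":        # last field is the primary key fingerprint
            primary = normalize_fingerprint(args[-1])
            if primary in allowed:
                return True, f"signed by {allowed[primary]} ({primary})"
            return False, f"valid signature, but {primary} is not a listed release signer"
    return False, "no VALIDSIG line: nothing was verified"

# Constructed sample data modelled on the thread's key and on gpg output before/after importing it.
KEYS_COLONS = """pub:-:4096:1:68248959359E722B:1557064800:::-:::scESC::::::23::0:
fpr:::::::::48F8E69F6390C9F25CFEDCD268248959359E722B:
uid:-::::1557064800::0000000000000000000000000000000000000000::Remy Maucherat <remm@apache.org>::::::::::0:
sub:-:4096:1:0000000000000000:1557064800::::::e::::::23:
fpr:::::::::0000000000000000000000000000000000000000:
"""
STATUS_NO_KEY = "[GNUPG:] NEWSIG\n[GNUPG:] NO_PUBKEY 68248959359E722B\n"
STATUS_GOOD = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 68248959359E722B Remy Maucherat <remm@apache.org>
[GNUPG:] VALIDSIG 48F8E69F6390C9F25CFEDCD268248959359E722B 2023-12-07 1701977024 0 4 0 1 8 00 48F8E69F6390C9F25CFEDCD268248959359E722B
"""
```

Feed it the real outputs by running the two gpg commands named in the docstrings and passing their stdout to signers_from_colons and verify_status; a keyserver lookup is then no longer part of the check, since the allowlist comes from the KEYS file served over HTTPS.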
 