I got kind of curious about this myself this morning. It has been a long time since I meddled with that stuff so some refreshing was in order.
I got to thinking about the chain of trust on my own gpg key and realized that I probably haven't got it on file on any of the public key repositories. But you should be able to trust it because you can download it from a secured URL whose chain of trust goes through Let's Encrypt.
In much the same way you should be able to trust files downloaded directly from
https://tomcat.apache.org/download-90.cgi. It's SSL-secured by the master apache.org Let's Encrypt cert until March 2024, so in order to corrupt the files you download from there, the actual Tomcat website would have to be compromised, which I don't think has ever happened.
Now on the other hand, if you want to import the Tomcat code-signers keys, you just have to import the KEYS file from the Tomcat site (which, again, is SSL-secured).
The instructions given are out of date, however, as they pertain to pgp, and pgp is no longer supplied for Linux due, I think, to its proprietary nature. So instead of this command:
Do this, instead:
That's assuming that you used your browser to save https://tomcat.apache.org/download-90.cgi as ~/Desktop/KEYS. Adjust the filename and path to suit your convenience. You may be able to pull straight from the URL if you RTFM, but this was an experiment that worked, so good enough for me.
The gpg utility will take pretty much any text file in because it is looking for armor blocks. Any lines outside of those blocks are simply ignored.
Now my keyring contains these additions:

pub   dsa1024 2004-09-12 [SC]
      DCFD35E0BF8CA7344752DE8B6FB21E8933C60243
uid           [ unknown] Mark E D Thomas <markt@apache.org>
uid           [ unknown] Mark E D Thomas <med.thomas@virgin.net>
uid           [ unknown] Mark E D Thomas <mark.thomas@springsource.com>
sub   elg2048 2004-09-12 [E]

pub   rsa4096 2009-09-18 [SC]
      A9C5DF4D22E99998D9875A5110C01C5A2F6059E7
uid           [ unknown] Mark E D Thomas <markt@apache.org>
sub   rsa4096 2009-09-18 [E]

pub   rsa4096 2019-05-05 [SC]
      48F8E69F6390C9F25CFEDCD268248959359E722B
uid           [ unknown] Remy Maucherat <remm@apache.org>
sub   rsa4096 2019-05-05 [E]
and I should be able to run gpg verify on my downloads.
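The import-then-verify procedure described in the post, as an added example that is not code from the original post or from the Tomcat project. It runs entirely offline: instead of the real KEYS file and a Tomcat tarball, it generates a throwaway signing key, writes a KEYS-shaped file (armored key block surrounded by prose, which gpg --import skips), signs a constructed "release" file, imports KEYS into a separate downloader keyring, and verifies both the genuine and a tampered copy. The key name, paths and file contents are all made up for the demonstration. One point the post does not make explicit: a "Good signature" message alone only proves that some key in your keyring signed the file, so the check below also pins the fingerprint to the one listed in KEYS.

```shell
#!/bin/sh
# Added example; not code from the original post or from the Tomcat project.
# Imports a KEYS-style file into a throwaway keyring, verifies a release file
# against its detached .asc signature, and checks that the signing key is the
# one expected. Everything is constructed offline: a throwaway key and a fake
# "release" file stand in for the real KEYS file and Tomcat tarball.
set -eu

WORK=$(mktemp -d)
SIGNER="$WORK/signer"          # release manager's keyring (holds the secret key)
DOWNLOADER="$WORK/downloader"  # the user's keyring, starts empty
mkdir -m 700 "$SIGNER" "$DOWNLOADER"
echo allow-loopback-pinentry > "$SIGNER/gpg-agent.conf"       # older agents need this
echo allow-loopback-pinentry > "$DOWNLOADER/gpg-agent.conf"
trap 'gpgconf --homedir "$SIGNER" --kill gpg-agent 2>/dev/null || true;
      gpgconf --homedir "$DOWNLOADER" --kill gpg-agent 2>/dev/null || true;
      rm -rf "$WORK"' EXIT

# g HOMEDIR ARGS...: gpg in non-interactive mode against one of the keyrings.
# The throwaway key is created without a passphrase, hence the empty one here.
g() { home=$1; shift
      gpg --homedir "$home" --batch --quiet --no-tty --pinentry-mode loopback --passphrase '' "$@"; }

# build_keys_file: write a file shaped like Apache's KEYS (made-up content):
# an armored public key block surrounded by prose. gpg --import reads only
# the BEGIN/END PGP PUBLIC KEY BLOCK section and ignores the rest.
build_keys_file() {
  g "$SIGNER" --quick-generate-key 'Example Signer <signer@example.invalid>' ed25519 sign 0
  {
    echo "This file contains the PGP keys of example release managers."
    echo "Text outside the armor block is ignored by gpg --import."
    g "$SIGNER" --armor --export signer@example.invalid
    echo "Trailing note, also ignored."
  } > "$WORK/KEYS"
  echo "$WORK/KEYS"
}

# sign_release FILE: the release manager produces the detached, armored
# signature FILE.asc, which is what sits next to each tarball on the site.
sign_release() {
  g "$SIGNER" --yes --local-user signer@example.invalid --armor --detach-sign \
    --output "$1.asc" "$1"
  echo "$1.asc"
}

# import_keys FILE: the downloader imports KEYS (the step from the post);
# prints how many public keys the downloader's keyring holds afterwards.
import_keys() {
  g "$DOWNLOADER" --import "$1"
  g "$DOWNLOADER" --with-colons --list-keys | grep -c '^pub:'
}

# fingerprint_of HOMEDIR NAME: primary-key fingerprint, the value to compare
# against what KEYS / the download page publish.
fingerprint_of() {
  g "$1" --with-colons --list-keys "$2" | awk -F: '$1=="fpr"{print $10; exit}'
}

# verify_release FILE SIG EXPECTED_FPR: succeed only if the signature is valid
# AND was made by the expected key. VALIDSIG carries the signing (sub)key
# fingerprint in field 3 and the primary key fingerprint in field 12.
verify_release() {
  gpg --homedir "$DOWNLOADER" --batch --no-tty --status-fd 1 --verify "$2" "$1" 2>/dev/null \
    | awk -v want="$3" '$2=="VALIDSIG" && ($3==want || $12==want){ok=1} END{exit ok?0:1}'
}

# Walk through the procedure end to end.
KEYS=$(build_keys_file)
printf 'constructed stand-in for apache-tomcat-9.0.x.tar.gz\n' > "$WORK/release.tar.gz"
SIG=$(sign_release "$WORK/release.tar.gz")
import_keys "$KEYS" >/dev/null
EXPECTED=$(fingerprint_of "$SIGNER" signer@example.invalid)

if verify_release "$WORK/release.tar.gz" "$SIG" "$EXPECTED"; then
  echo "release.tar.gz: good signature from $EXPECTED"
fi
cp "$WORK/release.tar.gz" "$WORK/tampered.tar.gz"
printf 'x' >> "$WORK/tampered.tar.gz"
if verify_release "$WORK/tampered.tar.gz" "$SIG" "$EXPECTED"; then
  echo "tampered.tar.gz: unexpectedly verified"
else
  echo "tampered.tar.gz: signature rejected"
fi
```

For the real thing, replace the generated KEYS and release files with https://www.apache.org/dist/tomcat/tomcat-9/KEYS and the tarball plus its .asc from the download page, and set EXPECTED to the fingerprint of the release manager's key as printed in KEYS. Verifying against an empty, dedicated --homedir rather than the personal keyring makes it obvious which key actually signed the file.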