Sorry, I meant missing public key, not private key. I checked the public key fingerprints in the Dockerfile vs what's in Apache KEYS, and David has 2 public keys on KEYS but only one of them is in the Dockerfile fingerprints list. I've added the newer one and sig verification is working now.
Sorted! Thanks

--
Sent from: http://tomee-openejb.979440.n4.nabble.com/TomEE-Dev-f982480.html
