I just downloaded Tomcat 3.2.3 and before even attempting to build it
I have a problem: it appears that the signature on
jakarta-tomcat-3.2.3-src.tar.gz doesn't match any of the Apache
developer signatures in the KEYS file distributed at
http://www.apache.org/dist/

(It also appears that someone else pointed out this very same problem
a while back, but I didn't see any replies in the mailing list
archives, so I'll inquire again).

I'm using GnuPG 1.0.6 on FreeBSD 4.3 to attempt to check the
signature.

asc@mauinui: ~> gpg /tmp/jakarta-tomcat-3.2.3-src.tar.gz.asc
gpg: Signature made Tue Jul 17 07:38:39 2001 HST using DSA key ID 45ABB45D
gpg: Can't check signature: public key not found

asc@mauinui: ~> gpg --import KEYS
gpg: key 2719AF35: not changed
gpg: key A99F75DD: not changed
gpg: key A0BB71C1: not changed
gpg: key 08C975E5: not changed
gpg: key DD919C31: not changed
gpg: key 940A64BD: not changed
gpg: key 631B5749: not changed
gpg: key 49A563D9: not changed
gpg: key 2F90A69D: not changed
gpg: key BA20321D: no valid user IDs
gpg: this may be caused by a missing self-signature
gpg: key 26BB437D: not changed
gpg: key 45B91DF1: no valid user IDs
gpg: this may be caused by a missing self-signature
gpg: key 163751F5: not changed
gpg: key EE65E321: not changed
gpg: key FDE534D1: not changed
gpg: key EC140B81: not changed
gpg: key F08E012A: not changed
gpg: key F88341D9: not changed
gpg: key 28AA55C5: not changed
gpg: key C808A7BF: not changed
gpg: key 00ADEBF5: not changed
gpg: key 62C48B29: not changed
gpg: key 10FDE075: not changed
gpg: Total number processed: 23
gpg:           w/o user IDs: 2
gpg:              unchanged: 21

Maybe I'm overly paranoid, but I can't help thinking about the
not-too-long-ago compromise of the Apache.org site.  Any suggestions
for how to remedy this problem?

Thanks-

Aaron
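
The session in the message above can be triaged mechanically. The following is an added example, not part of the original post and not Apache or GnuPG code: it decides whether the signing key is in the keyring, listed in KEYS but skipped on import, or not in KEYS at all. The function names are hypothetical, the sample input is trimmed from the session quoted in the post, and the GnuPG 1.x message format shown there is assumed.

```shell
#!/bin/sh
# Added example: triage a "public key not found" result using only gpg's
# text output (message format assumed to match the session in the post).

# Read `gpg file.asc` output on stdin; print the signing key ID, if any.
sig_key_id() {
    sed -n 's/^gpg: Signature made .* key ID \([0-9A-Fa-f]\{8,16\}\)[[:space:]]*$/\1/p' |
        head -n 1
}

# Classify key ID $1 against `gpg --import KEYS` output read from stdin:
#   imported - key is listed and gpg accepted it into the keyring
#   rejected - key is listed but gpg skipped it (no valid user IDs)
#   absent   - key does not appear in the KEYS file at all
classify_key() {
    awk -v id="$1" '
        BEGIN { state = "absent" }
        $1 == "gpg:" && $2 == "key" && toupper($3) == (toupper(id) ":") {
            state = ($0 ~ /no valid user IDs/) ? "rejected" : "imported"
        }
        END { print state }'
}

# $1 = verification output, $2 = import output; prints "<key id> <state>".
triage() {
    id=$(printf '%s\n' "$1" | sig_key_id)
    printf '%s %s\n' "$id" "$(printf '%s\n' "$2" | classify_key "$id")"
}

# Sample input: lines trimmed from the session quoted in the post.
VERIFY_OUT="gpg: Signature made Tue Jul 17 07:38:39 2001 HST using DSA key ID 45ABB45D
gpg: Can't check signature: public key not found"
IMPORT_OUT="gpg: key 2719AF35: not changed
gpg: key BA20321D: no valid user IDs
gpg: this may be caused by a missing self-signature
gpg: key 45B91DF1: no valid user IDs
gpg: this may be caused by a missing self-signature
gpg: key 10FDE075: not changed"

triage "$VERIFY_OUT" "$IMPORT_OUT"
```

An `absent` result says nothing about the tarball itself: the signer's public key still has to be obtained, and its fingerprint confirmed through a channel other than the download site, before the signature can be checked.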
