2016-04-20 10:23 GMT+03:00 Martijn Bos <mart...@maboc.nl>:
> Hi Konstantin,
>
> On 2016-04-20 01:25:25, Konstantin Kolinko wrote:
>> 2016-04-19 23:00 GMT+03:00 Martijn Bos <mart...@maboc.nl>:
>> > Hi all,
>> >
>> > (I post in this list since I downloaded from tomcat.apache.org. If there 
>> > is a more appropriate list, of course I will try over there)
>> >
>> > 1 - Downloaded the taglibs from 
>> > http://tomcat.apache.org/download-taglibs.cgi#Standard-1.2.5
>>
>> The "verify" word on above page links to a detailed instruction,
>> https://www.apache.org/info/verification.html
>>
>> > 2 - Downloaded the PGP signatures for the files
>> > 2 - Downloaded KEYS. (The pgp public keys from the releaser(s)  of the 
>> > files)
>> > 3 - Imported the keys into gpg:
>> > martijn@radijs:~/external_documents/Downloads$ gpg --import KEYS
>> > gpg: sleutel A7A0233C: publieke sleutel "Jeremy Boynes 
>> > <jboy...@apache.org>" geïmporteerd
>> > gpg:           Totaal aantal verwerkt: 1
>> > gpg:                     geïmporteerd: 1  (RSA: 1)
>> > martijn@radijs:~/external_documents/Downloads$
>> >
>> > 4 - checked the signature of the downloaded files:
>> > martijn@radijs:~/external_documents/Downloads$ gpg 
>> > taglibs-standard-impl-1.2.5.jar.asc
>>
>> The above verification command is wrong. You must specify 2 file
>> arguments to gpg --verify.  See the verification.html page that I
>> mentioned above.
>>
>
> Thank you. I didn't read the page in the first place, because I thought I 
> knew it all :-(
> (Once again I'm proven wrong)
>
> However (call me stubborn), as far as I understand, in this case my way is not 
> wrong per se.
> The verify is with a detached signature. gpg can deduce (and find) the name 
> of the file, which was signed, from the name of the detached signature.
>
> Below I copy/pasted the same verification with 1 and with 2 arguments. To me 
> the results look the same.
>
> (If the signature and the file name do not match, then my approach will not 
> work at all, of course)
>
>> > gpg: gegevens in `taglibs-standard-impl-1.2.5.jar' worden verondersteld 
>> > ondertekend te zijn
>> > gpg: Ondertekening gemaakt op di 10 mrt 2015 17:11:32 CET met RSA 
>> > sleutel-ID A7A0233C
>> > gpg: Goede handtekening van "Jeremy Boynes <jboy...@apache.org>"
>> > gpg: Noot: Deze sleutel is vervallen!
>> > Vingerafdruk van de primaire sleutel: 8B46 CA49 EF48 37B8 C7F2  92DA A54A 
>> > D08E A7A0 233C
>> >
>> > It's in Dutch :-)
>>
>> Executing the below command before the above one should switch it to English.
>> LANG=C
>>
>> Maybe it also needs export LANG, I do not remember.
>>
>
> The moment I read your comment I thought: "Could've done that myself"
>
> So ... now in English, so everyone can read it:
>
>
> martijn@radijs:~/external_documents/Downloads$ export LANG=C
> martijn@radijs:~/external_documents/Downloads$ gpg --verify 
> taglibs-standard-compat-1.2.5.jar.asc
> gpg: assuming signed data in `taglibs-standard-compat-1.2.5.jar'
> gpg: Signature made Tue Mar 10 17:11:38 2015 CET using RSA key ID A7A0233C
> gpg: Good signature from "Jeremy Boynes <jboy...@apache.org>"
> gpg: Note: This key has expired!
> Primary key fingerprint: 8B46 CA49 EF48 37B8 C7F2  92DA A54A D08E A7A0 233C
> martijn@radijs:~/external_documents/Downloads$
>
>
> And with the signed file as a second argument:
>
> martijn@radijs:~/external_documents/Downloads$ gpg --verify 
> taglibs-standard-compat-1.2.5.jar.asc taglibs-standard-compat-1.2.5.jar
> gpg: Signature made Tue Mar 10 17:11:38 2015 CET using RSA key ID A7A0233C
> gpg: Good signature from "Jeremy Boynes <jboy...@apache.org>"
> gpg: Note: This key has expired!
> Primary key fingerprint: 8B46 CA49 EF48 37B8 C7F2  92DA A54A D08E A7A0 233C
> martijn@radijs:~/external_documents/Downloads$

There was a blog post, explaining the difference.
See a link here:
https://bz.apache.org/bugzilla/show_bug.cgi?id=57103#c6

The issue is that your goal is to verify the integrity of the "jar" file.
The 1-arg invocation validates the integrity of the "asc" file. Whether that
result says anything about the jar depends on what the asc file is.
You may be fooled into a false positive.

The difference between the two invocations is the following line:

> gpg: assuming signed data in `taglibs-standard-compat-1.2.5.jar'

It is good that it is printed, but it is easy to miss the case when
that line is missing.


>> > The message is telling me that the file is signed by key A7A0233C
>> > (I never did sign this key myself..there is no trust..so gpg also tells me 
>> > that)
>> > Then gpg tells me "This key is expired"!!!
>> >
>> > I'm not sure what to think of this... Is this a problem, or am I just too 
>> > paranoid?
>> >
>> > Can anyone shine his/her light on this?
>>
>>
>> $ gpg --list-keys A7A0233C
>>
>> pub   2048R/A7A0233C 2012-02-25 [expired: 2016-02-25]
>> uid                  Jeremy Boynes <jboy...@apache.org>
>>
>>
>> 1. Binaries released and signed before February 2016 are OK.
>>
>
> Thanks, ultimately, that is what I wanted to know :-)
>
>
>> 2. Jeremy needs to do something with his key before signing a next
>> release (if there ever is one).
>> As said elsewhere, it is possible to change the expiration date of a key
>> without the need to generate a new one,
>>
>
> Should I contact Jeremy? Is he reading this list?
> (Or is this of such low concern, that I should not bother?)

He may be reading this, but most recent e-mails from him in my mailbox
of these mailing lists are dated Oct 2015.

I added an item into bugzilla, for better visibility.
https://bz.apache.org/bugzilla/show_bug.cgi?id=59359

Best regards,
Konstantin Kolinko
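The two points made in this reply (always name the signature and the data file explicitly, and treat a signature from the since-expired key as acceptable only if it was made before the expiry) can be mechanised. The script below is an added example, not code from the thread or from the Apache project; the status-fd lines it parses are a constructed sample modelled on the output quoted above, and the exact KEYEXPIRED timestamp is an assumption.

```python
import subprocess

# Fingerprint quoted in the thread for key A7A0233C, spaces removed. Pin it from a
# source other than the download mirror (e.g. KEYS fetched over HTTPS from apache.org).
EXPECTED_FPR = "8B46CA49EF4837B8C7F292DAA54AD08EA7A0233C"

# Constructed sample of gpg --status-fd output for the case in the thread: a good
# signature made in March 2015 by a key that expired in Feb 2016 (expiry ts assumed).
SAMPLE_STATUS = """[GNUPG:] KEYEXPIRED 1456358400
[GNUPG:] EXPKEYSIG A54AD08EA7A0233C Jeremy Boynes <jboy...@apache.org>
[GNUPG:] VALIDSIG 8B46CA49EF4837B8C7F292DAA54AD08EA7A0233C 2015-03-10 1426003898 0 4 0 1 2 00 8B46CA49EF4837B8C7F292DAA54AD08EA7A0233C
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

def verify_command(sig_path: str, data_path: str) -> list:
    """Build the two-argument form; the one-argument form only verifies the .asc."""
    if not data_path:
        raise ValueError("refusing one-argument gpg --verify: name the data file")
    return ["gpg", "--status-fd", "1", "--verify", sig_path, data_path]

def judge(status_output: str, expected_fpr: str) -> dict:
    """Decide from machine-readable status lines, not from 'Good signature' text."""
    validsig = None
    key_expired_at = None
    failed = False
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1]
        if keyword == "VALIDSIG":
            # fpr, sig_date, sig_ts, expire_ts, ver, reserved, pkalgo, hashalgo, class, primary_fpr
            validsig = fields[2:]
        elif keyword == "KEYEXPIRED":
            key_expired_at = int(fields[2])
        elif keyword in ("BADSIG", "ERRSIG", "NODATA", "NO_PUBKEY"):
            failed = True
    if failed or validsig is None:
        return {"ok": False, "reason": "no valid signature found"}
    primary = validsig[9] if len(validsig) > 9 else validsig[0]
    if primary.upper() != expected_fpr.upper():
        return {"ok": False, "reason": "signed by unexpected key " + primary}
    if key_expired_at is not None and int(validsig[2]) >= key_expired_at:
        return {"ok": False, "reason": "signature made after the key expired"}
    return {"ok": True, "reason": "good signature from the pinned key"}

def verify_file(sig_path: str, data_path: str, expected_fpr: str = EXPECTED_FPR) -> dict:
    # Needs gpg installed and the signer's key imported; status lines go to stdout.
    proc = subprocess.run(verify_command(sig_path, data_path), capture_output=True, text=True)
    return judge(proc.stdout, expected_fpr)
```

`judge(SAMPLE_STATUS, EXPECTED_FPR)` accepts the March 2015 signature despite the expired key, while the same status with a signature timestamp after the expiry is rejected.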