|Index > Development > Verifying Apache Geronimo Releases||User List | Dev List | Wiki | Issue Tracker|
Verifying Geronimo Releases
All official releases of code distributed by the Apache Geronimo Project are signed by the release manager for the release. PGP signatures and MD5 hashes are available along with the distribution.
You should download the PGP signatures and MD5 hashes directly from the Apache Software Foundation rather than our mirrors. This is to help ensure the integrity of the signature files. However, you are encouraged to download the releases from our mirrors. (Our download page points you at the mirrors for the release and the official site for the signatures, so this happens automatically for you.)
The following example details how signature interaction works. In this example, it is assumed that you already have downloaded
First, we will check the detached signature
We don't have the release manager's public key (A46C4CA1) in our local system. You now need to retrieve the public key from a key server. One popular server is
In this example, you have now received a public key for an entity known as 'Matt Hogstrom <email@example.com>' However, you have no way of verifying this key was created by the person known as Matt Hogstrom. But, let's try to verify the release signature again.
At this point, the signature is good, but we don't trust this key. A good signature means that the file has not been tampered. However, due to the nature of public key cryptography, you need to additionally verify that key A46C4CA1 was created by the real Matt Hogstrom.
Any attacker can create a public key and upload it to the public key servers. They can then create a malicious release signed by this fake key. Then, if you tried to verify the signature of this corrupt release, it would succeed because the key was not the 'real' key. Therefore, you need to validate the authenticity of this key.
Validating Authenticity of a Key
You may download public keys for the Apache Geronimo developers from our website or retrieve them off the public PGP keyservers (see above). However, importing these keys is not enough to verify the integrity of the signatures. If a release verifies as good, you need to validate that the key was created by an official representative of the Apache Geronimo Project.
The crucial step to validation is to confirm the key fingerprint of the public key.
A good start to validating a key is by face-to-face communication with multiple government-issued photo identification confirmations. However, each person is free to have their own standards for determining the authenticity of a key. Some people are satisfied by reading the key signature over a telephone (voice verification). For more information on determining what level of trust works best for you, please read the GNU Privacy Handbook section on Validating other keys on your public keyring.
Most of the Apache Geronimo developers have attempted to sign each others' keys (usually with face-to-face validation). Therefore, in order to enter the web of trust, you should only need to validate one person in our web of trust. (Hint: all of our developers' keys are in the KEYS file.)
Since the developers are usually quite busy, you may not immediately find success in someone who is willing to meet face-to-face (they may not even respond to your emails because they are so busy!). If you do not have a developer nearby or have trouble locating a suitable person, please send an email to the address of the key you are attempting to verify. They may be able to find someone who will be willing to validate their key or arrange alternate mechanisms for validation.
Once you have entered the web of trust, you should see the following upon verifying the signature of a release.