Edit Page
 Index > Development > Verifying Apache Geronimo Releases User List | Dev List | Wiki | Issue Tracker  
News Archive
Project Management
Privacy Policy
Powered by Google Search
Get Involved
Mailing Lists
Discussion Forums
Found a Bug?
Security Reports
Service and Support
ASF Sponsorship
ASF Thanks!
XML Schemas
Source Code
Coding Standards
Issue Tracker
Related Projects
Release Roadmaps
Development Tools
Sample Applications
Java EE Specs
RSS News
RSS Site Changes
ATOM User Mailing List
ATOM Developer Mailing List

Verifying Geronimo Releases

All official releases of code distributed by the Apache Geronimo Project are signed by the release manager for the release. PGP signatures and MD5 hashes are available along with the distribution.

You should download the PGP signatures and MD5 hashes directly from the Apache Software Foundation rather than our mirrors. This is to help ensure the integrity of the signature files. However, you are encouraged to download the releases from our mirrors. (Our download page points you at the mirrors for the release and the official site for the signatures, so this happens automatically for you.)

Checking Signatures

The following example details how signature interaction works. In this example, it is assumed that you already have downloaded geronimo-tomcat-j2ee-1.1.tar.gz (the release) and geronimo-tomcat-j2ee-1.1.tar.gz.asc (the detached signature).

This example uses The GNU Privacy Guard. Any OpenPGP-compliant program should work successfully.

First, we will check the detached signature geronimo-tomcat-j2ee-1.1.tar.gz.asc against our release geronimo-tomcat-j2ee-1.1.tar.gz.

% gpg geronimo-tomcat-j2ee-1.1.tar.gz.asc
gpg: Signature made Mon Jun 26 15:26:36 2006 AUSEST using DSA key ID A46C4CA1
gpg: Can't check signature: public key not found

We don't have the release manager's public key (A46C4CA1) in our local system. You now need to retrieve the public key from a key server. One popular server is pgpkeys.mit.edu (which has a web interface). The public key servers are linked together, so you should be able to connect to any key server.

% gpg --keyserver pgpkeys.mit.edu --recv-key A46C4CA1
gpg: requesting key A46C4CA1 from hkp keyserver pgpkeys.mit.edu
gpg: trustdb created
gpg: key A46C4CA1: public key "Matt Hogstrom <hogstrom@apache.org>" imported
gpg: Total number processed: 1
gpg: imported: 1

In this example, you have now received a public key for an entity known as 'Matt Hogstrom <hogstrom@apache.org>' However, you have no way of verifying this key was created by the person known as Matt Hogstrom. But, let's try to verify the release signature again.

% gpg geronimo-tomcat-j2ee-1.1.tar.gz.asc
gpg: Signature made Mon Jun 26 15:25:36 2006 AUEST using DSA key ID A46C4CA1
gpg: Good signature from "Matt Hogstrom <hogstrom@apache.org>"
gpg: checking the trustdb
gpg: no ultimately trusted keys found
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Fingerprint: 9056 B710 F1E3 3278 0DE7 AF34 CBAE BE39 A46C 4CA1

At this point, the signature is good, but we don't trust this key. A good signature means that the file has not been tampered. However, due to the nature of public key cryptography, you need to additionally verify that key A46C4CA1 was created by the real Matt Hogstrom.

Any attacker can create a public key and upload it to the public key servers. They can then create a malicious release signed by this fake key. Then, if you tried to verify the signature of this corrupt release, it would succeed because the key was not the 'real' key. Therefore, you need to validate the authenticity of this key.

Validating Authenticity of a Key

You may download public keys for the Apache Geronimo developers from our website or retrieve them off the public PGP keyservers (see above). However, importing these keys is not enough to verify the integrity of the signatures. If a release verifies as good, you need to validate that the key was created by an official representative of the Apache Geronimo Project.

The crucial step to validation is to confirm the key fingerprint of the public key.

% gpg --fingerprint A46C4CA1
pub 1024D/A46C4CA1 2006-01-05
Key fingerprint = 9056 B710 F1E3 3278 0DE7 AF34 CBAE BE39 A46C 4CA1
uid Matt Hogstrom <hogstrom@apache.org>
sub 2048g/2FD8C3E0 2006-01-05

A good start to validating a key is by face-to-face communication with multiple government-issued photo identification confirmations. However, each person is free to have their own standards for determining the authenticity of a key. Some people are satisfied by reading the key signature over a telephone (voice verification). For more information on determining what level of trust works best for you, please read the GNU Privacy Handbook section on Validating other keys on your public keyring.

Most of the Apache Geronimo developers have attempted to sign each others' keys (usually with face-to-face validation). Therefore, in order to enter the web of trust, you should only need to validate one person in our web of trust. (Hint: all of our developers' keys are in the KEYS file.)

Since the developers are usually quite busy, you may not immediately find success in someone who is willing to meet face-to-face (they may not even respond to your emails because they are so busy!). If you do not have a developer nearby or have trouble locating a suitable person, please send an email to the address of the key you are attempting to verify. They may be able to find someone who will be willing to validate their key or arrange alternate mechanisms for validation.

Once you have entered the web of trust, you should see the following upon verifying the signature of a release.

% gpg geronimo-tomcat-j2ee-1.1.tar.gz.asc
gpg: Signature made Mon Jun 26 15:25:36 2006 AUEST using DSA key ID A46C4CA1
gpg: Good signature from "Matt Hogstrom <hogstrom@apache.org>"