I attempted to verify the release with gpg and get:
[C:/kmarsden/projects/10.4.2.0] gpg --verify db-derby-10.4.2.0-bin.zip.asc
gpg: Signature made 08/26/08 06:59:54 using DSA key ID 98E21827
gpg: Good signature from "Rick Hillegas <[EMAIL PROTECTED]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the
owner.
Primary key fingerprint: 8F57 86E6 ED0B D91C 1BB8 36FD 3D8B 00E1 98E2 1827
I see in the KEYS file that it doesn't look like Rick's key has been
signed by anyone.
pub 1024D/98E21827 2006-02-04
uid Rick Hillegas <[EMAIL PROTECTED]>
sig 3 98E21827 2006-02-04 Rick Hillegas <[EMAIL PROTECTED]>
sub 2048g/EA8075A5 2006-02-04
sig 98E21827 2006-02-04 Rick Hillegas <[EMAIL PROTECTED]>
-----BEGIN PGP PUBLIC KEY BLOCK----
...