Kuppitz, just thought I'd start a fresh thread for this GPG issue. I've been reading a bit about how to validate the authenticity of a key, and it seems like a reasonable level of validation would be to verify the key against the list of Apache committers:
https://people.apache.org/keys/committer/

I guess validate-distribution.sh does that in a sense by allowing through certain keys by hardcoding known ones directly into the shell script. Maybe just leave it like that and we just add new keys as needed? Or is it easy to alter the validate-distribution.sh script to verify the key against that link above?