Hello all, Just ran into a small problem and struggled to find the solution. I even got Bill Rowe, Jr. involved, and on his suggestion I am emailing you all to explain it.
I recently had a need to get a web server running on my personal pc for testing. As I started to use Apache somewhere around 1995 and have served countless pages with it over the years, I naturally went to the site to grab a copy. I got the latest version of the Windows XP (don't boo me, but I haven't run Linux in a few years at home - sorry) binary. I also grabbed the ascii signature and the pgp key file from the main distribution site, as instructed. As I also haven't used pgp in years, I went out first and grabbed a copy of GnuPG and installed it. Now the Apache Download page states "The PGP signatures can be verified using PGP or GPG. First download the KEYS <http://www.apache.org/dist/httpd/KEYS> as well as the ascsignature file for the relevant distribution. Make sure you get these files from the main distribution directory<http://www.apache.org/dist/httpd/>, rather than from a mirror. Then verify the signatures using % gpg --import KEYS % gpg --verify apache_1.3.24.tar.gz.asc - httpd-2.2.4.tar.gz is signed by William Rowe 10FDE075 - httpd-2.0.59.tar.gz is signed by William Rowe 10FDE075 - httpd-1.3.37.tar.gz is signed by William Rowe 10FDE075" I followed the directions (except I was running the Windows version of GnuGP so followed in the gui way). But, everytime I tried to verify the signature I would be told, literally that the signature was "bad" though it showed the correct Key ID and User (William Rowe). So, I wrote to Bill and asked him, very politely, if he had seen anything like this. He wrote back and said he didn't know GnuPG and had used PGP and perhaps the problem was there. So, I went out and got a copy of PGP Desktop from their sight and redid the signature verification process. This time, I it declared the apache_2.2.4-win32-x86-no_ssl.msi.asc verification file had an "invalid key". I was lost, so I sent Bill a couple of screen shots and let him know again what I was seeing (he is so kind to help a guy out so readily). Well, while I was waiting to see if Bill had any suggestions, I poked around with things. I upped his trust level, but that didn't clear the problem (and isn't recommended without meeting and getting to know a person). Then, just for kicks, I signed my signature on his key in my key file. Surprise! That cleared the problem. Not intuitive to me, but understandable in hind sight. Well, I wrote another quick note to Bill and he replied with the following: "I notice it says bad key, not bad signature. Interesting. It's a web of trust, now that you trust me, you trust those who's keys I've signed. Since you trusted nobody, you had no trust link to me. The instructions probably deserve another look, perhaps ping the list [email protected] to explain your story and ask for some clarification be added to those instructions :) Bill" Which is why I am writing. Hope it helps. Russ Austin [EMAIL PROTECTED] -- "The fruits of the Holy Spirit are Love, Joy, Peace, Patience, Kindness, Goodness, Faithfulness, Gentleness and Self-Control. Against these there is no law." The Holy Spirit
