I could not verify the checksums or PGP signatures after downloading the following packages (using the mirror recommended to me by the script):
http://www.mirrorservice.org/sites/ftp.apache.org/geronimo/1.0/geronimo-jetty-j2ee-1.0.tar.gz http://www.mirror.ac.uk/mirror/ftp.apache.org/geronimo/1.0/geronimo-tomcat-j2ee-1.0.tar.gz e.g. for geronimo-tomcat-j2ee-1.0.tar.gz the SHA1 checksum at: http://www.apache.org/dist/geronimo/1.0/geronimo-tomcat-j2ee-1.0.tar.gz.sha is: 7a75e6f076d919f8175980fe7d38421ee87c9910 however the generated SHA1 checksum (sha1sum --version giving "shasum (coreutils) 5.2.1") is: 903bbd480f432a82c35de38159c1a89221fd587c the PGP signature from: http://www.apache.org/dist/geronimo/1.0/geronimo-tomcat-j2ee-1.0.tar.gz.asc is: -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (GNU/Linux) iD8DBQBDva7e+4xOrf6bkrsRAkN4AJ91KzHQBkr3w2NqB+IpYPAq84m/zgCfYMFs TLlG1Jdm0VYXt4QNLpNpFgc= =m+BA -----END PGP SIGNATURE----- verifying: $ gpg --verify geronimo-tomcat-j2ee-1.0.tar.gz.asc gpg: Signature made Thu 05 Jan 2006 23:42:22 GMT using DSA key ID FE9B92BB gpg: Can't check signature: public key not found the key ID FE9B92BB is not present in the keys file at: http://cvs.apache.org/dist/geronimo/KEYS and I could not find it on either of two keyservers I checked, so I am unable to verify the signature. I have downloaded the packages from several different mirrors and checked them on two different client machines, with the same result. -- Alex D. Baxter <mailto:[EMAIL PROTECTED]> CTSU x3855 - external (+44) 01865 743855
