Hello,

On the header of the download page on https://jmeter.apache.org/download_jmeter.cgi they advise me to verify the integrity. I have no web of trust yet, so I tried to figure out who already signed the public key of the tgz file of the binary on the download page.

The public key C4923F9ABFB2F1A06F08E88BAC214CAA0612B399 is a self-signed key, and if I do a lookup of the KEYS file on the download page (https://www.apache.org/dist/jmeter/KEYS), there is only 1 self-signed key inside, from that same person. All other public keys from developers mentioned in that KEYS file do not seem to be valid public keys if you input them with "gpg --list-sig". Am I misinterpreting the file or the commands?

Also, when verifying both fingerprint and email address on the server (https://keys.openpgp.org), they do not return anything.

Example output of the public key of the signature of the binary tgz file of JMeter:

gpg --list-sig 0612B399
pub   rsa4096 2010-08-14 [SC]
      C4923F9ABFB2F1A06F08E88BAC214CAA0612B399
uid           [ unknown] Milamber (ASF) <milam...@apache.org>
sig 3        AC214CAA0612B399 2010-09-26  [self-signature]
uid           [ unknown] Milamber (Milamberspace) <milambersp...@gmail.com>
sig 3        AC214CAA0612B399 2010-09-26  [self-signature]
sub   rsa4096 2010-08-14 [E]
sig          AC214CAA0612B399 2010-08-14  [self-signature]

Example output of any of the other public keys mentioned in the KEYS file:

gpg --list-sig 4FAD5F62
gpg: error reading key: No public key
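The two checks the question is working towards, written out as an added example (this is not from the original post or from the JMeter project): a function that imports the project's KEYS file and verifies the detached .asc signature against the tarball, refusing anything not made by the expected fingerprint, and a helper that reads `gpg --list-sig` output and counts signatures made by keys other than the listed key itself, which is the "has anyone else vouched for this key" question. The fingerprint is the one quoted above; the KEYS, tarball and .asc filenames are placeholders; `gpg --list-sig` only consults the local keyring, so the count helper is meant to run after `gpg --import KEYS`. The sample output fed to the helper at the bottom is the question's own listing, reflowed.

```shell
#!/bin/sh
# Added example (not JMeter project code): verify a release tarball against the
# project's KEYS file and measure how many non-self signatures the signing key has.
# Assumes gpg is installed. Filenames passed to verify_release are placeholders.
set -eu

# Fingerprint of the release-signing key, as quoted in the question.
EXPECTED_FPR="C4923F9ABFB2F1A06F08E88BAC214CAA0612B399"

# verify_release KEYS_FILE TARBALL SIGNATURE_ASC
#   1. import the KEYS file the project publishes into the local keyring
#   2. check the detached signature over the tarball
#   3. refuse a "good" signature that was not made by the expected key
verify_release() {
    keys="$1"; tarball="$2"; sig="$3"
    gpg --import "$keys" >/dev/null 2>&1
    # --status-fd 1 emits machine-readable lines; VALIDSIG only appears when
    # the signature is cryptographically good, and its last field is the
    # fingerprint of the primary key (same as field 3 unless a subkey signed).
    status=$(gpg --status-fd 1 --verify "$sig" "$tarball" 2>/dev/null) || {
        echo "BAD: signature over $tarball does not verify" >&2; return 1; }
    fpr=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG/ { print $NF; exit }')
    if [ "$fpr" = "$EXPECTED_FPR" ]; then
        echo "OK: $tarball signed by $fpr"
    else
        echo "BAD: signed by '${fpr:-<none>}', expected $EXPECTED_FPR" >&2
        return 1
    fi
}

# foreign_sig_count < output-of-gpg-list-sig
# Prints the number of "sig" lines that are not tagged [self-signature].
# 0 means the key carries nothing but its own signatures, i.e. no web of trust yet.
foreign_sig_count() {
    awk '
        /^sig/ && $0 !~ /\[self-signature\]/ { n++ }
        END { print n + 0 }
    '
}

# Constructed sample: the --list-sig output quoted in the question, reflowed.
SAMPLE='pub   rsa4096 2010-08-14 [SC]
      C4923F9ABFB2F1A06F08E88BAC214CAA0612B399
uid           [ unknown] Milamber (ASF) <milam...@apache.org>
sig 3        AC214CAA0612B399 2010-09-26  [self-signature]
uid           [ unknown] Milamber (Milamberspace) <milambersp...@gmail.com>
sig 3        AC214CAA0612B399 2010-09-26  [self-signature]
sub   rsa4096 2010-08-14 [E]
sig          AC214CAA0612B399 2010-08-14  [self-signature]'

# Stand-alone run: report the count for the sample (prints 0 for this listing).
printf '%s\n' "$SAMPLE" | foreign_sig_count
```

Usage on a real download would be `verify_release KEYS apache-jmeter-<version>.tgz apache-jmeter-<version>.tgz.asc` followed by `gpg --list-sig 0612B399 | foreign_sig_count`. The verify step deliberately checks the fingerprint rather than just gpg's "Good signature" line, because a KEYS file imports several keys and a good signature from the wrong one should still fail.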