You either need to

1. import KEYS<https://downloads.apache.org/jmeter/KEYS>
2. or switch to SHA-512<https://www.apache.org/info/verification.html>, it doesn't require a lot of extra software:

root@4502ac2a2fa4:/# wget -q https://www.apache.org/dist/jmeter/binaries/apache-jmeter-5.6.3.tgz.sha512
root@4502ac2a2fa4:/# wget -q https://www.apache.org/dist/jmeter/binaries/apache-jmeter-5.6.3.tgz
root@4502ac2a2fa4:/# cat apache-jmeter-5.6.3.tgz.sha512
5978a1a35edb5a7d428e270564ff49d2b1b257a65e17a759d259a9283fc17093e522fe46f474a043864aea6910683486340706d745fcdf3db1505fd71e689083 *apache-jmeter-5.6.3.tgz
root@4502ac2a2fa4:/# sha512sum apache-jmeter-5.6.3.tgz
5978a1a35edb5a7d428e270564ff49d2b1b257a65e17a759d259a9283fc17093e522fe46f474a043864aea6910683486340706d745fcdf3db1505fd71e689083 apache-jmeter-5.6.3.tgz

And last but not least, you can use e.g. the JMeter Maven Plugin<https://www.blazemeter.com/blog/how-use-jmeter-maven-plugin> or the Taurus<https://gettaurus.org/> tool, which download JMeter and check its signature, so you can use it in CI/CD pipelines and not worry about JMeter installation and checking the archives manually.

________________________________
From: Joeri Delvoy <joeri.del...@qity.be>
Sent: Wednesday, April 9, 2025 12:27 PM
To: user@jmeter.apache.org <user@jmeter.apache.org>
Subject: Verification of integrity

Hello,

On the header of the download page on https://jmeter.apache.org/download_jmeter.cgi they advise me to verify the integrity.
I have no web of trust yet, so I tried to figure out who already signed the public key of the tgz file of the binary on the download page.

The public key C4923F9ABFB2F1A06F08E88BAC214CAA0612B399 is a self-signed key, and if I do a lookup of the KEYS file on the download page (https://www.apache.org/dist/jmeter/KEYS), there is only 1 self-signed key inside, from that same person. All other public keys from developers mentioned in that KEYS file do not seem to be valid public keys if you input them with "gpg --list-sig".

Am I misinterpreting the file or the commands?

Also, when verifying both fingerprint and email address on the server (https://keys.openpgp.org), they do not return anything.

Example output of the public key of the signature of the binary tgz file of JMeter:

gpg --list-sig 0612B399
pub rsa4096 2010-08-14 [SC]
C4923F9ABFB2F1A06F08E88BAC214CAA0612B399
uid [ unknown] Milamber (ASF) milam...@apache.org
sig 3 AC214CAA0612B399 2010-09-26 [self-signature]
uid [ unknown] Milamber (Milamberspace) milambersp...@gmail.com
sig 3 AC214CAA0612B399 2010-09-26 [self-signature]
sub rsa4096 2010-08-14 [E]
sig AC214CAA0612B399 2010-08-14 [self-signature]

Example output of any of the other public keys mentioned in the KEYS file:

gpg --list-sig 4FAD5F62
gpg: error reading key: No public key
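
The SHA-512 comparison from the reply above, done by a script instead of by eye, as an added example that is not part of the original thread. The helper name verify_sha512 and the sample file are assumptions made for illustration; the checksum layout is the "<hex> *<filename>" form shown in the reply.

```shell
#!/bin/sh
# Added example (not from the thread): fail-closed SHA-512 check of a download
# against its .sha512 file. verify_sha512 is a hypothetical helper name.
# Return codes: 0 = match, 1 = digest mismatch, 2 = unusable input.

verify_sha512() {
    archive=$1
    sumfile=$2
    [ -f "$archive" ] && [ -f "$sumfile" ] || { echo "missing file" >&2; return 2; }

    # The first field of the first line is the expected digest.
    expected=$(awk 'NR==1 {print tolower($1)}' "$sumfile")

    # Accept only 128 hex characters, so that an HTML error page saved by
    # "wget -q" in place of the checksum file is rejected, not compared.
    case $expected in
        *[!0-9a-f]*|'') echo "malformed checksum file" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 128 ] || { echo "malformed checksum file" >&2; return 2; }

    actual=$(sha512sum "$archive" | awk '{print $1}')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $archive"
        return 0
    fi
    echo "MISMATCH: $archive" >&2
    return 1
}

# Constructed sample input so the block runs offline; in practice pass the
# downloaded .tgz and its .sha512 file.
tmp=$(mktemp -d)
printf 'constructed sample archive\n' > "$tmp/sample.tgz"
printf '%s *sample.tgz\n' "$(sha512sum "$tmp/sample.tgz" | awk '{print $1}')" \
    > "$tmp/sample.tgz.sha512"
verify_sha512 "$tmp/sample.tgz" "$tmp/sample.tgz.sha512"
rm -rf "$tmp"
```

A matching digest shows the download is intact; it does not say who produced the archive, which is what the KEYS and signature check is for.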