2016-04-19 23:00 GMT+03:00 Martijn Bos <mart...@maboc.nl>:
> Hi all,
>
> (I post in this list since I downloaded from tomcat.apache.org. If there is a
> more appropriate list, of course I will try over there)
>
> 1 - Downloaded the taglibs from
> http://tomcat.apache.org/download-taglibs.cgi#Standard-1.2.5

The "verify" word on above page links to a detailed instruction,
https://www.apache.org/info/verification.html

> 2 - Downloaded the PGP signatures for the files
> 2 - Downloaded KEYS. (The pgp public keys from the releaser(s) of the files)
> 3 - Imported the keys into gpg:
> martijn@radijs:~/external_documents/Downloads$ gpg --import KEYS
> gpg: sleutel A7A0233C: publieke sleutel "Jeremy Boynes <jboy...@apache.org>"
> geïmporteerd
> gpg: Totaal aantal verwerkt: 1
> gpg:               geïmporteerd: 1  (RSA: 1)
> martijn@radijs:~/external_documents/Downloads$
>
> 4 - checked the signature of the downloaded files:
> martijn@radijs:~/external_documents/Downloads$ gpg
> taglibs-standard-impl-1.2.5.jar.asc

The above verification command is wrong. You must specify 2 file arguments
to gpg --verify. See the verification.html page that I mentioned above.

> gpg: gegevens in `taglibs-standard-impl-1.2.5.jar' worden verondersteld
> ondertekend te zijn
> gpg: Ondertekening gemaakt op di 10 mrt 2015 17:11:32 CET met RSA sleutel-ID
> A7A0233C
> gpg: Goede handtekening van "Jeremy Boynes <jboy...@apache.org>"
> gpg: Noot: Deze sleutel is vervallen!
> Vingerafdruk van de primaire sleutel: 8B46 CA49 EF48 37B8 C7F2 92DA A54A
> D08E A7A0 233C
>
> It's in Dutch :-)

Executing the below command before the above one should switch it to English.

LANG=C

Maybe it also needs export LANG, I do not remember.

> The message is telling me that the file is signed by key A7A0233C
> (I never did sign this key myself..there is no trust..so gpg also tells me
> that)
> Then gpg tells me "This key is expired"!!!
>
> I'm not sure what to think of this...Is this a problem, or am I just too
> paranoid?
>
> Can anyone shine his/her light on this.

$ gpg --list-keys A7A0233C
pub   2048R/A7A0233C 2012-02-25 [expired: 2016-02-25]
uid                  Jeremy Boynes <jboy...@apache.org>

1. Binaries released and signed before February 2016 are OK.
2. Jeremy needs to do something with his key before signing a next release
(if there ever is one).

As said elsewhere, it is possible to change the expiration date of a key
without needing to generate a new one,
http://unix.stackexchange.com/questions/177291/how-to-renew-an-expired-keypair-with-gpg
http://superuser.com/questions/813421/can-you-extend-the-expiration-date-of-an-already-expired-gpg-key
https://help.riseup.net/en/security/message-security/openpgp/best-practices#use-an-expiration-date-less-than-two-years

Best regards,
Konstantin Kolinko
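The two points raised in the thread, that gpg --verify needs both the signature and the file, and that a "good signature, but the key has since expired" result is fine when the signature predates the expiry, can be checked mechanically. The script below is an added example, not code from the thread or from the Apache project: it runs the correct two-argument verify and classifies the outcome from GnuPG's machine-readable `--status-fd` lines (GOODSIG, EXPKEYSIG, KEYEXPIRED, VALIDSIG, BADSIG), which are locale-independent, so the Dutch-versus-English problem does not arise for a script. The status stream in `sample_status_expired_key` is constructed to mirror the case in the thread (key A7A0233C, signature of 10 March 2015, expiry 25 February 2016); its epoch values are my approximations of those dates, not output copied from a real run.

```shell
#!/bin/sh
# Added example (not from the thread): verify a detached signature with the
# two file arguments verification.html requires, then classify the result
# from gpg's machine-readable "[GNUPG:] ..." status lines.
#
# Verdicts printed by classify_gpg_status:
#   GOOD              good signature by the expected key, key still valid
#   GOOD_KEY_EXPIRED  good signature made while the key was valid; key expired later
#   EXPIRED_AT_SIGN   signature was made after the key had already expired
#   WRONG_KEY         good signature, but not by the fingerprint you expected
#   BAD               signature does not match the file
#   NOSIG             no usable signature in the status stream

classify_gpg_status() {
    # $1 = expected primary-key fingerprint (spaces allowed, as gpg prints it);
    # stdin = status lines as produced by gpg --status-fd.
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
    awk -v want="$want" '
        $1 != "[GNUPG:]"   { next }
        $2 == "GOODSIG"    { good = 1 }
        $2 == "EXPKEYSIG"  { expkey = 1 }               # good sig, key expired
        $2 == "BADSIG"     { bad = 1 }
        $2 == "KEYEXPIRED" { keyexp = $3 + 0 }          # key expiry, epoch secs
        $2 == "VALIDSIG"   { sigts = $5 + 0; pfpr = $12 }  # sig time, primary fpr
        END {
            if (bad)              { print "BAD";       exit }
            if (!good && !expkey) { print "NOSIG";     exit }
            if (pfpr != want)     { print "WRONG_KEY"; exit }
            if (good)             { print "GOOD";      exit }
            if (keyexp > 0 && sigts > 0 && sigts < keyexp) { print "GOOD_KEY_EXPIRED"; exit }
            print "EXPIRED_AT_SIGN"
        }'
}

verify_with_gpg() {
    # $1 = expected fingerprint, $2 = detached signature (.asc), $3 = the file.
    # gpg gets both files; LANG=C keeps the human-readable stderr in English,
    # while the status lines on stdout are what we actually parse.
    LANG=C gpg --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null |
        classify_gpg_status "$1"
}

# Constructed status stream modelled on the thread's case: a signature made on
# 2015-03-10 by key A7A0233C, which expired on 2016-02-25. The epoch values are
# approximations of those dates, not copied from a real gpg run.
sample_status_expired_key() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] KEYEXPIRED 1456358400
[GNUPG:] EXPKEYSIG A54AD08EA7A0233C Jeremy Boynes <jboy...@apache.org>
[GNUPG:] VALIDSIG 8B46CA49EF4837B8C7F292DAA54AD08EA7A0233C 2015-03-10 1426003892 0 4 0 1 2 00 8B46CA49EF4837B8C7F292DAA54AD08EA7A0233C
[GNUPG:] TRUST_UNDEFINED 0 pgp
EOF
}

# Demo on the constructed stream (no gpg needed): prints GOOD_KEY_EXPIRED
sample_status_expired_key | classify_gpg_status "8B46 CA49 EF48 37B8 C7F2 92DA A54A D08E A7A0 233C"
```

For a real download, call `verify_with_gpg "<fingerprint from KEYS>" taglibs-standard-impl-1.2.5.jar.asc taglibs-standard-impl-1.2.5.jar`; the fingerprint comparison is what ties the signature to the KEYS file you fetched from the project, which a bare "Good signature" line does not do on its own.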