how in the heck is it possible to verify the signature of a distribution for apache Tomcat or ant? i've been using GnuPG and it doesn't seem to do the trick, despite warnings all over the apache site to verify files first.
如何能够验证apache Tomcat或ant的分发签名?我一直在使用GnuPG并且似乎没有做到这一点,尽管apache网站上的警告首先要验证文件。
using windows...if that helps.
使用Windows ...如果有帮助。
STEPS:
1) download binary version .exe / .zip / .asc / KEYS file
2) gpg --import KEYS
3) gpg --verify *.asc file
4) the best i can get is a msg. stating
"This key is not certified with a trusted signature!
There is no indication that the signature belongs to the owner." ...and a primary key fingerprint.
步骤:1)下载二进制版本.exe / .zip / .asc / KEYS文件2)gpg --import KEYS 3)gpg --verify * .asc文件4)我能得到的最好的是一个消息。声明“此密钥未通过可信签名认证!没有迹象表明签名属于所有者。” ......和主键指纹。
I assume that is NOT a valid verification.
我认为这不是有效的验证。
1 个解决方案
#1
No, it is valid. It just means you haven't marked the key as trusted. It is difficult (but not impossible) to do safely so.
不,它是有效的。它只是意味着您没有将密钥标记为受信任。安全这样做很困难(但并非不可能)。
Basically, you need to meet the signer themselves and personally verify the fingerprint or (possibly recursively) trust someone else's verification of such.
基本上,您需要自己与签名者见面并亲自验证指纹或(可能是递归地)信任别人对此类的验证。
#1
No, it is valid. It just means you haven't marked the key as trusted. It is difficult (but not impossible) to do safely so.
不,它是有效的。它只是意味着您没有将密钥标记为受信任。安全这样做很困难(但并非不可能)。
Basically, you need to meet the signer themselves and personally verify the fingerprint or (possibly recursively) trust someone else's verification of such.
基本上,您需要自己与签名者见面并亲自验证指纹或(可能是递归地)信任别人对此类的验证。