Bug 57103 - Download page should provide details on how to verify the downloads
Summary: Download page should provide details on how to verify the downloads
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 8
Classification: Unclassified
Component: Documentation
Version: 8.0.x-trunk
Hardware: PC Mac OS X 10.4
Importance: P2 normal
Target Milestone: ----
Assignee: Tomcat Developers Mailing List
URL: http://tomcat.apache.org/download-80.cgi
Keywords:
Depends on:
Blocks:
 
Reported: 2014-10-17 01:06 UTC by Sebb
Modified: 2016-01-05 15:44 UTC
Description Sebb 2014-10-17 01:06:53 UTC
The download page has a section on release integrity but does not detail how to perform the check.

The page should either include the information, or provide a link to a generic page with the info.

[The httpd download page has both]
Comment 1 Konstantin Kolinko 2014-10-17 10:16:03 UTC
The HTTPD page does it wrong.

The following command is seriously broken:
% gpg --verify httpd-2.2.0.tar.gz.asc

It must be
% gpg --verify httpd-2.2.0.tar.gz.asc httpd-2.2.0.tar.gz

per
http://blog.terryburton.co.uk/2006/11/falling-into-trap-with-gpg.html
https://www.gnupg.org/gph/en/manual/x135.html

It makes little sense for each project to maintain a "how to verify PGP" page. There is an ASF-wide one,
http://www.apache.org/info/verification.html
Comment 2 Sebb 2014-10-17 17:55:25 UTC
(In reply to Konstantin Kolinko from comment #1)
> The HTTPD page does it wrong.
> 
> The following command is seriously broken:
> % gpg --verify httpd-2.2.0.tar.gz.asc

It works for me - see below.
 
> It must be
> % gpg --verify httpd-2.2.0.tar.gz.asc httpd-2.2.0.tar.gz

That works too.
 
> per
> http://blog.terryburton.co.uk/2006/11/falling-into-trap-with-gpg.html

That page no longer exists.

> https://www.gnupg.org/gph/en/manual/x135.html

That page does mention both the sig and the input file.

However I have found that gpg verify works fine with just the .sig or .asc file.

GPG looks for a file with the .asc/.sig removed and uses that if it is found; if not it reports:

gpg: no signed data
gpg: can't hash datafile: No data

> It makes little sense for each project to maintain a "how to verify PGP"
> page. There is an ASF-wide one,
> http://www.apache.org/info/verification.html

Indeed.
The ASF one probably appeared after the httpd one.
Comment 3 Konstantin Kolinko 2014-10-17 18:01:59 UTC
(In reply to Sebb from comment #2)
> (In reply to Konstantin Kolinko from comment #1)
> > per
> > http://blog.terryburton.co.uk/2006/11/falling-into-trap-with-gpg.html
> 
> That page no longer exists.
> 

It is available from http://archive.org/web/
Comment 4 Sebb 2014-10-17 19:01:24 UTC
(In reply to Konstantin Kolinko from comment #3)
> (In reply to Sebb from comment #2)
> > (In reply to Konstantin Kolinko from comment #1)
> > > per
> > > http://blog.terryburton.co.uk/2006/11/falling-into-trap-with-gpg.html
> > 
> > That page no longer exists.
> > 
> 
> It is available from http://archive.org/web/

OK, I see now. I agree it's badly broken.

The ASF page is also wrong; I'll fix it.
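The verification discussed in comments 1 through 4, as an added example that is not code from this bug thread, the Tomcat project or the ASF verification page: a small Python helper that always names both the signature and the data file on the gpg command line, then checks gpg's machine-readable status output for a VALIDSIG whose primary-key fingerprint is on an allow-list. The fingerprint and file names are constructed placeholders; in practice the allow-list comes from the project's KEYS file.

```python
"""Verify a downloaded release against its detached .asc signature.

Added example, not code from the bug thread or the Tomcat project. It names
BOTH files explicitly (the point of comment 1) and trusts gpg's status lines,
not the human-readable "Good signature" text: gpg exits 0 for any valid
signature, even from a key that is not the project's, so the fingerprint
must be checked against a known list.
"""
import subprocess
from typing import Iterable, Optional

# Constructed placeholder; take real values from the project's KEYS file.
TRUSTED_FINGERPRINTS = {"0123456789ABCDEF0123456789ABCDEF01234567"}

# Constructed sample of `gpg --status-fd 1 --verify` output (not real gpg output).
SAMPLE_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.org>\n"
    "[GNUPG:] VALIDSIG 0123456789abcdef0123456789abcdef01234567 2014-10-17 "
    "1413504000 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567\n"
)


def signing_key_fingerprint(status_output: str) -> Optional[str]:
    """Return the signing key's primary fingerprint from a VALIDSIG line, or None.

    Status format: [GNUPG:] VALIDSIG <fpr> <date> <ts> <exp> <ver> <rsvd>
    <pk-algo> <hash-algo> <class> [<primary-fpr>]; the primary fingerprint
    (last field) covers signatures made with a subkey. Older gpg omits it.
    """
    for line in status_output.splitlines():
        f = line.split()
        if len(f) >= 11 and f[0] == "[GNUPG:]" and f[1] == "VALIDSIG":
            return (f[11] if len(f) >= 12 else f[2]).upper()
    return None  # no VALIDSIG: bad signature, missing data file, or not a signature


def is_trusted(status_output: str, trusted: Iterable[str] = TRUSTED_FINGERPRINTS) -> bool:
    """True only if gpg reported a valid signature from an allow-listed key."""
    fpr = signing_key_fingerprint(status_output)
    return fpr is not None and fpr in {t.upper() for t in trusted}


def verify_download(data_file: str, sig_file: Optional[str] = None) -> bool:
    """Run gpg with both the signature and the data file named explicitly."""
    sig_file = sig_file or data_file + ".asc"
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_file, data_file],
        capture_output=True, text=True, check=False,
    )
    return proc.returncode == 0 and is_trusted(proc.stdout)


if __name__ == "__main__":
    print("trusted:", is_trusted(SAMPLE_STATUS))  # parses the constructed sample only
```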
Comment 5 Mark Thomas 2014-10-21 20:43:23 UTC
Fixed. Should be live for all download pages by the time you read this.
Comment 6 Sebb 2016-01-05 15:44:29 UTC
(In reply to Konstantin Kolinko from comment #3)
> (In reply to Sebb from comment #2)
> > (In reply to Konstantin Kolinko from comment #1)
> > > per
> > > http://blog.terryburton.co.uk/2006/11/falling-into-trap-with-gpg.html
> > 
> > That page no longer exists.
> > 
> 
> It is available from http://archive.org/web/

FTR it's available from:

http://web.archive.org/web/20130417020216/http://blog.terryburton.co.uk/2006/11/falling-into-trap-with-gpg.html