All official releases of code distributed by the Apache HTTP Server Project are signed by the release manager for the release. PGP signatures and MD5 hashes are available along with the distribution.
You should download the PGP signatures and MD5 hashes directly from the Apache Software Foundation rather than our mirrors. This is to help ensure the integrity of the signature files. However, you are encouraged to download the releases from our mirrors. (Our download page points you at the mirrors for the release and the official site for the signatures, so this happens automatically for you.)
The following example details how signature interaction works. In this
example, you are already assumed to have downloaded
(the release) and
httpd-2.4.18.tar.gz.asc (the detached signature).
First, we will check the detached signature (
against our release (
% gpg --verify httpd-2.4.18.tar.gz.asc httpd-2.4.18.tar.gz gpg: Signature made Tue Dec 8 21:32:07 2015 CET using RSA key ID 791485A8 gpg: Can't check signature: public key not found
We don't have the release manager's public key (
791485A8 ) in our local
system. You now need to retrieve the public key from a key server. One
popular server is
pgpkeys.mit.edu (which has a web
interface ). The public key servers are linked
together, so you should be able to connect to any key server.
% gpg --keyserver pgpkeys.mit.edu --recv-key 791485A8 gpg: requesting key 791485A8 from HKP keyserver pgpkeys.mit.edu gpg: trustdb created gpg: key 791485A8: public key "Jim Jagielski <firstname.lastname@example.org>" imported gpg: Total number processed: 1 gpg: imported: 1
In this example, you have now received a public key for an entity known as 'Jim Jagielski <email@example.com>' However, you have no way of verifying this key was created by the person known as Jim Jagielski. But, let's try to verify the release signature again.
% gpg --verify httpd-2.4.18.tar.gz.asc httpd-2.4.18.tar.gz gpg: Signature made Tue Dec 8 21:32:07 2015 CET using RSA key ID 791485A8 gpg: Good signature from "Jim Jagielski <firstname.lastname@example.org>" gpg: aka "Jim Jagielski <email@example.com>" gpg: aka "Jim Jagielski <jim@jaguNET.com>" gpg: aka "Jim Jagielski <firstname.lastname@example.org>" gpg: checking the trustdb gpg: no ultimately trusted keys found gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Fingerprint: A93D 62EC C3C8 EA12 DB22 0EC9 34EA 76E6 7914 85A8
At this point, the signature is good, but we don't trust this key. A good signature means that the file has not been tampered. However, due to the nature of public key cryptography, you need to additionally verify that key 791485A8 was created by the real Jim Jagielski.
Any attacker can create a public key and upload it to the public key servers. They can then create a malicious release signed by this fake key. Then, if you tried to verify the signature of this corrupt release, it would succeed because the key was not the 'real' key. Therefore, you need to validate the authenticity of this key.
You may download public keys for the Apache HTTP Server developers from our website or retrieve them off the public PGP keyservers (see above). However, importing these keys is not enough to verify the integrity of the signatures. If a release verifies as good, you need to validate that the key was created by an official representative of the Apache HTTP Server Project.
The crucial step to validation is to confirm the key fingerprint of the public key.
% gpg --fingerprint 791485A8 pub 4096R/791485A8 2010-11-04 2002-04-10 Key fingerprint = A93D 62EC C3C8 EA12 DB22 0EC9 34EA 76E6 7914 85A8 uid Jim Jagielski (Release Signing Key) <email@example.com> uid Jim Jagielski <firstname.lastname@example.org> uid Jim Jagielski <jim@jaguNET.com> uid Jim Jagielski <email@example.com> sub 4096R/9B6D9BF7 2010-11-04
A good start to validating a key is by face-to-face communication with multiple government-issued photo identification confirmations. However, each person is free to have their own standards for determining the authenticity of a key. Some people are satisfied by reading the key signature over a telephone (voice verification). For more information on determining what level of trust works best for you, please read the GNU Privacy Handbook section on Validating other keys on your public keyring.
Most of the Apache HTTP Server developers have attempted to sign each others' keys (usually with face-to-face validation). Therefore, in order to enter the web of trust, you should only need to validate one person in our web of trust. (Hint: all of our developers' keys are in the KEYS file.)
For example, the following people have signed the public key for Jim Jagielski. If you verify any key on this list, you will have a trust path to the 791485A8 key. If you verify a key that verifies one of the signatories for 791485A8, then you will have a trust path. (So on, and so on.)
% gpg --list-sigs pub 4096R/791485A8 2010-11-04 uid Jim Jagielski (Release Signing Key) <firstname.lastname@example.org> sig 88C3A5A5 2010-11-07 Philippe M. Chiasson (Home) <email@example.com> sig 4E24517C 2011-11-10 Hyrum K. Wright (Personal) <firstname.lastname@example.org> sig C4FC9A65 2011-11-10 Bernd Bohmann <email@example.com> sig 1F27E622 2015-04-16 Konstantin I Boudnik (Cos) <firstname.lastname@example.org> sig 08C975E5 2010-11-04 Jim Jagielski <email@example.com> sig 2 F2EFD0F0 2011-11-14 Christopher David Schultz (Christopher David Schultz) <firstname.lastname@example.org> sig 3 311A3DE5 2010-11-10 Ruediger Pluem <email@example.com> sig 64A6A0BA 2013-02-27 Steven J. Hathaway (Apache PGP) <firstname.lastname@example.org> sig 00A1234F 2015-04-15 Andre Arcilla <email@example.com> sig 9A59B973 2015-04-21 Stefan Sperling <firstname.lastname@example.org> sig F51BB88A 2010-11-04 Sander Temme <email@example.com> ...more signatures redacted...
Since the developers are usually quite busy, you may not immediately find success in someone who is willing to meet face-to-face (they may not even respond to your emails because they are so busy!). If you do not have a developer nearby or have trouble locating a suitable person, please send an email to the address of the key you are attempting to verify. They may be able to find someone who will be willing to validate their key or arrange alternate mechanisms for validation.
Once you have entered the web of trust, you should see the following upon verifying the signature of a release.
% gpg --verify httpd-2.4.18.tar.gz.asc httpd-2.4.18.tar.gz gpg: Signature made Tue Dec 8 21:32:07 2015 CET using RSA key ID 791485A8 gpg: Good signature from "Jim Jagielski (Release Signing Key) <firstname.lastname@example.org>" gpg: aka "Jim Jagielski <email@example.com>" gpg: aka "Jim Jagielski <jim@jaguNET.com>" gpg: aka "Jim Jagielski <firstname.lastname@example.org>"