On Mon, Mar 3, 2025 at 6:05 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Dimitris,
>
> On 3/3/25 9:57 AM, Dimitris Soumis wrote:
> > On Sat, Mar 1, 2025 at 8:29 AM Christopher Schultz <
> > ch...@christopherschultz.net> wrote:
> >
> >> The proposed Apache Tomcat 10.1.37 release is now available for
> >> voting.
> >>
> >> All committers and PMC members are kindly requested to provide a vote if
> >> possible. ANY TOMCAT USER MAY VOTE, though only PMC members votes are
> >> binding. We welcome non-committer votes or comments on release builds.
> >>
> >> The notable changes compared to 10.1.36 are:
> >>
> >> - Improve the checks for exposure to and protection against
> >>     CVE-2024-56337 so that reflection is not used unless required. The
> >>     checks for whether the file system is case sensitive or not have
> >>     been removed.
> >>
> >> - Use Transfer-Encoding for compression rather than Content-Encoding if
> >>     the client submits a TE header containing gzip
> >>
> >> - Add makensis as an option for building the Installer for Windows on
> >>     non-Windows platforms.
> >>
> >> For full details, see the change log:
> >> https://nightlies.apache.org/tomcat/tomcat-10.1.x/docs/changelog.html
> >>
> >> Applications that run on Tomcat 9 and earlier will not run on Tomcat 10
> >> without changes. Java EE applications designed for Tomcat 9 and earlier
> >> may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat
> >> will automatically convert them to Jakarta EE and copy them to the
> >> webapps directory.
> >>
> >> It can be obtained from:
> >> https://dist.apache.org/repos/dist/dev/tomcat/tomcat-10/v10.1.37/
> >>
> >> The Maven staging repo is:
> >> https://repository.apache.org/content/repositories/orgapachetomcat-1535
> >>
> >> The tag is:
> >> https://github.com/apache/tomcat/tree/10.1.37
> >>
> >> https://github.com/apache/tomcat/commit/e4338ee7a3e0f22d85f7cb2e04dacee752eaa619
> >>
> >> Please reply with a +1 for release or +0/-0/-1 with an explanation.
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> >> For additional commands, e-mail: dev-h...@tomcat.apache.org
> >>
> >>
> > +1 Build is reproducible and all tests pass on Fedora 41 with Java 21,
> > tcnative-2.0.8, apr-1.7.4, openssl-3.2.4.
> >
> > However, the RSA key (3262A061C42FC4C7BBB5C25C1CF0293FA53CA458) used to
> > sign the release is still not present in the KEYS file.
>
> This is what I get during validation of e.g. the .exe artifact:
>
> $ gpg --verify --keyring ./apache-keys --no-default-keyring
> apache-tomcat-10.1.37.exe.asc apache-tomcat-10.1.37.exe
> gpg: Signature made Sat Mar  1 01:00:52 2025 EST
> gpg:                using RSA key 3262A061C42FC4C7BBB5C25C1CF0293FA53CA458
> gpg: Good signature from "Christopher Schultz
> <ch...@christopherschultz.net>" [ultimate]
> gpg:                 aka "Christopher Schultz <cschu...@chadis.com>"
> [ultimate]
> gpg:                 aka "Christopher Schultz <schu...@apache.org>"
> [ultimate]
> gpg:                 aka "Christopher Schultz
> <christopher.schu...@alumni.rose-hulman.edu>" [ultimate]
> $ echo $?
> 0
>
> The apache-keys file is a proper GPG keyring imported using this command:
>
> $ gpg --import --no-default-keyring --primary-keyring ./apache-keys < KEYS
>
> The key I use to sign is a subkey of my main key. I believe I've been
> using the same key to sign releases for a good long time.
>
> But I do see that my signature on the Windows .exe binary is not quite
> right. It fails using osslsigncode using my usual method :/
>
> -chris
>
>
>
>
Hi Chris,

I wasn't aware of the subkey concept and I falsely thought (judging by the
rest of the releases) that the key signing the release would be the primary
one and should be mentioned explicitly in the KEYS file. Thanks for the
detailed clarification.

Kind regards,
Dimitris
