how within the heck can you really verify the signature of the distribution for apache Tomcat or ant? i have used GnuPG also it does not appear to have the desired effect, despite alerts all around the apache site to ensure files first.

using home the event that helps.

1) download binary version .exe / .zip / .asc / Secrets file
2) gpg --import Secrets
3) gpg --verify *.asc file
4) the very best i'm able to get is really a monosodium glutamate. stating
"This secret is not licensed having a reliable signature!
There's no indication the signature goes towards the owner." ...along with a primary key fingerprint.

I suppose that's Not really a valid verification.

No, it's valid. It simply means you have not marked the important thing as reliable. It is not easy (although not impossible) to complete securely so.

Essentially, you have to satisfy the signer themselves and personally verify the fingerprint or (possibly recursively) trust another person's verification of these.