You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@spark.apache.org by "Dongjoon Hyun (Jira)" <ji...@apache.org> on 2020/02/04 18:48:00 UTC
[jira] [Resolved] (SPARK-30728) Bad signature for Spark 2.4.4
[ https://issues.apache.org/jira/browse/SPARK-30728?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Dongjoon Hyun resolved SPARK-30728.
-----------------------------------
Resolution: Invalid
Hi, [~khalidnajm]. JIRA is not for Q&A. You had better ask questions to dev mailing list.
{code}
# gpg --verify spark-2.4.4-bin-hadoop2.7.tgz.asc
gpg: assuming signed data in 'spark-2.4.4-bin-hadoop2.7.tgz'
gpg: Signature made Tue Aug 27 21:30:32 2019 UTC
gpg: using RSA key EDA00CE834F0FC5C
gpg: Good signature from "Dongjoon Hyun (CODE SIGNING KEY) <do...@apache.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: F28C 9C92 5C18 8C35 E345 614D EDA0 0CE8 34F0 FC5C
{code}
> Bad signature for Spark 2.4.4
> -----------------------------
>
> Key: SPARK-30728
> URL: https://issues.apache.org/jira/browse/SPARK-30728
> Project: Spark
> Issue Type: Bug
> Components: Windows
> Affects Versions: 2.4.4
> Environment: Windows 10 Pro 1809
> OS Build: 17763.973
> gpg (GnuPG) 2.2.19 libgcrypt 1.8.5
> Reporter: Khalid Najm
> Priority: Minor
>
> I downloaded the signatures files from the Apache Spark download page:
> * spark-2.4.4-bin-hadoop2.7.tgz.asc
> * spark-2.4.4-bin-hadoop2.7.tgz.sha512
> * KEYS
> I ran the following commands:
> gpg --import KEYS
> gpg --verify spark-2.4.4-bin-hadoop2.7.tgz.asc spark-2.4.4-bin-hadoop2.7.tgz.sha512
> For the KEYS command, I got:
> {\{gpg: key 7B165D2A15E06093: "Andrew Or <an...@gmail.com>" not changed gpg: key 6B32946082667DC1: "Xiangrui Meng (CODE SIGNING KEY) <me...@apache.org>" not changed gpg: key B1A91F0000799F7E: "Patrick Wendell <pw...@gmail.com>" not changed gpg: key 7C6C105FFC8ED089: "Patrick Wendell <pw...@gmail.com>" not changed gpg: key 5D951CFF87FD1A97: "Tathagata Das (CODE SIGNING KEY) <td...@apache.org>" not changed gpg: key 548F5FEE9E4FE3AF: "Patrick Wendell <pw...@gmail.com>" not changed gpg: key A70A1B29E90ADC5D: 1 signature not checked due to a missing key gpg: key A70A1B29E90ADC5D: "Holden Karau (CODE SIGNING KEY) <ho...@apache.org>" not changed gpg: key B6C8B66085040118: "Felix Cheung (CODE SIGNING KEY) <fe...@apache.org>" not changed gpg: key DCE4BFD807461E96: "Sameer Agarwal (CODE SIGNING KEY) <sa...@apache.org>" not changed gpg: key FD8FFD4C3A0D5564: 3 signatures not checked due to missing keys gpg: key FD8FFD4C3A0D5564: "Marcelo M. Vanzin <va...@apache.org>" not changed gpg: key DE4FBCCD81E6C76A: "Thomas Graves (CODE SIGNING KEY) <tg...@apache.org>" not changed gpg: key DB0B21A012973FD0: "Saisai Shao (CODE SIGNING KEY) <js...@apache.org>" not changed gpg: key 6BAC72894F4FDC8A: "Wenchen Fan (CODE SIGNING KEY) <we...@apache.org>" not changed gpg: key EDA00CE834F0FC5C: "Dongjoon Hyun (CODE SIGNING KEY) <do...@apache.org>" not changed gpg: key 6EC5F1052DF08FF4: "Takeshi Yamamuro (CODE SIGNING KEY) <ya...@apache.org>" not changed gpg: key 42E5B25A8F7A82C1: "DB Tsai <db...@dbtsai.com>" not changed gpg: key 96F72F76830C0D1B: "Xiao Li (CODE SIGNING KEY) <li...@apache.org>" not changed gpg: key E49A046C7F0FEF75: "Kazuaki Ishizaki (CODE SIGNING KEY) <ki...@apache.org>" not changed gpg: key E1B7E0F25E4BF56B: "Xingbo Jiang (CODE SIGNING KEY) <ji...@apache.org>" not changed gpg: key 6E1B4122F6A3A338: "Yuming Wang <yu...@apache.org>" not changed gpg: Total number processed: 20 gpg: unchanged: 20}}
> For the verification, I got:
> {{gpg: Signature made 08/27/19 22:30:32 GMT Daylight Time gpg: using RSA key EDA00CE834F0FC5C gpg: BAD signature from "Dongjoon Hyun (CODE SIGNING KEY) <do...@apache.org>" [unknown]}}
> I have two questions:
> * why did this happen? I downloaded and installed Spark from one mirror and then the other, and still got the error. Also, the three files are the same in either case, so how does it tell which signature works?
> * I assume that when you get a bad signature error, that you should reinstall from another mirror. Is this true?
> * What is the signature verification doing?
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@spark.apache.org
For additional commands, e-mail: issues-help@spark.apache.org