Posted to users@cloudstack.apache.org by Udo Rader <li...@bestsolution.at> on 2015/11/17 00:43:22 UTC

gpg verification: missing key 0EE3D884

Hi,

I've downloaded the latest 4.5.2 tar.bz2 and tried to verify the
download using gpg, but gpg tells me that the used key is unknown:

[udo@artio Downloads]$ gpg --verify apache-cloudstack-4.5.2-src.tar.bz2.asc
gpg: assuming signed data in `apache-cloudstack-4.5.2-src.tar.bz2'
gpg: Signature made Wed 19 Aug 2015 11:13:04 AM CEST using RSA key ID
0EE3D884
gpg: Can't check signature: public key not found

So is the key missing from http://www.apache.org/dist/cloudstack/KEYS or
am I missing something?

Regards

Udo

Re: gpg verification: missing key 0EE3D884

Posted by Rene Moser <ma...@renemoser.net>.
Hi

On 11/17/2015 12:43 AM, Udo Rader wrote:

> So is the key missing from http://www.apache.org/dist/cloudstack/KEYS or

Please use the A-graded HTTPS service for downloading software and
verifying keys to reduce the risk of man-in-the-middle attacks. Be more
paranoid!

https://www.apache.org/dist/cloudstack/KEYS

Yours
René
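
An added example, not part of the thread or of the CloudStack project: a POSIX shell sketch that fetches the KEYS file over HTTPS only, imports it into a throwaway keyring, and uses gpg's machine-readable `--status-fd` output to tell "signing key not in KEYS" (the failure in the original post) apart from a bad signature. The function names, verdict words and the zero-padded long key ID in the sample are assumptions made for illustration.

```shell
# Added example (not from the thread); function names and verdicts are hypothetical.
# Read `gpg --status-fd` lines on stdin and print one verdict.
classify_gpg_status() {
    awk '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG"    { bad = 1 }
        $2 == "NO_PUBKEY" { missing = $3 }
        $2 == "GOODSIG"   { good = 1 }
        $2 == "VALIDSIG"  { valid = 1 }
        $2 == "EXPSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { stale = 1 }
        END {
            if (bad)                print "BAD"
            else if (missing != "") print "MISSING_KEY " missing
            else if (stale)         print "EXPIRED_OR_REVOKED"
            else if (good && valid) print "GOOD"
            else                    print "UNVERIFIED"
        }'
}

# verify_release KEYS_URL ARTIFACT SIGNATURE
# Imports KEYS into a throwaway keyring so the verdict depends only on that file.
verify_release() {
    keys_url=$1; artifact=$2; sig=$3
    case $keys_url in
        https://*) ;;
        *) echo "REFUSED_NON_HTTPS_KEYS_URL"; return 2 ;;
    esac
    home=$(mktemp -d) || return 2
    if curl --fail --silent --location --proto '=https' --proto-redir '=https' \
            --output "$home/KEYS" "$keys_url" &&
       gpg --homedir "$home" --batch --quiet --import "$home/KEYS" 2>/dev/null
    then
        verdict=$(gpg --homedir "$home" --batch --status-fd 1 \
                      --verify "$sig" "$artifact" 2>/dev/null | classify_gpg_status)
    else
        verdict="KEYS_UNAVAILABLE"
    fi
    rm -rf "$home"
    echo "$verdict"
    [ "$verdict" = "GOOD" ]
}

# Constructed status output for the failure in the original post; the key ID is
# the short ID from the thread left-padded with zeros, not the real long ID.
sample_missing_key() {
    printf '%s\n' '[GNUPG:] ERRSIG 000000000EE3D884 1 8 00 1439975584 9' \
                  '[GNUPG:] NO_PUBKEY 000000000EE3D884'
}

sample_missing_key | classify_gpg_status
```

A `GOOD` verdict only means the signature was made by a key present in the fetched KEYS file, so the result is no stronger than the channel that file came over.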

Re: gpg verification: missing key 0EE3D884

Posted by John Kinsella <jl...@stratosec.co>.
No apologies. :)

> On Nov 17, 2015, at 11:33 AM, Udo Rader <li...@bestsolution.at> wrote:
> 
> sorry for the noise & being probably paranoid here, but I've once had to
> deal with compromised source code (proftpd) and I promised myself to
> cross check as much as I can ...
> 
> On 11/17/2015 06:35 PM, John Kinsella wrote:
>> Thanks.
>> 
>> Rohit’s out sick, but I’ve reached out to coworkers to see when we can get that straightened out.  I’m confident it’s not a security risk, but will update once we can confirm that.
>> 
>> John
>> 
>>> On Nov 17, 2015, at 9:12 AM, Udo Rader <li...@bestsolution.at> wrote:
>>> 
>>> created a jira issue for this
>>> https://issues.apache.org/jira/browse/CLOUDSTACK-9070 ...
>>> 
>>> On 11/17/2015 12:58 AM, John Kinsella wrote:
>>>> Rohit - looks like your key isn’t in https://dist.apache.org/repos/dist/release/cloudstack/KEYS ?
>>>> 
>>>> On Nov 16, 2015, at 3:43 PM, Udo Rader <li...@bestsolution.at> wrote:
>>>> 
>>>> Hi,
>>>> 
>>>> I've downloaded the latest 4.5.2 tar.bz2 and tried to verify the
>>>> download using gpg, but gpg tells me that the used key is unknown:
>>>> 
>>>> [udo@artio Downloads]$ gpg --verify apache-cloudstack-4.5.2-src.tar.bz2.asc
>>>> gpg: assuming signed data in `apache-cloudstack-4.5.2-src.tar.bz2'
>>>> gpg: Signature made Wed 19 Aug 2015 11:13:04 AM CEST using RSA key ID
>>>> 0EE3D884
>>>> gpg: Can't check signature: public key not found
>>>> 
>>>> So is the key missing from http://www.apache.org/dist/cloudstack/KEYS or
>>>> am I missing something?
>>>> 
>>>> Regards
>>>> 
>>>> Udo
>>>> 
>> 


Re: gpg verification: missing key 0EE3D884

Posted by Udo Rader <li...@bestsolution.at>.
sorry for the noise & being probably paranoid here, but I've once had to
deal with compromised source code (proftpd) and I promised myself to
cross check as much as I can ...

On 11/17/2015 06:35 PM, John Kinsella wrote:
> Thanks.
> 
> Rohit’s out sick, but I’ve reached out to coworkers to see when we can get that straightened out.  I’m confident it’s not a security risk, but will update once we can confirm that.
> 
> John
> 
>> On Nov 17, 2015, at 9:12 AM, Udo Rader <li...@bestsolution.at> wrote:
>>
>> created a jira issue for this
>> https://issues.apache.org/jira/browse/CLOUDSTACK-9070 ...
>>
>> On 11/17/2015 12:58 AM, John Kinsella wrote:
>>> Rohit - looks like your key isn’t in https://dist.apache.org/repos/dist/release/cloudstack/KEYS ?
>>>
>>> On Nov 16, 2015, at 3:43 PM, Udo Rader <li...@bestsolution.at> wrote:
>>>
>>> Hi,
>>>
>>> I've downloaded the latest 4.5.2 tar.bz2 and tried to verify the
>>> download using gpg, but gpg tells me that the used key is unknown:
>>>
>>> [udo@artio Downloads]$ gpg --verify apache-cloudstack-4.5.2-src.tar.bz2.asc
>>> gpg: assuming signed data in `apache-cloudstack-4.5.2-src.tar.bz2'
>>> gpg: Signature made Wed 19 Aug 2015 11:13:04 AM CEST using RSA key ID
>>> 0EE3D884
>>> gpg: Can't check signature: public key not found
>>>
>>> So is the key missing from http://www.apache.org/dist/cloudstack/KEYS or
>>> am I missing something?
>>>
>>> Regards
>>>
>>> Udo
>>>
> 

Re: gpg verification: missing key 0EE3D884

Posted by John Kinsella <jl...@stratosec.co>.
Thanks.

Rohit’s out sick, but I’ve reached out to coworkers to see when we can get that straightened out.  I’m confident it’s not a security risk, but will update once we can confirm that.

John

> On Nov 17, 2015, at 9:12 AM, Udo Rader <li...@bestsolution.at> wrote:
> 
> created a jira issue for this
> https://issues.apache.org/jira/browse/CLOUDSTACK-9070 ...
> 
> On 11/17/2015 12:58 AM, John Kinsella wrote:
>> Rohit - looks like your key isn’t in https://dist.apache.org/repos/dist/release/cloudstack/KEYS ?
>> 
>> On Nov 16, 2015, at 3:43 PM, Udo Rader <li...@bestsolution.at> wrote:
>> 
>> Hi,
>> 
>> I've downloaded the latest 4.5.2 tar.bz2 and tried to verify the
>> download using gpg, but gpg tells me that the used key is unknown:
>> 
>> [udo@artio Downloads]$ gpg --verify apache-cloudstack-4.5.2-src.tar.bz2.asc
>> gpg: assuming signed data in `apache-cloudstack-4.5.2-src.tar.bz2'
>> gpg: Signature made Wed 19 Aug 2015 11:13:04 AM CEST using RSA key ID
>> 0EE3D884
>> gpg: Can't check signature: public key not found
>> 
>> So is the key missing from http://www.apache.org/dist/cloudstack/KEYS or
>> am I missing something?
>> 
>> Regards
>> 
>> Udo
>> 


Re: gpg verification: missing key 0EE3D884

Posted by Udo Rader <li...@bestsolution.at>.
created a jira issue for this
https://issues.apache.org/jira/browse/CLOUDSTACK-9070 ...

On 11/17/2015 12:58 AM, John Kinsella wrote:
> Rohit - looks like your key isn’t in https://dist.apache.org/repos/dist/release/cloudstack/KEYS ?
> 
> On Nov 16, 2015, at 3:43 PM, Udo Rader <li...@bestsolution.at> wrote:
> 
> Hi,
> 
> I've downloaded the latest 4.5.2 tar.bz2 and tried to verify the
> download using gpg, but gpg tells me that the used key is unknown:
> 
> [udo@artio Downloads]$ gpg --verify apache-cloudstack-4.5.2-src.tar.bz2.asc
> gpg: assuming signed data in `apache-cloudstack-4.5.2-src.tar.bz2'
> gpg: Signature made Wed 19 Aug 2015 11:13:04 AM CEST using RSA key ID
> 0EE3D884
> gpg: Can't check signature: public key not found
> 
> So is the key missing from http://www.apache.org/dist/cloudstack/KEYS or
> am I missing something?
> 
> Regards
> 
> Udo
> 

Re: gpg verification: missing key 0EE3D884

Posted by John Kinsella <jl...@stratosec.co>.
Just to confirm…

$ gpg --verify apache-cloudstack-4.5.2-src.tar.bz2.asc
gpg: Signature made Wed Aug 19 02:13:04 2015 PDT using RSA key ID 0EE3D884
gpg: Good signature from "Rohit Yadav (CODE SIGNING KEY) <bh...@apache.org>"

Thanks!

On Nov 18, 2015, at 11:52 PM, Rohit Yadav <ro...@shapeblue.com> wrote:

Hi John and Udo,

Thanks for bringing this to attention. I’m unsure how I missed this but updated the KEYS file now.

Regards.

On 17-Nov-2015, at 5:28 AM, John Kinsella <jl...@stratosec.co> wrote:

Rohit - looks like your key isn’t in https://dist.apache.org/repos/dist/release/cloudstack/KEYS ?

On Nov 16, 2015, at 3:43 PM, Udo Rader <li...@bestsolution.at> wrote:

Hi,

I've downloaded the latest 4.5.2 tar.bz2 and tried to verify the
download using gpg, but gpg tells me that the used key is unknown:

[udo@artio Downloads]$ gpg --verify apache-cloudstack-4.5.2-src.tar.bz2.asc
gpg: assuming signed data in `apache-cloudstack-4.5.2-src.tar.bz2'
gpg: Signature made Wed 19 Aug 2015 11:13:04 AM CEST using RSA key ID
0EE3D884
gpg: Can't check signature: public key not found

So is the key missing from http://www.apache.org/dist/cloudstack/KEYS or
am I missing something?

Regards

Udo


Regards,
Rohit Yadav
Software Architect, ShapeBlue




Re: gpg verification: missing key 0EE3D884

Posted by Rohit Yadav <ro...@shapeblue.com>.
Hi John and Udo,

Thanks for bringing this to attention. I’m unsure how I missed this but updated the KEYS file now.

Regards.

On 17-Nov-2015, at 5:28 AM, John Kinsella <jl...@stratosec.co> wrote:

Rohit - looks like your key isn’t in https://dist.apache.org/repos/dist/release/cloudstack/KEYS ?

On Nov 16, 2015, at 3:43 PM, Udo Rader <li...@bestsolution.at> wrote:

Hi,

I've downloaded the latest 4.5.2 tar.bz2 and tried to verify the
download using gpg, but gpg tells me that the used key is unknown:

[udo@artio Downloads]$ gpg --verify apache-cloudstack-4.5.2-src.tar.bz2.asc
gpg: assuming signed data in `apache-cloudstack-4.5.2-src.tar.bz2'
gpg: Signature made Wed 19 Aug 2015 11:13:04 AM CEST using RSA key ID
0EE3D884
gpg: Can't check signature: public key not found

So is the key missing from http://www.apache.org/dist/cloudstack/KEYS or
am I missing something?

Regards

Udo


Regards,
Rohit Yadav
Software Architect, ShapeBlue



Re: gpg verification: missing key 0EE3D884

Posted by John Kinsella <jl...@stratosec.co>.
Rohit - looks like your key isn’t in https://dist.apache.org/repos/dist/release/cloudstack/KEYS ?

On Nov 16, 2015, at 3:43 PM, Udo Rader <li...@bestsolution.at> wrote:

Hi,

I've downloaded the latest 4.5.2 tar.bz2 and tried to verify the
download using gpg, but gpg tells me that the used key is unknown:

[udo@artio Downloads]$ gpg --verify apache-cloudstack-4.5.2-src.tar.bz2.asc
gpg: assuming signed data in `apache-cloudstack-4.5.2-src.tar.bz2'
gpg: Signature made Wed 19 Aug 2015 11:13:04 AM CEST using RSA key ID
0EE3D884
gpg: Can't check signature: public key not found

So is the key missing from http://www.apache.org/dist/cloudstack/KEYS or
am I missing something?

Regards

Udo