Posted to dev@flink.apache.org by "Bob (Jira)" <ji...@apache.org> on 2020/03/04 14:18:00 UTC
[jira] [Created] (FLINK-16424) Can't verify PGP signatures of Flink 1.9.2 and 1.10.0
Bob created FLINK-16424:
---------------------------
Summary: Can't verify PGP signatures of Flink 1.9.2 and 1.10.0
Key: FLINK-16424
URL: https://issues.apache.org/jira/browse/FLINK-16424
Project: Flink
Issue Type: Improvement
Reporter: Bob
I tried to follow the steps on the download page [https://flink.apache.org/downloads.html] and [http://www.apache.org/info/verification.html] but I am unable to verify the Flink packages with the help of the PGP signatures of Flink 1.9.2 and 1.10.0.
Steps to reproduce:
# Download Flink via a mirror [https://www.apache.org/dyn/closer.lua/flink/flink-1.10.0/flink-1.10.0-bin-scala_2.12.tgz]
# Download PGP signature file [https://www.apache.org/dist/flink/flink-1.10.0/flink-1.10.0-bin-scala_2.12.tgz.asc]
# Download release-signing keys file [https://www.apache.org/dist/flink/KEYS]
{code:java}
# gpg --import KEYS
gpg: key 04D9B832: "Alan Gates (No comment) <ga...@yahoo-inc.com>" not changed
gpg: key 0CBAAE9F: "Sean Owen (CODE SIGNING KEY) <sr...@apache.org>" not changed
gpg: key 0410DA0C: "Ted Dunning (for signing Apache releases) <te...@gmail.com>" not changed
gpg: key 3592721E: "Henry Saputra (CODE SIGNING KEY) <hs...@apache.org>" not changed
gpg: key 3D0C92B9: "Owen O'Malley (Code signing) <om...@apache.org>" not changed
gpg: key D9839159: "Robert Metzger (CODE SIGNING KEY) <rm...@apache.org>" not changed
gpg: key 9D403309: "Ufuk Celebi (CODE SIGNING KEY) <uc...@apache.org>" not changed
gpg: key D675A2E9: "Márton Balassi (CODE SIGNING KEY) <mb...@apache.org>" not changed
gpg: key C2909CBF: "Maximilian Michels <mx...@apache.org>" not changed
gpg: key 34911D5A: "Fabian Hueske (CODE SIGNING KEY) <fh...@apache.org>" not changed
gpg: key B065B356: "Tzu-Li Tai (CODE SIGNING KEY) <tz...@apache.org>" not changed
gpg: key 121D7293: "Aljoscha Krettek (CODE SIGNING KEY) <al...@apache.org>" not changed
gpg: key 11D464BA: "Chesnay Schepler (CODE SIGNING KEY) <ch...@apache.org>" not changed
gpg: key 35C33D6A: "Tzu-Li Tai (CODE SIGNING KEY) <tz...@apache.org>" not changed
gpg: key A96CFFD5: "Till Rohrmann (stsffap) <tr...@apache.org>" not changed
gpg: key D920A98C: "Thomas Weise <th...@apache.org>" not changed
gpg: key 3B79EA0E: "jincheng Sun (jincheng) <ji...@apache.org>" not changed
gpg: key F7059BA4: "Kurt Young <ku...@apache.org>" not changed
gpg: key EFAE3202: "Jark Wu (CODE SIGNING KEY) <ja...@apache.org>" not changed
gpg: Total number processed: 19
gpg: unchanged: 19
{code}
{code:java}
# gpg --verify flink-1.10.0-bin-scala_2.12.tgz.asc flink-1.10.0-bin-scala_2.12.tgz
gpg: Signature made Fri 07 Feb 2020 07:36:24 PM CET using RSA key ID 89C115E8
gpg: Can't check signature: No public key
{code}
{code:java}
# gpg --keyserver pgpkeys.mit.edu --recv-key 89C115E8
gpg: requesting key 89C115E8 from hkp server pgpkeys.mit.edu
gpgkeys: key 89C115E8 not found on keyserver
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
{code}
{code:java}
# gpg --verify flink-1.9.2-bin-scala_2.12.tgz.asc2 flink-1.9.2-bin-scala_2.12.tgz
gpg: Signature made Fri 24 Jan 2020 06:08:33 AM CET using RSA key ID 57B6476C
gpg: Can't check signature: No public key
{code}
{code:java}
# gpg --keyserver pgpkeys.mit.edu --recv-key 57B6476C
gpg: requesting key 57B6476C from hkp server pgpkeys.mit.edu
gpgkeys: key 57B6476C not found on keyserver
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
{code}
Could someone check if a key is missing in the release-signing keys file? Or is something else wrong? E.g., for Flink 1.9.1 these steps seem to be fine.
{code:java}
gpg --verify flink-1.9.1-bin-scala_2.12.tgz.asc flink-1.9.1-bin-scala_2.12.tgz
gpg: Signature made Mon 30 Sep 2019 08:57:32 AM CEST using RSA key ID EFAE3202
gpg: Good signature from "Jark Wu (CODE SIGNING KEY) <ja...@apache.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: E2C4 5417 BED5 C104 154F 3410 85BA CB5A EFAE 3202
{code}
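Added example, not part of the original report or of any Flink/ASF tooling: a small triage script that compares the signer key ID from a `gpg --verify` transcript with the key IDs reported by `gpg --import KEYS`, which is the check the report asks for. The function and variable names are hypothetical, and the sample input is constructed from an abridged copy of the output quoted above.

```python
import re

# Constructed sample input: gpg text output abridged from the report above.
IMPORT_OUT = """\
gpg: key D9839159: "Robert Metzger (CODE SIGNING KEY) <rm...@apache.org>" not changed
gpg: key EFAE3202: "Jark Wu (CODE SIGNING KEY) <ja...@apache.org>" not changed
"""
VERIFY_1_10_0 = """\
gpg: Signature made Fri 07 Feb 2020 07:36:24 PM CET using RSA key ID 89C115E8
gpg: Can't check signature: No public key
"""
VERIFY_1_9_1 = """\
gpg: Signature made Mon 30 Sep 2019 08:57:32 AM CEST using RSA key ID EFAE3202
gpg: Good signature from "Jark Wu (CODE SIGNING KEY) <ja...@apache.org>"
Primary key fingerprint: E2C4 5417 BED5 C104 154F 3410 85BA CB5A EFAE 3202
"""

KEY_LINE = re.compile(r"^gpg: key ([0-9A-Fa-f]{8,40}):", re.M)
SIG_LINE = re.compile(r"using \w+ key(?: ID)? ([0-9A-Fa-f]{8,40})")
FPR_LINE = re.compile(r"^Primary key fingerprint: ([0-9A-Fa-f ]+)$", re.M)

def imported_key_ids(import_output):
    """Key IDs that `gpg --import KEYS` reported, upper-cased."""
    return {k.upper() for k in KEY_LINE.findall(import_output)}

def triage(verify_output, keys_ids):
    """Classify one `gpg --verify` transcript against the imported KEYS IDs."""
    m = SIG_LINE.search(verify_output)
    if not m:
        return {"status": "no-signature-line", "signer": None, "fingerprint": None}
    signer = m.group(1).upper()
    # Match on trailing hex digits so short and long IDs compare equal.
    in_keys = any(k.endswith(signer) or signer.endswith(k) for k in keys_ids)
    fpr = FPR_LINE.search(verify_output)
    fingerprint = fpr.group(1).replace(" ", "") if fpr else None
    if "Good signature" in verify_output and in_keys:
        status = "good"
    elif "No public key" in verify_output:
        status = "signer-in-keys-but-not-in-keyring" if in_keys else "signer-missing-from-keys"
    else:
        status = "rejected"
    return {"status": status, "signer": signer, "fingerprint": fingerprint}

if __name__ == "__main__":
    ids = imported_key_ids(IMPORT_OUT)
    for name, out in (("1.10.0", VERIFY_1_10_0), ("1.9.1", VERIFY_1_9_1)):
        print(name, triage(out, ids))
```

Short 8-digit key IDs are not unique, so when a fingerprint is printed, compare the full 40-digit value against the one published in the KEYS file before trusting a "good" result.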