Posted to dev@avro.apache.org by "Eric Peterson (Jira)" <ji...@apache.org> on 2019/10/23 21:51:00 UTC

[jira] [Created] (AVRO-2604) Artifacts were signed with a key not in KEYS

Eric Peterson created AVRO-2604:
-----------------------------------

             Summary: Artifacts were signed with a key not in KEYS
                 Key: AVRO-2604
                 URL: https://issues.apache.org/jira/browse/AVRO-2604
             Project: Apache Avro
          Issue Type: Bug
          Components: release
    Affects Versions: 1.9.1
            Reporter: Eric Peterson


Downloads need to be checked against the KEYS obtained from the Avro project.

Importing the current KEYS file gives:
{noformat}
$ gpg --import KEYS
gpg: key 0xDBAF69BEA7239D59: public key "Doug Cutting (Lucene guy) <cu...@apache.org>" imported
gpg: key 0xB5E0D06745472392: public key "Jeff Hammerbacher (CODE SIGNING KEY) <ha...@apache.org>" imported
gpg: key 0x4FB955854318F669: 3 signatures not checked due to missing keys
gpg: key 0x4FB955854318F669: public key "Tom White (CODE SIGNING KEY) <to...@apache.org>" imported
gpg: key 0x99CCC523E1BE8DBE: public key "Tom White (APACHE CODE SIGNING KEY) <to...@apache.org>" imported
gpg: key 0xFCB3CBD9D3924CCD: public key "Ryan Blue (CODE SIGNING KEY) <bl...@apache.org>" imported
gpg: key 0x807934FCCCC7C3A8: public key "Suraj Acharya <su...@gmail.com>" imported
gpg: Total number processed: 6
gpg:               imported: 6
gpg: no ultimately trusted keys found
{noformat}

But the 1.9.1 release artifacts were not signed with any of the PGP keys in that file, for example:
{noformat}
$ for asc in *.asc; do
gpg --verify $asc
echo
done

gpg: assuming signed data in 'Avro-1.9.1.tar.gz'
gpg: Signature made Wed Aug 28 05:38:13 2019 EDT
gpg:                using RSA key CEF487F848109B4C8B8AC18DE4AE0EB72D112483
gpg: Can't check signature: No public key

gpg: assuming signed data in 'avro-cpp-1.9.1.tar.gz'
gpg: Signature made Wed Aug 28 05:38:23 2019 EDT
gpg:                using RSA key CEF487F848109B4C8B8AC18DE4AE0EB72D112483
gpg: Can't check signature: No public key

gpg: assuming signed data in 'avro-doc-1.9.1.tar.gz'
gpg: Signature made Wed Aug 28 05:38:23 2019 EDT
gpg:                using RSA key CEF487F848109B4C8B8AC18DE4AE0EB72D112483
gpg: Can't check signature: No public key

gpg: assuming signed data in 'avro-js-1.9.1.tgz'
gpg: Signature made Wed Aug 28 05:38:13 2019 EDT
gpg:                using RSA key CEF487F848109B4C8B8AC18DE4AE0EB72D112483
gpg: Can't check signature: No public key

gpg: assuming signed data in 'avro-python3-1.9.1.tar.gz'
gpg: Signature made Wed Aug 28 05:38:13 2019 EDT
gpg:                using RSA key CEF487F848109B4C8B8AC18DE4AE0EB72D112483
gpg: Can't check signature: No public key

gpg: assuming signed data in 'avro-src-1.9.1.tar.gz'
gpg: Signature made Wed Aug 28 05:38:23 2019 EDT
gpg:                using RSA key CEF487F848109B4C8B8AC18DE4AE0EB72D112483
gpg: Can't check signature: No public key
{noformat}



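The check this report performs, as an added example that is not part of the original message or of the Avro project's tooling: each detached signature is verified against a throwaway keyring built only from KEYS, and gpg's machine-readable status output is parsed instead of its human-readable text. The function names and verdict strings are assumptions made for the example.

```bash
#!/usr/bin/env bash
# Added example: check release signatures against a keyring built ONLY from KEYS.

# Read `gpg --status-fd` lines on stdin and print one verdict:
#   IN_KEYS <fingerprint>   valid signature from a key in the keyring
#   UNKNOWN_KEY <key id>    signing key is not in the keyring (the case reported here)
#   BAD                     signature does not match the data
#   STALE <status>          signature or key is expired or revoked
#   INDETERMINATE           nothing conclusive; treat as a failure
classify_status() {
  awk '
    $1 != "[GNUPG:]"  { next }
    $2 == "VALIDSIG"  { good = $3 }
    $2 == "BADSIG"    { bad = 1 }
    $2 == "NO_PUBKEY" { missing = $3 }
    $2 == "EXPSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { stale = $2 }
    END {
      if (bad)                print "BAD"
      else if (missing != "") print "UNKNOWN_KEY " missing
      else if (stale != "")   print "STALE " stale
      else if (good != "")    print "IN_KEYS " good
      else                    print "INDETERMINATE"
    }'
}

# Usage: verify_release KEYS file.asc [file.asc ...]
# Returns 0 only if every signature was made by a key from KEYS.
verify_release() {
  local keys=$1 home asc verdict rc=0
  shift
  home=$(mktemp -d) || return 2
  # Throwaway GnuPG home: keys already in the caller's own keyring
  # cannot make a signature from outside KEYS look acceptable.
  if ! gpg --homedir "$home" --batch --quiet --import "$keys" 2>/dev/null; then
    rm -rf "$home"
    return 2
  fi
  for asc in "$@"; do
    verdict=$(gpg --homedir "$home" --batch --status-fd 1 --verify "$asc" 2>/dev/null | classify_status)
    printf '%s: %s\n' "$asc" "$verdict"
    case $verdict in
      IN_KEYS\ *) ;;
      *) rc=1 ;;
    esac
  done
  rm -rf "$home"
  return "$rc"
}
```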