Uploaded image for project: 'Apache Avro'
  1. Apache Avro
  2. AVRO-2604

Artifacts were signed with a key not in KEYS

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 1.9.1
    • Fix Version/s: 1.9.1
    • Component/s: community, release
    • Labels:
      None

      Description

      Downloads need to be checked against the KEYS obtained from the Avro project.

      Importing the current KEYS file gives:

      $ gpg --import KEYS
      gpg: key 0xDBAF69BEA7239D59: public key "Doug Cutting (Lucene guy) <cutting@apache.org>" imported
      gpg: key 0xB5E0D06745472392: public key "Jeff Hammerbacher (CODE SIGNING KEY) <hammer@apache.org>" imported
      gpg: key 0x4FB955854318F669: 3 signatures not checked due to missing keys
      gpg: key 0x4FB955854318F669: public key "Tom White (CODE SIGNING KEY) <tomwhite@apache.org>" imported
      gpg: key 0x99CCC523E1BE8DBE: public key "Tom White (APACHE CODE SIGNING KEY) <tomwhite@apache.org>" imported
      gpg: key 0xFCB3CBD9D3924CCD: public key "Ryan Blue (CODE SIGNING KEY) <blue@apache.org>" imported
      gpg: key 0x807934FCCCC7C3A8: public key "Suraj Acharya <suraj.spa@gmail.com>" imported
      gpg: Total number processed: 6
      gpg:               imported: 6
      gpg: no ultimately trusted keys found
      

      But the 1.9.1 release artifacts were not signed with any of the PGP keys in that file, for example:

      $ for asc in *.asc; do
      gpg --verify $asc
      echo
      done
      
      gpg: assuming signed data in 'Avro-1.9.1.tar.gz'
      gpg: Signature made Wed Aug 28 05:38:13 2019 EDT
      gpg:                using RSA key CEF487F848109B4C8B8AC18DE4AE0EB72D112483
      gpg: Can't check signature: No public key
      
      gpg: assuming signed data in 'avro-cpp-1.9.1.tar.gz'
      gpg: Signature made Wed Aug 28 05:38:23 2019 EDT
      gpg:                using RSA key CEF487F848109B4C8B8AC18DE4AE0EB72D112483
      gpg: Can't check signature: No public key
      
      gpg: assuming signed data in 'avro-doc-1.9.1.tar.gz'
      gpg: Signature made Wed Aug 28 05:38:23 2019 EDT
      gpg:                using RSA key CEF487F848109B4C8B8AC18DE4AE0EB72D112483
      gpg: Can't check signature: No public key
      
      gpg: assuming signed data in 'avro-js-1.9.1.tgz'
      gpg: Signature made Wed Aug 28 05:38:13 2019 EDT
      gpg:                using RSA key CEF487F848109B4C8B8AC18DE4AE0EB72D112483
      gpg: Can't check signature: No public key
      
      gpg: assuming signed data in 'avro-python3-1.9.1.tar.gz'
      gpg: Signature made Wed Aug 28 05:38:13 2019 EDT
      gpg:                using RSA key CEF487F848109B4C8B8AC18DE4AE0EB72D112483
      gpg: Can't check signature: No public key
      
      gpg: assuming signed data in 'avro-src-1.9.1.tar.gz'
      gpg: Signature made Wed Aug 28 05:38:23 2019 EDT
      gpg:                using RSA key CEF487F848109B4C8B8AC18DE4AE0EB72D112483
      gpg: Can't check signature: No public key
      

        Attachments

          Activity

            People

            • Assignee:
              fokko Fokko Driesprong
              Reporter:
              epibkr Eric Peterson
            • Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: