[https://issues.apache.org/jira/browse/AVRO-2604?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16958831#comment-16958831]
Eric Peterson commented on AVRO-2604:
-------------------------------------
It seems like the Apache projects follow a pattern of posting their KEYS file
using this pattern:
* https://archive.apache.org/dist/<project>/KEYS
For example:
* Kafka: [https://archive.apache.org/dist/kafka/KEYS]
* Groovy: [https://archive.apache.org/dist/groovy/KEYS]
[~fokko] are you suggesting that the equivalent link for Avro be removed /
disabled? I think it may be a better idea to just make both URLs point to the
same physical file on the backend, and keep with the Apache projects pattern.
> Artifacts were signed with a key not in KEYS
> --------------------------------------------
>
> Key: AVRO-2604
> URL: https://issues.apache.org/jira/browse/AVRO-2604
> Project: Apache Avro
> Issue Type: Bug
> Components: release
> Affects Versions: 1.9.1
> Reporter: Eric Peterson
> Priority: Major
>
> Downloads need to be checked against the KEYS obtained from the Avro project.
> Importing the current KEYS file gives:
> {noformat}
> $ gpg --import KEYS
> gpg: key 0xDBAF69BEA7239D59: public key "Doug Cutting (Lucene guy)
> <[email protected]>" imported
> gpg: key 0xB5E0D06745472392: public key "Jeff Hammerbacher (CODE SIGNING KEY)
> <[email protected]>" imported
> gpg: key 0x4FB955854318F669: 3 signatures not checked due to missing keys
> gpg: key 0x4FB955854318F669: public key "Tom White (CODE SIGNING KEY)
> <[email protected]>" imported
> gpg: key 0x99CCC523E1BE8DBE: public key "Tom White (APACHE CODE SIGNING KEY)
> <[email protected]>" imported
> gpg: key 0xFCB3CBD9D3924CCD: public key "Ryan Blue (CODE SIGNING KEY)
> <[email protected]>" imported
> gpg: key 0x807934FCCCC7C3A8: public key "Suraj Acharya <[email protected]>"
> imported
> gpg: Total number processed: 6
> gpg: imported: 6
> gpg: no ultimately trusted keys found
> {noformat}
> But the 1.9.1 release artifacts were not signed with any of the PGP keys in
> that file, for example:
> {noformat}
> $ for asc in *.asc; do
> gpg --verify $asc
> echo
> done
> gpg: assuming signed data in 'Avro-1.9.1.tar.gz'
> gpg: Signature made Wed Aug 28 05:38:13 2019 EDT
> gpg: using RSA key CEF487F848109B4C8B8AC18DE4AE0EB72D112483
> gpg: Can't check signature: No public key
> gpg: assuming signed data in 'avro-cpp-1.9.1.tar.gz'
> gpg: Signature made Wed Aug 28 05:38:23 2019 EDT
> gpg: using RSA key CEF487F848109B4C8B8AC18DE4AE0EB72D112483
> gpg: Can't check signature: No public key
> gpg: assuming signed data in 'avro-doc-1.9.1.tar.gz'
> gpg: Signature made Wed Aug 28 05:38:23 2019 EDT
> gpg: using RSA key CEF487F848109B4C8B8AC18DE4AE0EB72D112483
> gpg: Can't check signature: No public key
> gpg: assuming signed data in 'avro-js-1.9.1.tgz'
> gpg: Signature made Wed Aug 28 05:38:13 2019 EDT
> gpg: using RSA key CEF487F848109B4C8B8AC18DE4AE0EB72D112483
> gpg: Can't check signature: No public key
> gpg: assuming signed data in 'avro-python3-1.9.1.tar.gz'
> gpg: Signature made Wed Aug 28 05:38:13 2019 EDT
> gpg: using RSA key CEF487F848109B4C8B8AC18DE4AE0EB72D112483
> gpg: Can't check signature: No public key
> gpg: assuming signed data in 'avro-src-1.9.1.tar.gz'
> gpg: Signature made Wed Aug 28 05:38:23 2019 EDT
> gpg: using RSA key CEF487F848109B4C8B8AC18DE4AE0EB72D112483
> gpg: Can't check signature: No public key
> {noformat}
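The check that failed for 1.9.1, written out as an added example that is not Avro's own tooling or code from this thread: it parses the `gpg --verify` output for the signing key, compares that key against the fingerprints present in KEYS, and in `verify_release` runs the verification inside a throwaway keyring so a key from the verifier's personal keyring cannot satisfy the check. Function names, the constructed sample output and the assumption that a GnuPG 2.x `gpg` is on PATH are mine, not the page's.

```python
import re
import subprocess
import tempfile

# gpg --verify names the file it assumes the signature covers, then the signing key.
DATA_LINE = re.compile(r"signed data in '([^']+)'")
KEY_LINE = re.compile(r"using [A-Z0-9]+ key ([0-9A-Fa-f]{16,40})")

# Constructed sample mirroring the gpg output quoted in the issue (one artifact).
SAMPLE_VERIFY_OUTPUT = """gpg: assuming signed data in 'avro-src-1.9.1.tar.gz'
gpg: Signature made Wed Aug 28 05:38:23 2019 EDT
gpg:                using RSA key CEF487F848109B4C8B8AC18DE4AE0EB72D112483
gpg: Can't check signature: No public key
"""
# Long key IDs of the six keys the issue reports as imported from KEYS.
SAMPLE_KEYS_IDS = {"DBAF69BEA7239D59", "B5E0D06745472392", "4FB955854318F669",
                   "99CCC523E1BE8DBE", "FCB3CBD9D3924CCD", "807934FCCCC7C3A8"}

def parse_verify_output(text):
    """Map each artifact in gpg --verify output to the key ID or fingerprint used."""
    signer, current = {}, None
    for line in text.splitlines():
        if m := DATA_LINE.search(line):
            current = m.group(1)
        elif (m := KEY_LINE.search(line)) and current:
            signer[current] = m.group(1).upper()
    return signer

def unlisted_signers(verify_output, keys_ids):
    """{artifact: key} for artifacts whose signing key is absent from KEYS.
    A long key ID is the last 16 hex digits of a fingerprint, so match by suffix."""
    known = {k.upper() for k in keys_ids}
    return {a: k for a, k in parse_verify_output(verify_output).items()
            if not any(f.endswith(k) or k.endswith(f) for f in known)}

def verify_release(keys_path, asc_files):
    """Verify each .asc in a throwaway keyring holding only KEYS, so a key from the
    user's own keyring cannot satisfy the check; returns the unlisted signers."""
    with tempfile.TemporaryDirectory() as home:
        env = {"GNUPGHOME": home, "LC_ALL": "C", "PATH": "/usr/local/bin:/usr/bin:/bin"}
        subprocess.run(["gpg", "--batch", "--import", keys_path], env=env,
                       capture_output=True, check=True)
        stderr = "".join(subprocess.run(["gpg", "--batch", "--verify", asc], env=env,
                                        capture_output=True, text=True).stderr
                         for asc in asc_files)
        # The fingerprints now in the keyring (keys and subkeys) are exactly KEYS'.
        listing = subprocess.run(["gpg", "--batch", "--with-colons", "--fingerprint"],
                                 env=env, capture_output=True, text=True).stdout
        known = {l.split(":")[9] for l in listing.splitlines() if l.startswith("fpr:")}
        return unlisted_signers(stderr, known)
```

An empty result from `verify_release` means every artifact was signed by a key that KEYS carries; for 1.9.1 it would return all six tarballs mapped to the 2D112483 key.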