On 3/11/19 2:41 PM, Michael Shuler wrote:
> On 3/11/19 8:36 AM, staticp...@gmail.com wrote:
>> Hello,
>>
>> It appears the keys listed here are outdated. 
>> https://www.apache.org/dist/cassandra/KEYS
>>
>> Trying to install Cassandra 311x on Ubuntu 18.0.4. The recommendation is to 
>> use the keys from the link above; however, one of them is revoked. Others 
>> on this page are in the same state as well. Can someone from the dev group 
>> clean this up? It's a little unsettling when the official documentation - 
>> http://cassandra.apache.org/download/ - gives instructions to download revoked 
>> keys. 
>>
>> apt-key list
>>
>> --------------------
>> pub   rsa4096 2014-06-16 [SCEA] [revoked: 2016-08-16]
>>       7B0A 593A 9795 A964 AD57  D255 D46C 5ECB FE4B 2BDA
>> uid           [ revoked] Michael Shuler <mich...@pbandjelly.org>
>>
>> pub   rsa4096 2009-07-15 [SC]
>>       A26E 528B 271F 19B9 E5D8  E19E A278 B781 FE4B 2BDA
>> uid           [ unknown] Michael Shuler <mich...@pbandjelly.org>
>> uid           [ unknown] Michael Shuler <mshu...@gmail.com>
>> sub   rsa4096 2009-07-15 [E]
> 
> 
> These are not the same keys. It looks like you possibly did a short-key
> import (FE4B2BDA), as well as the long-key import, as the download
> instructions indicate.  Here's my valid key:
> 
> mshuler@hana:~$ gpg --list-secret-key --fingerprint FE4B2BDA
> gpg: please do a --check-trustdb
> sec   rsa4096 2009-07-15 [SC]
>       A26E 528B 271F 19B9 E5D8  E19E A278 B781 FE4B 2BDA
> uid           [ unknown] Michael Shuler <mich...@pbandjelly.org>
> uid           [ unknown] Michael Shuler <mshu...@gmail.com>
> ssb   rsa4096 2009-07-15 [E]
> 
> In 2016, someone took a list of the strong key set and uploaded keys
> with faked short-key identifiers matching those of existing keys. It's a
> joe job to identify the weakness of using short key identifiers. There
> are thousands of these fake keys, and they've been revoked.
> 
> https://www.zdnet.com/article/pgp-security-weakness-exposed/
> 
> Drop that bogus key from apt-keys:
> 
> apt-key del D46C5ECBFE4B2BDA
> 
> This message is signed with the correct key.

I forgot to mention that the bogus key you imported from a public key
server is *not* contained in https://www.apache.org/dist/cassandra/KEYS
- feel free to verify that independently.

-- 
Kind regards,
Michael

Attachment: signature.asc
Description: OpenPGP digital signature
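The confusion in this thread comes from matching keys by their 32-bit short ID. The following script is an added example, not code from the thread or from the Cassandra project: it parses constructed `gpg --list-keys --with-colons` output containing the two fingerprints quoted above, shows that both reduce to the same short ID FE4B2BDA while their long IDs and fingerprints differ, flags such collisions in a keyring, and shows why a lookup should be done by full fingerprint. The listing text (dates, hash fields, flag fields) is constructed sample data in gpg's colon format, not a real keyring dump.

```python
"""Detect short key-ID collisions in a GnuPG keyring listing (added example)."""
import re
from collections import defaultdict

# The two fingerprints quoted in the thread: the revoked look-alike key and the real one.
BOGUS_FPR = "7B0A593A9795A964AD57D255D46C5ECBFE4B2BDA"
REAL_FPR = "A26E528B271F19B9E5D8E19EA278B781FE4B2BDA"

# Constructed sample of `gpg --list-keys --with-colons` output (not a real dump).
# Field 2 of a pub record is validity ('r' = revoked), field 5 is the long key ID,
# field 10 of an fpr record is the full fingerprint.
SAMPLE_LISTING = """\
pub:r:4096:1:D46C5ECBFE4B2BDA:1402876800:::-:::scESCA::::::23::0:
fpr:::::::::7B0A593A9795A964AD57D255D46C5ECBFE4B2BDA:
uid:r::::1402876800::0000000000000000000000000000000000000000::Michael Shuler <mich...@pbandjelly.org>::::::::::0:
pub:-:4096:1:A278B781FE4B2BDA:1247616000:::-:::scESC::::::23::0:
fpr:::::::::A26E528B271F19B9E5D8E19EA278B781FE4B2BDA:
uid:-::::1247616000::1111111111111111111111111111111111111111::Michael Shuler <mich...@pbandjelly.org>::::::::::0:
uid:-::::1247616000::2222222222222222222222222222222222222222::Michael Shuler <mshu...@gmail.com>::::::::::0:
sub:-:4096:1:0000000000000000:1247616000::::::e::::::23:
fpr:::::::::0000000000000000000000000000000000000000:
"""

HEX40 = re.compile(r"^[0-9A-F]{40}$")


def normalize_fpr(fpr: str) -> str:
    """Strip the spacing gpg prints and upper-case a 40-hex-digit v4 fingerprint."""
    compact = re.sub(r"\s+", "", fpr).upper()
    if not HEX40.match(compact):
        raise ValueError(f"not a v4 fingerprint: {fpr!r}")
    return compact


def short_key_id(fpr: str) -> str:
    """32-bit key ID: the last 8 hex digits of the fingerprint (e.g. FE4B2BDA)."""
    return normalize_fpr(fpr)[-8:]


def long_key_id(fpr: str) -> str:
    """64-bit key ID: the last 16 hex digits of the fingerprint."""
    return normalize_fpr(fpr)[-16:]


def parse_colon_listing(text: str) -> list:
    """Parse colon-format output into one dict per primary key (subkeys are skipped)."""
    keys = []
    current = None
    for line in text.splitlines():
        fields = line.split(":")
        rtype = fields[0]
        if rtype == "pub":
            current = {"validity": fields[1], "long_id": fields[4].upper(),
                       "fpr": None, "uids": []}
            keys.append(current)
        elif rtype == "fpr" and current is not None and current["fpr"] is None:
            # The first fpr record after a pub line is the primary key's fingerprint;
            # later fpr records belong to subkeys and are ignored.
            current["fpr"] = normalize_fpr(fields[9])
        elif rtype == "uid" and current is not None:
            current["uids"].append(fields[9])
    return keys


def find_short_id_collisions(keys: list) -> dict:
    """Map each short ID shared by more than one distinct fingerprint to those fingerprints."""
    by_short = defaultdict(set)
    for key in keys:
        by_short[short_key_id(key["fpr"])].add(key["fpr"])
    return {sid: sorted(fprs) for sid, fprs in by_short.items() if len(fprs) > 1}


def select_keys(keys: list, requested: str) -> list:
    """Return every key whose fingerprint ends with the requested identifier.

    A short ID can match several keys; a full fingerprint identifies exactly one.
    """
    suffix = re.sub(r"\s+", "", requested).upper()
    return [key for key in keys if key["fpr"].endswith(suffix)]


if __name__ == "__main__":
    keys = parse_colon_listing(SAMPLE_LISTING)
    for key in keys:
        status = "REVOKED" if key["validity"] == "r" else "valid"
        print(f"{key['fpr']}  short={short_key_id(key['fpr'])}  {status}")
    for sid, fprs in find_short_id_collisions(keys).items():
        print(f"short ID {sid} is shared by {len(fprs)} keys: {fprs}")
    print("matches for FE4B2BDA:", len(select_keys(keys, "FE4B2BDA")))
    print("matches for full fingerprint:", len(select_keys(keys, REAL_FPR)))
```

Run against a real keyring with `gpg --list-keys --with-colons | python3 check_short_ids.py` after replacing `SAMPLE_LISTING` with `sys.stdin.read()`; any short ID reported as shared is one that must not be used in `apt-key` or `gpg --recv-keys` commands, and the fingerprint listed in the project's KEYS file is the value to compare against.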
