-1 (binding) Looks like your key from the KEYS file has expired? Per Apache FAQs <https://infra.apache.org/release-signing#verifying-signature>, "A signature is valid, if gpg verifies the .asc as a good signature, and doesn't complain about expired or revoked keys."
gpg --verify hbase-2.3.0-src.tar.gz.asc hbase-2.3.0-src.tar.gz > gpg: Signature made Mon 15 Jun 2020 08:41:19 PM PDT > gpg: using RSA key 6EF6CEC74B89B9293B4D9CD0AD9039071C3489BD > gpg: issuer "ndimi...@apache.org" > gpg: Good signature from "Nick Dimiduk <ndimi...@apache.org>" [expired] > gpg: aka "Nick Dimiduk <ndimi...@gmail.com>" [expired] > gpg: Note: This key has expired! > Primary key fingerprint: 3A74 917C 0C45 844F B816 BB4A CA36 33F1 8644 EEB6 > Subkey fingerprint: 6EF6 CEC7 4B89 B929 3B4D 9CD0 AD90 3907 1C34 89BD On Tue, Jun 16, 2020 at 9:36 AM Nick Dimiduk <ndimi...@apache.org> wrote: > Please vote on this Apache hbase release candidate, > hbase-2.3.0RC0 > > The VOTE will remain open for at least 72 hours. > > [ ] +1 Release this package as Apache hbase 2.3.0 > [ ] -1 Do not release this package because ... > > The tag to be voted on is 2.3.0RC0: > > https://github.com/apache/hbase/tree/2.3.0RC0 > > The release files, including signatures, digests, as well as CHANGES.md > and RELEASENOTES.md included in this RC can be found at: > > https://dist.apache.org/repos/dist/dev/hbase/2.3.0RC0/ > > Maven artifacts are available in a staging repository at: > > https://repository.apache.org/content/repositories/orgapachehbase-1393/ > > Artifacts were signed with the ndimi...@apache.org key which can be found > in: > > https://dist.apache.org/repos/dist/release/hbase/KEYS > > To learn more about Apache hbase, please see > > http://hbase.apache.org/ > > Thanks, > Your HBase Release Manager >
