+ mentors

Thanks for testing the release Matt. I ran into the same issue while testing it myself. So I double checked older releases 2.9.0 and 2.8.0 and I saw the same behavior.

gpg --verify apache-impala-incubating-2.9.0.tar.gz.asc apache-impala-incubating-2.9.0.tar.gz
gpg: Signature made Fri 02 Jun 2017 12:25:45 PM PDT using RSA key ID 9522D0F3
gpg: Good signature from "Taras Bobrovytsky (CODE SIGNING KEY) <[email protected]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8B3E 3FC6 7005 4F52 2421 EEA9 8F3F 86FA 9522 D0F3

gpg --verify apache-impala-incubating-2.8.0.tar.gz.asc apache-impala-incubating-2.8.0.tar.gz
gpg: Signature made Sat 07 Jan 2017 10:50:22 AM PST using RSA key ID 6850196C
gpg: Good signature from "Jim Apple (CODE SIGNING KEY) <[email protected]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 11EA E1B3 F3D9 9D7F 897E 4601 91EE 4306 6850 196C

I tried to dig into it and this looks like a pretty common problem [1]. But, I'm not totally sure about the standard practices to make a key trusted. Does anyone else in the community know what are the best practices around this and how it works with other Apache projects?

[1] https://serverfault.com/questions/569911/how-to-verify-an-imported-gpg-key

On Mon, Aug 28, 2017 at 10:26 AM, Matthew Jacobs <[email protected]> wrote:
> Bharath, is your key set up correctly?
>
> Running the script on
> https://cwiki.apache.org/confluence/display/IMPALA/How+to+Release#HowtoRelease-HowtoVoteonaReleaseCandidate
> resulted in this warning indicating that your signature is not
> trusted:
>
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the owner.
>
> Maybe someone who has RM'd before can comment on this.
>
>
> ...
> gpg: key 6850196C: public key "Jim Apple (CODE SIGNING KEY) <[email protected]>" imported
> gpg: key 9522D0F3: public key "Taras Bobrovytsky (CODE SIGNING KEY) <[email protected]>" imported
> gpg: key 64DAB27C: public key "Bharath Vissapragada <[email protected]>" imported
> gpg: Total number processed: 3
> gpg: imported: 3 (RSA: 3)
> gpg: no ultimately trusted keys found
> + echo 'If in an interactive shell, At the prompt, enter '\''5'\'' for '\''I trust ultimately'\'', then '\''y'\'' for '\''yes'\'', then '\''q'\'' for '\''quit'\'''
> If in an interactive shell, At the prompt, enter '5' for 'I trust ultimately', then 'y' for 'yes', then 'q' for 'quit'
> + [[ ehuxB == *i* ]]
> + echo 'Download the release artifacts:'
> Download the release artifacts:
> + for SUFFIX in gz gz.asc gz.md5 gz.sha512
> + wget -q https://dist.apache.org/repos/dist/dev/incubator/impala/2.10.0/RC1/apache-impala-incubating-2.10.0.tar.gz
> + for SUFFIX in gz gz.asc gz.md5 gz.sha512
> + wget -q https://dist.apache.org/repos/dist/dev/incubator/impala/2.10.0/RC1/apache-impala-incubating-2.10.0.tar.gz.asc
> + for SUFFIX in gz gz.asc gz.md5 gz.sha512
> + wget -q https://dist.apache.org/repos/dist/dev/incubator/impala/2.10.0/RC1/apache-impala-incubating-2.10.0.tar.gz.md5
> + for SUFFIX in gz gz.asc gz.md5 gz.sha512
> + wget -q https://dist.apache.org/repos/dist/dev/incubator/impala/2.10.0/RC1/apache-impala-incubating-2.10.0.tar.gz.sha512
> + echo 'Check the checksums:'
> Check the checksums:
> + md5sum --check apache-impala-incubating-2.10.0.tar.gz.md5
> apache-impala-incubating-2.10.0.tar.gz: OK
> + sha512sum --check apache-impala-incubating-2.10.0.tar.gz.sha512
> apache-impala-incubating-2.10.0.tar.gz: OK
> + echo 'Check the signature:'
> Check the signature:
> + gpg --verify apache-impala-incubating-2.10.0.tar.gz.asc apache-impala-incubating-2.10.0.tar.gz
> gpg: Signature made Sun 27 Aug 2017 06:48:18 PM PDT using RSA key ID 64DAB27C
> gpg: Good signature from "Bharath Vissapragada <[email protected]>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the owner.
>
> On Sun, Aug 27, 2017 at 10:32 PM, Bharath Vissapragada <[email protected]> wrote:
> > This is a vote to release Impala 2.10.0.
> >
> > - The artefacts for testing can be downloaded from
> > <https://dist.apache.org/repos/dist/dev/incubator/impala/2.10.0/RC1/>.
> >
> > - The git tag for this release candidate is 2.10.0-rc1 and tree hash is
> > visible at
> > <https://git-wip-us.apache.org/repos/asf?p=incubator-impala.git;a=tree;hb=2a7c8b9011905bfeb21b0610f0739f9df9daacef>
> >
> > Please vote +1 or -1. -1 votes should be accompanied by an explanation of
> > the reason. Only PPMC members and mentors have binding votes, but other
> > community members are encouraged to cast non-binding votes. This vote will
> > pass if there are 3 binding +1 votes and more binding +1 votes than -1
> > votes.
> >
> > This wiki page describes how to check the release before you vote:
> > https://cwiki.apache.org/confluence/display/IMPALA/How+to+Release#HowtoRelease-HowtoVoteonaReleaseCandidate
> >
> > The vote will be open until the end of Wednesday, August 30, Pacific time
> > zone (UTC-08:00).
> > Once the vote passes the Impala PPMC vote, it still must pass the incubator
> > PMC vote before a release is made.
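
An added example, not part of the original message or of the Impala release script: the warning quoted in this thread reports that gpg found no trust path to the key, which is separate from whether the signature itself verified. The sketch below parses gpg's machine-readable `--status-fd` lines and accepts a release only when the signature is valid and the primary key fingerprint equals one the verifier obtained through a channel they trust; `classify_sig` is a hypothetical helper, and the status lines are constructed from the 2.9.0 output above.

```shell
#!/bin/sh
# Constructed sample of `gpg --status-fd 1 --verify` output for the 2.9.0
# check quoted above (timestamp and algorithm fields are made up).
SAMPLE_STATUS='[GNUPG:] GOODSIG 8F3F86FA9522D0F3 Taras Bobrovytsky (CODE SIGNING KEY)
[GNUPG:] VALIDSIG 8B3E3FC670054F522421EEA98F3F86FA9522D0F3 2017-06-02 1496431545 0 4 0 1 8 00 8B3E3FC670054F522421EEA98F3F86FA9522D0F3
[GNUPG:] TRUST_UNDEFINED'

# classify_sig STATUS_TEXT PINNED_FINGERPRINT   (hypothetical helper)
# Prints one verdict; returns 0 only for a valid signature made by the
# pinned key. The TRUST_* level is reported but does not change the verdict.
classify_sig() {
  local status pinned good bad primary trust line
  status=$1
  # Normalise "8B3E 3FC6 ..." to 40 upper-case hex digits.
  pinned=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
  good=0; bad=0; primary=""; trust="NONE"
  while IFS= read -r line; do
    case $line in
      "[GNUPG:] GOODSIG "*) good=1 ;;
      "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*) bad=1 ;;
      "[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*) bad=1 ;;
      # Last VALIDSIG field is the primary key fingerprint.
      "[GNUPG:] VALIDSIG "*) primary=${line##* } ;;
      "[GNUPG:] TRUST_"*) trust=${line#"[GNUPG:] TRUST_"}; trust=${trust%% *} ;;
    esac
  done <<EOF
$status
EOF
  if [ "$bad" -eq 1 ] || [ "$good" -eq 0 ] || [ -z "$primary" ]; then
    echo "INVALID"; return 2
  fi
  if [ "$primary" != "$pinned" ]; then
    echo "VALID_BUT_UNEXPECTED_KEY"; return 1
  fi
  echo "VALID_PINNED_KEY trust=$trust"
}

# Real use: status=$(gpg --status-fd 1 --verify FILE.asc FILE 2>/dev/null)
classify_sig "$SAMPLE_STATUS" "8B3E 3FC6 7005 4F52 2421 EEA9 8F3F 86FA 9522 D0F3"
```

The fingerprint passed as the second argument has to come from somewhere other than the download being checked, otherwise the comparison proves nothing about who owns the key.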
