Thanks Todd for the quick help. I read more about it and I found this link [1] interesting. So, looks like we need to grow our "web of trust" and one way I think is to trust the keys of RMs in the KEYS file, especially given they have write permission to the directory and could update that file. As per the link I mentioned, this doesn't look like a standard Apache practice, but I don't see any other way (please correct me if I'm wrong).
[1] https://mirror-vm.apache.org/~henkp/trust/

On Mon, Aug 28, 2017 at 11:14 AM, Todd Lipcon <[email protected]> wrote:

> Hey Bharath,
>
> Take a look at https://www.apache.org/dev/release-signing.html#web-of-trust
> -- it has some info on the GPG "web of trust". Basically, you need to
> either directly trust Jim's key 6850196C, or you need to trust someone who
> trusts him, etc. If you haven't yourself signed or trusted anyone's keys,
> then no one's signature will be considered trusted for you.
>
> Typically projects also publish a KEYS file in their distribution
> directory which would be able to verify that the signing key at least
> matches the one that was uploaded via ASF infrastructure.
>
> -Todd
>
> On Mon, Aug 28, 2017 at 11:09 AM, Bharath Vissapragada <[email protected]> wrote:
>
>> + mentors
>>
>> Thanks for testing the release Matt. I ran into the same issue while
>> testing it myself. So I double checked older releases 2.9.0 and 2.8.0 and I
>> saw the same behavior.
>>
>> gpg --verify apache-impala-incubating-2.9.0.tar.gz.asc apache-impala-incubating-2.9.0.tar.gz
>> gpg: Signature made Fri 02 Jun 2017 12:25:45 PM PDT using RSA key ID 9522D0F3
>> gpg: Good signature from "Taras Bobrovytsky (CODE SIGNING KEY) <[email protected]>"
>> gpg: WARNING: This key is not certified with a trusted signature!
>> gpg: There is no indication that the signature belongs to the owner.
>> Primary key fingerprint: 8B3E 3FC6 7005 4F52 2421 EEA9 8F3F 86FA 9522 D0F3
>>
>> gpg --verify apache-impala-incubating-2.8.0.tar.gz.asc apache-impala-incubating-2.8.0.tar.gz
>> gpg: Signature made Sat 07 Jan 2017 10:50:22 AM PST using RSA key ID 6850196C
>> gpg: Good signature from "Jim Apple (CODE SIGNING KEY) <[email protected]>"
>> gpg: WARNING: This key is not certified with a trusted signature!
>> gpg: There is no indication that the signature belongs to the owner.
>> Primary key fingerprint: 11EA E1B3 F3D9 9D7F 897E 4601 91EE 4306 6850 196C
>>
>> I tried to dig into it and this looks like a pretty common problem [1].
>> But, I'm not totally sure about the standard practices to make a key
>> trusted. Does anyone else in the community know what the best practices
>> are around this and how it works with other Apache projects?
>>
>> [1] https://serverfault.com/questions/569911/how-to-verify-an-imported-gpg-key
>>
>>
>> On Mon, Aug 28, 2017 at 10:26 AM, Matthew Jacobs <[email protected]> wrote:
>>
>>> Bharath, is your key set up correctly?
>>>
>>> Running the script on
>>> https://cwiki.apache.org/confluence/display/IMPALA/How+to+Release#HowtoRelease-HowtoVoteonaReleaseCandidate
>>> resulted in this warning indicating that your signature is not trusted:
>>>
>>> gpg: WARNING: This key is not certified with a trusted signature!
>>> gpg: There is no indication that the signature belongs to the owner.
>>>
>>> Maybe someone who has RM'd before can comment on this.
>>>
>>>
>>> ...
>>> gpg: key 6850196C: public key "Jim Apple (CODE SIGNING KEY) <[email protected]>" imported
>>> gpg: key 9522D0F3: public key "Taras Bobrovytsky (CODE SIGNING KEY) <[email protected]>" imported
>>> gpg: key 64DAB27C: public key "Bharath Vissapragada <[email protected]>" imported
>>> gpg: Total number processed: 3
>>> gpg: imported: 3 (RSA: 3)
>>> gpg: no ultimately trusted keys found
>>> + echo 'If in an interactive shell, At the prompt, enter '\''5'\'' for '\''I trust ultimately'\'', then '\''y'\'' for '\''yes'\'', then '\''q'\'' for '\''quit'\'''
>>> If in an interactive shell, At the prompt, enter '5' for 'I trust ultimately', then 'y' for 'yes', then 'q' for 'quit'
>>> + [[ ehuxB == *i* ]]
>>> + echo 'Download the release artifacts:'
>>> Download the release artifacts:
>>> + for SUFFIX in gz gz.asc gz.md5 gz.sha512
>>> + wget -q https://dist.apache.org/repos/dist/dev/incubator/impala/2.10.0/RC1/apache-impala-incubating-2.10.0.tar.gz
>>> + for SUFFIX in gz gz.asc gz.md5 gz.sha512
>>> + wget -q https://dist.apache.org/repos/dist/dev/incubator/impala/2.10.0/RC1/apache-impala-incubating-2.10.0.tar.gz.asc
>>> + for SUFFIX in gz gz.asc gz.md5 gz.sha512
>>> + wget -q https://dist.apache.org/repos/dist/dev/incubator/impala/2.10.0/RC1/apache-impala-incubating-2.10.0.tar.gz.md5
>>> + for SUFFIX in gz gz.asc gz.md5 gz.sha512
>>> + wget -q https://dist.apache.org/repos/dist/dev/incubator/impala/2.10.0/RC1/apache-impala-incubating-2.10.0.tar.gz.sha512
>>> + echo 'Check the checksums:'
>>> Check the checksums:
>>> + md5sum --check apache-impala-incubating-2.10.0.tar.gz.md5
>>> apache-impala-incubating-2.10.0.tar.gz: OK
>>> + sha512sum --check apache-impala-incubating-2.10.0.tar.gz.sha512
>>> apache-impala-incubating-2.10.0.tar.gz: OK
>>> + echo 'Check the signature:'
>>> Check the signature:
>>> + gpg --verify apache-impala-incubating-2.10.0.tar.gz.asc apache-impala-incubating-2.10.0.tar.gz
>>> gpg: Signature made Sun 27 Aug 2017 06:48:18 PM PDT using RSA key ID 64DAB27C
>>> gpg: Good signature from "Bharath Vissapragada <[email protected]>"
>>> gpg: WARNING: This key is not certified with a trusted signature!
>>> gpg: There is no indication that the signature belongs to the owner.
>>>
>>> On Sun, Aug 27, 2017 at 10:32 PM, Bharath Vissapragada <[email protected]> wrote:
>>> > This is a vote to release Impala 2.10.0.
>>> >
>>> > - The artefacts for testing can be downloaded from
>>> > <https://dist.apache.org/repos/dist/dev/incubator/impala/2.10.0/RC1/>.
>>> >
>>> > - The git tag for this release candidate is 2.10.0-rc1 and tree hash is
>>> > visible at
>>> > <https://git-wip-us.apache.org/repos/asf?p=incubator-impala.git;a=tree;hb=2a7c8b9011905bfeb21b0610f0739f9df9daacef>
>>> >
>>> > Please vote +1 or -1. -1 votes should be accompanied by an explanation of
>>> > the reason. Only PPMC members and mentors have binding votes, but other
>>> > community members are encouraged to cast non-binding votes. This vote will
>>> > pass if there are 3 binding +1 votes and more binding +1 votes than -1
>>> > votes.
>>> >
>>> > This wiki page describes how to check the release before you vote:
>>> > https://cwiki.apache.org/confluence/display/IMPALA/How+to+Release#HowtoRelease-HowtoVoteonaReleaseCandidate
>>> >
>>> > The vote will be open until the end of Wednesday, August 30, Pacific time
>>> > zone (UTC-08:00).
>>> > Once the vote passes the Impala PPMC vote, it still must pass the incubator
>>> > PMC vote before a release is made.
>>>
>>
>
>
> --
> Todd Lipcon
> Software Engineer, Cloudera
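The check Todd describes, done mechanically, as an added example that is not part of the thread or of the Impala release scripts: instead of depending on web-of-trust validity (which produces the WARNING above), the verifier reads gpg's machine-readable `--status-fd` output and requires the VALIDSIG primary-key fingerprint to match one pinned in the project's KEYS file. The KEYS excerpt and the gpg status lines are constructed from the two fingerprints quoted in the thread, and the KEYS layout assumes the `Key fingerprint =` lines that `gpg --fingerprint` prints.

```python
import re
import subprocess

# Constructed KEYS excerpt in the `Key fingerprint =` layout gpg prints; the
# two fingerprints are the ones quoted in the thread, other lines trimmed.
KEYS_TEXT = """\
      Key fingerprint = 11EA E1B3 F3D9 9D7F 897E  4601 91EE 4306 6850 196C
uid                  Jim Apple (CODE SIGNING KEY)
      Key fingerprint = 8B3E 3FC6 7005 4F52 2421  EEA9 8F3F 86FA 9522 D0F3
uid                  Taras Bobrovytsky (CODE SIGNING KEY)
"""
# Constructed `gpg --status-fd 1 --verify` output matching the 2.8.0 check in
# the thread. TRUST_UNDEFINED is the machine-readable form of the WARNING.
SAMPLE_STATUS = [
    "[GNUPG:] GOODSIG 91EE43066850196C Jim Apple (CODE SIGNING KEY)",
    "[GNUPG:] VALIDSIG 11EAE1B3F3D99D7F897E460191EE43066850196C 2017-01-07 "
    "1483815022 0 4 0 1 10 00 11EAE1B3F3D99D7F897E460191EE43066850196C",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
FPR_RE = re.compile(r"Key fingerprint\s*=\s*((?:[0-9A-Fa-f]{4}\s*){10})")

def trusted_fingerprints(keys_text):
    """Set of 40-hex primary fingerprints pinned in a KEYS file."""
    return {re.sub(r"\s+", "", m).upper() for m in FPR_RE.findall(keys_text)}

def evaluate_status(status_lines, pinned):
    """Accept only a GOODSIG whose VALIDSIG primary fingerprint is pinned.
    Web-of-trust level (TRUST_*) is ignored on purpose: KEYS is the anchor."""
    goodsig, primary = False, None
    for line in status_lines:
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] == "GOODSIG":
            goodsig = True
        elif parts[1] == "VALIDSIG":
            # field 11 = primary key fpr when present, else the signing-key fpr
            primary = (parts[11] if len(parts) > 11 else parts[2]).upper()
        elif parts[1] in ("BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG"):
            return False, parts[1]
    if not (goodsig and primary):
        return False, "no valid signature"
    if primary not in pinned:
        return False, "signer %s is not listed in KEYS" % primary
    return True, "signed by pinned key %s" % primary

def verify_release(asc_path, artifact_path, keys_text):
    """Live check: needs gpg installed and the KEYS file already imported."""
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", asc_path,
                           artifact_path], capture_output=True, text=True)
    return evaluate_status(proc.stdout.splitlines(), trusted_fingerprints(keys_text))
```

A key that is merely imported (the "no ultimately trusted keys found" state in the script output) still passes this check, because the decision rests on the fingerprint match against KEYS rather than on the local trust database.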
