Per https://www.apache.org/dev/release-distribution#sigs-and-sums
correctly, the KEYS file is required, hence my comment.

Alan.

On Tue, Mar 13, 2018 at 10:34 AM, Henk P. Penning <penn...@uu.nl> wrote:

> On Tue, 13 Mar 2018, Alan Gates wrote:
>
> Date: Tue, 13 Mar 2018 18:04:08 +0100
>> From: Alan Gates <alanfga...@gmail.com>
>> To: general@incubator.apache.org
>> Subject: Re: [VOTE]: Apache HAWQ 2.3.0.0-incubating Release
>>
>> ‚ÄčI can't find a KEYS file anywhere in HAWQ to check the key
>> against.  There is also no name associated with the key, so I'm not
>> clear how to check the signature.
>>
>
>   Actually, you don't need a KEYS file to verify a .asc :
>
>   % gpg apache-hawq-src-2.3.0.0-incubating.tar.gz.asc
>   gpg: Signature made Tue 27 Feb 2018 04:35:17 AM CET
>   gpg:                using RSA key CE60F90D1333092A
>   gpg: Can't check signature: No public key
>
>   No public key ; so, fetch it :
>
>   % gpg --keyserver pgp.surfnet.nl --recv-key CE60F90D1333092A
>   gpg: requesting key CE60F90D1333092A from hkp server pgp.surfnet.nl
>   gpg: key CE60F90D1333092A: public key "Yi Jin <y...@apache.org>"
> imported
>   gpg: Total number processed: 1
>   gpg:               imported: 1  (RSA: 1)
>
>   ... and --verify :
>
>   % gpg --verify apache-hawq-src-2.3.0.0-incubating.tar.gz.asc
>   gpg: Signature made Tue 27 Feb 2018 04:35:17 AM CET
>   gpg:                using RSA key CE60F90D1333092A
>   gpg: Good signature from "Yi Jin <y...@apache.org>"
>   gpg: WARNING: This key is not certified with a trusted signature!
>   gpg:          There is no indication that the signature belongs to the
> owner.
>   Primary key fingerprint: 41B0 0770 75DF DAFC F809  9A91 CE60 F90D 1333
> 092A
>
>   % gpg --verify apache-hawq-rpm-2.3.0.0-incubating-rc2.tar.gz.asc
>   gpg: Signature made Tue 27 Feb 2018 04:38:53 AM CET
>   gpg:                using RSA key CE60F90D1333092A
>   gpg: Good signature from "Yi Jin <y...@apache.org>"
>   gpg: WARNING: This key is not certified with a trusted signature!
>   gpg:          There is no indication that the signature belongs to the
> owner.
>   Primary key fingerprint: 41B0 0770 75DF DAFC F809  9A91 CE60 F90D 1333
> 092A
>
>   Note :
>   - Always use long (16-hex) key-id's, because short (8-hex)
>     key-id's often point (also) to fake keys.
>     In your $HOME/.gnupg/gpg.conf configure : keyid-format long
>   - To check that CE60F90D1333092A is authorised to sign the artifacts,
>     is another matter.
>
>   IMHO, KEYS files serve no purpose.
>
>   Regards,
>
>   Henk Penning
>
> ------------------------------------------------------------   _
> Henk P. Penning, ICT-beta                 R Uithof MG-403    _/ \_
> Faculty of Science, Utrecht University    T +31 30 253 4106 / \_/ \
> Leuvenlaan 4, 3584CE Utrecht, NL          F +31 30 253 4553 \_/ \_/
> http://www.staff.science.uu.nl/~penni101/ M penn...@uu.nl     \_/
>
> On Mon, Mar 12, 2018 at 7:56 PM, Roman Shaposhnik <ro...@shaposhnik.org>
>> wrote:
>>
>> +1 (binding)
>>>
>>> * checked sigs and checksums
>>> * checked licenses
>>> * checked for archive matching git tag
>>>
>>> Thanks,
>>> Roman.
>>>
>>>
>>> On Mon, Mar 12, 2018 at 12:21 PM, Konstantin Boudnik <c...@apache.org>
>>> wrote:
>>>
>>>> +1 [biding]
>>>>
>>>> - signature check [ok]
>>>> - checksum check [ok]
>>>> - licenses check (RAT) [ok]
>>>>
>>>> I haven't tried to build it because of the complexity of the build
>>>> process and multiplicity of the environment configurations. To lower
>>>> the entry barrier, I would recommend the community to think how to
>>>> wrap these steps into the build system. You can go as far as to
>>>> provide an "official" toolchain for the project. In Bigtop, we even
>>>> provide official Docker containers were people can start working with
>>>> the project in under 2 minutes and without any need for additional
>>>> error prone configuration steps.
>>>> --
>>>>   With regards,
>>>> Konstantin (Cos) Boudnik
>>>> 2CAC 8312 4870 D885 8616  6115 220F 6980 1F27 E622
>>>>
>>>> Disclaimer: Opinions expressed in this email are those of the author,
>>>> and do not necessarily represent the views of any company the author
>>>> might be affiliated with at the moment of writing.
>>>>
>>>>
>>>> On Tue, Mar 6, 2018 at 6:56 PM, Yi JIN <y...@apache.org> wrote:
>>>>
>>>>> Hi IPMC members,
>>>>>
>>>>> The PPMC vote for the Apache HAWQ 2.3.0.0-incubating release has
>>>>> passed.
>>>>> So I request IPMC now to vote on this release candidate. Thank you!
>>>>>
>>>>> The release page is here:
>>>>> https://cwiki.apache.org/confluence/display/HAWQ/Apache+HAWQ+2.3.0.0-
>>>>>
>>>> incubating+Release
>>>
>>>>
>>>>> The PPMC vote thread is located here:
>>>>> https://lists.apache.org/thread.html/fa5b41cd7461bd729146e10d8f7a54
>>>>>
>>>> 156c818f93e5a1160c42e76c79@%3Cdev.hawq.apache.org%3E
>>>
>>>>
>>>>> The artifacts can be downloaded here:
>>>>> https://dist.apache.org/repos/dist/dev/incubator/hawq/2.3.0.
>>>>>
>>>> 0-incubating.RC2/
>>>
>>>> The artifacts have been signed with Key : CE60F90D1333092A
>>>>>
>>>>> All JIRAs completed for this release are tagged with 'FixVersion
>>>>> =2.3.0.0-incubating'
>>>>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?
>>>>>
>>>> version=12340262&styleName=Html&projectId=12318826
>>>
>>>>
>>>>> Please vote accordingly:
>>>>> [ ] +1, accept as the official Apache HAWQ 2.3.0.0-incubating release
>>>>> [ ] -1, do not accept as the official Apache HAWQ 2.3.0.0-incubating
>>>>>
>>>> release
>>>
>>>> because...
>>>>>
>>>>> The vote will run for at least 72 hours.
>>>>>
>>>>> Best regards,
>>>>> Yi Jin (yjin)
>>>>>
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
>>>> For additional commands, e-mail: general-h...@incubator.apache.org
>>>>
>>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
>>> For additional commands, e-mail: general-h...@incubator.apache.org
>>>
>>>
>>>
>>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
> For additional commands, e-mail: general-h...@incubator.apache.org
>

Reply via email to