kou commented on PR #46933: URL: https://github.com/apache/arrow/pull/46933#issuecomment-3018205632
Hmm. My key was rejected: https://github.com/ursacomputing/crossbow/actions/runs/15961795295/job/45015405987#step:16:482

```text
Importing GPG key 0x079F8007:
 Userid     : ""
 Fingerprint: 08D3 564B 7C6A 9CAF BFF6 A667 91D1 8FCF 079F 8007
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-Apache-Arrow
error: Certificate 91D18FCF079F8007:
  Policy rejects 91D18FCF079F8007: No binding signature at time 2025-06-30T02:06:48Z
```

It seems that my subkey uses SHA-1:

```console
$ gpg --armor --export '41DE1518CC0826F5!' | gpg --list-packets
...
# off=21634 ctb=89 tag=2 hlen=3 plen=543
:signature packet: algo 1, keyid 91D18FCF079F8007
	version 4, created 1283151270, md5len 0, sigclass 0x18
	digest algo 2, begin of digest 79 7d
	hashed subpkt 2 len 4 (sig created 2010-08-30)
	hashed subpkt 27 len 1 (key flags: 0C)
	subpkt 16 len 8 (issuer key ID 91D18FCF079F8007)
	data: [4093 bits]
```

`digest algo 2` is the important part and `2` is SHA-1: https://www.rfc-editor.org/rfc/rfc9580.html#section-9.5

> | ID | Algorithm | Text Name | V6 Signature Salt Size |
> |----|-----------|-----------|------------------------|
> | 2 | SHA-1 [[FIPS180](https://www.rfc-editor.org/rfc/rfc9580.html#FIPS180)] | "SHA1" | N/A |

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
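The check kou did by eye on the `gpg --list-packets` output can be scripted. The following is an added example, not part of the comment or of Arrow's tooling: it scans a listing for signature packets whose digest algorithm is MD5, SHA-1 or RIPEMD-160 (IDs 1, 2 and 3 in RFC 9580 section 9.5). The function name, the set of IDs treated as weak, and the second sample packet are assumptions made for the illustration.

```python
import re

# Hash algorithm IDs from RFC 9580 section 9.5 (the comment cites ID 2 = SHA-1).
HASH_NAMES = {1: "MD5", 2: "SHA-1", 3: "RIPEMD-160", 8: "SHA2-256",
              9: "SHA2-384", 10: "SHA2-512", 11: "SHA2-224"}
WEAK_HASHES = {1, 2, 3}  # assumption: the set this check treats as policy-rejected
SIG_CLASSES = {0x13: "positive certification", 0x18: "subkey binding",
               0x19: "primary key binding", 0x1F: "direct key"}

# First packet: taken from the comment. Second packet: constructed for contrast.
SAMPLE = """\
# off=21634 ctb=89 tag=2 hlen=3 plen=543
:signature packet: algo 1, keyid 91D18FCF079F8007
\tversion 4, created 1283151270, md5len 0, sigclass 0x18
\tdigest algo 2, begin of digest 79 7d
\thashed subpkt 2 len 4 (sig created 2010-08-30)
\thashed subpkt 27 len 1 (key flags: 0C)
\tsubpkt 16 len 8 (issuer key ID 91D18FCF079F8007)
\tdata: [4093 bits]
# off=22180 ctb=89 tag=2 hlen=3 plen=566
:signature packet: algo 1, keyid 0123456789ABCDEF
\tversion 4, created 1700000000, md5len 0, sigclass 0x18
\tdigest algo 10, begin of digest ab cd
\tdata: [4096 bits]
"""

def find_weak_signatures(listing):
    """Return one dict per signature packet whose digest algorithm is weak."""
    findings, sig = [], None
    for raw in listing.splitlines():
        line = raw.strip()
        if line.startswith(":"):  # a new packet begins
            m = re.match(r":signature packet: algo \d+, keyid ([0-9A-Fa-f]+)", line)
            sig = {"keyid": m.group(1).upper()} if m else None
        elif sig is not None:
            m = re.match(r"version \d+, created (\d+), .*sigclass 0x([0-9A-Fa-f]+)", line)
            if m:
                sig["created"] = int(m.group(1))
                sig["sigclass"] = SIG_CLASSES.get(int(m.group(2), 16), "0x" + m.group(2))
            m = re.match(r"digest algo (\d+)", line)
            if m and int(m.group(1)) in WEAK_HASHES:
                sig["hash"] = HASH_NAMES[int(m.group(1))]
                findings.append(sig)
    return findings

if __name__ == "__main__":
    for f in find_weak_signatures(SAMPLE):
        print(f)
```

To check a real key, pass the text produced by `gpg --export KEYID | gpg --list-packets` to `find_weak_signatures` instead of `SAMPLE`.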
