andersk opened a new issue, #41678:
URL: https://github.com/apache/arrow/issues/41678

   ### Describe the bug, including details regarding any error messages, 
version, and platform.
   
   The [PGP 
signature](https://apache.jfrog.io/artifactory/arrow/debian/apache-arrow-apt-source-latest-bullseye.deb.asc)
 on the newly uploaded version of 
[apache-arrow-apt-source-latest-bullseye.deb](https://apache.jfrog.io/artifactory/arrow/debian/apache-arrow-apt-source-latest-bullseye.deb)
 (and possibly others) fails verification, because it’s signed by a key that’s 
not in 
[apache-arrow-keyring.gpg](https://apache.jfrog.io/artifactory/arrow/debian/apache-arrow-keyring.gpg).
   
   I would appreciate if this can be fixed by resigning the .deb with a key 
that’s already in the keyring, rather than adding new keys to the keyring, 
because we need to cut a new release of the [Zulip 
server](https://github.com/zulip/zulip) every time we need to change its 
[included copy of the 
keyring](https://github.com/zulip/zulip/blob/8.x/scripts/setup/apt-repos/zulip/apache-arrow-keyring.gpg).
 (Downloading a new copies of the keyring every time it changes defeats the 
whole point of verifying PGP signatures, because an attacker who can tamper 
with the binary can also tamper with the keyring.)
   
   ```console
   $ wget 
https://apache.jfrog.io/artifactory/arrow/debian/apache-arrow-apt-source-latest-bullseye.deb
   $ wget 
https://apache.jfrog.io/artifactory/arrow/debian/apache-arrow-apt-source-latest-bullseye.deb.asc
   $ wget 
https://apache.jfrog.io/artifactory/arrow/debian/apache-arrow-keyring.gpg
   $ gpgv --keyring=./apache-arrow-keyring.gpg 
apache-arrow-apt-source-latest-bullseye.deb.asc 
apache-arrow-apt-source-latest-bullseye.deb
   gpgv: Signature made Thu 09 May 2024 03:56:53 AM PDT
   gpgv:                using RSA key AF6AADA4C9835B75973FF5DA275C532289DD0F4A
   gpgv: Can't check signature: No public key
   $ gpg --no-default-keyring --keyring=./apache-arrow-keyring.gpg --list-keys 
   ./apache-arrow-keyring.gpg
   --------------------------
   pub   rsa2048 2013-04-10 [SCEA] [expired: 2017-04-10]
         35CF82A165DDBBA29B307B7497D7E8647AE7E47B
   uid           [ expired] Julien Le Dem <[email protected]>
   
   pub   rsa4096 2016-09-19 [SC] [expired: 2020-09-19]
         87C072B8B6405B5780D66A3D02DABFDF1679D194
   uid           [ expired] Julien Le Dem <[email protected]>
   
   pub   rsa4096 2016-11-06 [SC]
         F2A765669021A3D3094C200B29D94E228CAAD602
   uid           [ unknown] Uwe L. Korn <[email protected]>
   sub   rsa4096 2016-11-06 [E]
   
   pub   rsa4096 2017-05-01 [SC]
         6D09E881160096717426C638F105883A1735623D
   uid           [ unknown] William Wesley McKinney (CODE SIGNING KEY) 
<[email protected]>
   sub   rsa4096 2017-05-01 [E]
   
   pub   rsa4096 2010-08-30 [SC]
         08D3564B7C6A9CAFBFF6A66791D18FCF079F8007
   uid           [ unknown] Kouhei Sutou <[email protected]>
   uid           [ unknown] Kouhei Sutou <[email protected]>
   sub   rsa4096 2010-08-30 [E]
   
   pub   rsa4096 2018-06-13 [SC]
         E6E4AA55F38337A6EFC7A5549F453D0CC3E4F6BA
   uid           [ unknown] Charles Phillip Cloud <[email protected]>
   sub   rsa4096 2018-06-13 [E]
   
   pub   rsa4096 2014-09-04 [SCEA]
         2CC23EF090A28BAC5DDC885F769BDC2129C2658C
   uid           [ unknown] keybase.io/pitrou <[email protected]>
   
   pub   rsa4096 2019-01-10 [SC]
         265F80AB84FE03127E14F01125BCCA5220D84079
   uid           [ unknown] Krisztian Szucs (apache) <[email protected]>
   sub   rsa4096 2019-01-10 [E]
   
   pub   rsa4096 2019-09-24 [SC] [expired: 2020-09-23]
         E47C810A90FE21FF448DA938755E743692EA1D85
   uid           [ expired] Micah Kornfield (Apache Arrow Code Signing Key) 
<[email protected]>
   ```
   
   ### Component(s)
   
   Packaging


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to