andersk opened a new issue, #41678: URL: https://github.com/apache/arrow/issues/41678
### Describe the bug, including details regarding any error messages, version, and platform. The [PGP signature](https://apache.jfrog.io/artifactory/arrow/debian/apache-arrow-apt-source-latest-bullseye.deb.asc) on the newly uploaded version of [apache-arrow-apt-source-latest-bullseye.deb](https://apache.jfrog.io/artifactory/arrow/debian/apache-arrow-apt-source-latest-bullseye.deb) (and possibly others) fails verification, because it’s signed by a key that’s not in [apache-arrow-keyring.gpg](https://apache.jfrog.io/artifactory/arrow/debian/apache-arrow-keyring.gpg). I would appreciate if this can be fixed by resigning the .deb with a key that’s already in the keyring, rather than adding new keys to the keyring, because we need to cut a new release of the [Zulip server](https://github.com/zulip/zulip) every time we need to change its [included copy of the keyring](https://github.com/zulip/zulip/blob/8.x/scripts/setup/apt-repos/zulip/apache-arrow-keyring.gpg). (Downloading a new copies of the keyring every time it changes defeats the whole point of verifying PGP signatures, because an attacker who can tamper with the binary can also tamper with the keyring.) ```console $ wget https://apache.jfrog.io/artifactory/arrow/debian/apache-arrow-apt-source-latest-bullseye.deb $ wget https://apache.jfrog.io/artifactory/arrow/debian/apache-arrow-apt-source-latest-bullseye.deb.asc $ wget https://apache.jfrog.io/artifactory/arrow/debian/apache-arrow-keyring.gpg $ gpgv --keyring=./apache-arrow-keyring.gpg apache-arrow-apt-source-latest-bullseye.deb.asc apache-arrow-apt-source-latest-bullseye.deb gpgv: Signature made Thu 09 May 2024 03:56:53 AM PDT gpgv: using RSA key AF6AADA4C9835B75973FF5DA275C532289DD0F4A gpgv: Can't check signature: No public key $ gpg --no-default-keyring --keyring=./apache-arrow-keyring.gpg --list-keys ./apache-arrow-keyring.gpg -------------------------- pub rsa2048 2013-04-10 [SCEA] [expired: 2017-04-10] 35CF82A165DDBBA29B307B7497D7E8647AE7E47B uid [ expired] Julien Le Dem <[email protected]> pub rsa4096 2016-09-19 [SC] [expired: 2020-09-19] 87C072B8B6405B5780D66A3D02DABFDF1679D194 uid [ expired] Julien Le Dem <[email protected]> pub rsa4096 2016-11-06 [SC] F2A765669021A3D3094C200B29D94E228CAAD602 uid [ unknown] Uwe L. Korn <[email protected]> sub rsa4096 2016-11-06 [E] pub rsa4096 2017-05-01 [SC] 6D09E881160096717426C638F105883A1735623D uid [ unknown] William Wesley McKinney (CODE SIGNING KEY) <[email protected]> sub rsa4096 2017-05-01 [E] pub rsa4096 2010-08-30 [SC] 08D3564B7C6A9CAFBFF6A66791D18FCF079F8007 uid [ unknown] Kouhei Sutou <[email protected]> uid [ unknown] Kouhei Sutou <[email protected]> sub rsa4096 2010-08-30 [E] pub rsa4096 2018-06-13 [SC] E6E4AA55F38337A6EFC7A5549F453D0CC3E4F6BA uid [ unknown] Charles Phillip Cloud <[email protected]> sub rsa4096 2018-06-13 [E] pub rsa4096 2014-09-04 [SCEA] 2CC23EF090A28BAC5DDC885F769BDC2129C2658C uid [ unknown] keybase.io/pitrou <[email protected]> pub rsa4096 2019-01-10 [SC] 265F80AB84FE03127E14F01125BCCA5220D84079 uid [ unknown] Krisztian Szucs (apache) <[email protected]> sub rsa4096 2019-01-10 [E] pub rsa4096 2019-09-24 [SC] [expired: 2020-09-23] E47C810A90FE21FF448DA938755E743692EA1D85 uid [ expired] Micah Kornfield (Apache Arrow Code Signing Key) <[email protected]> ``` ### Component(s) Packaging -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
