[jira] [Closed] (FLINK-16424) Can't verify PGP signatures of Flink 1.9.2 and 1.10.0

Wed, 04 Mar 2020 07:05:22 -0800 


     [ 
https://issues.apache.org/jira/browse/FLINK-16424?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Bob closed FLINK-16424.
-----------------------
    Resolution: Resolved

Thanks for the hint. My keys file was for whatever reason outdated (maybe a 
local proxy cache issue).

> Can't verify PGP signatures of Flink 1.9.2 and 1.10.0
> -----------------------------------------------------
>
>                 Key: FLINK-16424
>                 URL: https://issues.apache.org/jira/browse/FLINK-16424
>             Project: Flink
>          Issue Type: Improvement
>            Reporter: Bob
>            Priority: Minor
>
> I tried to follow the steps on the download page 
> [https://flink.apache.org/downloads.html] and 
> [http://www.apache.org/info/verification.html] but i am unable to verify the 
> Flink packages with the help of the PGP signatures of Flink 1.9.2 and 1.10.0.
> Steps to reproduce:
>  # Download Flink via a mirror 
> [https://www.apache.org/dyn/closer.lua/flink/flink-1.10.0/flink-1.10.0-bin-scala_2.12.tgz]
>  # Download PGP signature file 
> [https://www.apache.org/dist/flink/flink-1.10.0/flink-1.10.0-bin-scala_2.12.tgz.asc]
>  # Download release-signing keys file [https://www.apache.org/dist/flink/KEYS]
> {code:java}
> # gpg --import KEYS 
> gpg: key 04D9B832: "Alan Gates (No comment) <[email protected]>" not changed
> gpg: key 0CBAAE9F: "Sean Owen (CODE SIGNING KEY) <[email protected]>" not 
> changed
> gpg: key 0410DA0C: "Ted Dunning (for signing Apache releases) 
> <[email protected]>" not changed
> gpg: key 3592721E: "Henry Saputra (CODE SIGNING KEY) <[email protected]>" 
> not changed
> gpg: key 3D0C92B9: "Owen O'Malley (Code signing) <[email protected]>" not 
> changed
> gpg: key D9839159: "Robert Metzger (CODE SIGNING KEY) <[email protected]>" 
> not changed
> gpg: key 9D403309: "Ufuk Celebi (CODE SIGNING KEY) <[email protected]>" not 
> changed
> gpg: key D675A2E9: "Márton Balassi (CODE SIGNING KEY) <[email protected]>" 
> not changed
> gpg: key C2909CBF: "Maximilian Michels <[email protected]>" not changed
> gpg: key 34911D5A: "Fabian Hueske (CODE SIGNING KEY) <[email protected]>" 
> not changed
> gpg: key B065B356: "Tzu-Li Tai (CODE SIGNING KEY) <[email protected]>" not 
> changed
> gpg: key 121D7293: "Aljoscha Krettek (CODE SIGNING KEY) 
> <[email protected]>" not changed
> gpg: key 11D464BA: "Chesnay Schepler (CODE SIGNING KEY) <[email protected]>" 
> not changed
> gpg: key 35C33D6A: "Tzu-Li Tai (CODE SIGNING KEY) <[email protected]>" not 
> changed
> gpg: key A96CFFD5: "Till Rohrmann (stsffap) <[email protected]>" not 
> changed
> gpg: key D920A98C: "Thomas Weise <[email protected]>" not changed
> gpg: key 3B79EA0E: "jincheng Sun (jincheng) <[email protected]>" not changed
> gpg: key F7059BA4: "Kurt Young <[email protected]>" not changed
> gpg: key EFAE3202: "Jark Wu (CODE SIGNING KEY) <[email protected]>" not changed
> gpg: Total number processed: 19
> gpg:              unchanged: 19
> {code}
> {code:java}
> # gpg --verify flink-1.10.0-bin-scala_2.12.tgz.asc 
> flink-1.10.0-bin-scala_2.12.tgz
> gpg: Signature made Fri 07 Feb 2020 07:36:24 PM CET using RSA key ID 89C115E8
> gpg: Can't check signature: No public key
> {code}
> {code:java}
> # gpg --keyserver pgpkeys.mit.edu --recv-key 89C115E8
> gpg: requesting key 89C115E8 from hkp server pgpkeys.mit.edu
> gpgkeys: key 89C115E8 not found on keyserver
> gpg: no valid OpenPGP data found.
> gpg: Total number processed: 0
> {code}
> {code:java}
> # gpg --verify flink-1.9.2-bin-scala_2.12.tgz.asc 
> flink-1.9.2-bin-scala_2.12.tgz
> gpg: Signature made Fri 24 Jan 2020 06:08:33 AM CET using RSA key ID 57B6476C
> gpg: Can't check signature: No public key
> {code}
> {code:java}
> # gpg --keyserver pgpkeys.mit.edu --recv-key 57B6476C
> gpg: requesting key 57B6476C from hkp server pgpkeys.mit.edu
> gpgkeys: key 57B6476C not found on keyserver
> gpg: no valid OpenPGP data found.
> gpg: Total number processed: 0
> {code}
> Could someone check if a key is missing in the release-signing keys file? Or 
> something else is wrong? e.g. for Flink 1.9.1 these steps seem to be fine.
> {code:java}
> gpg --verify flink-1.9.1-bin-scala_2.12.tgz.asc flink-1.9.1-bin-scala_2.12.tgz
> gpg: Signature made Mon 30 Sep 2019 08:57:32 AM CEST using RSA key ID EFAE3202
> gpg: Good signature from "Jark Wu (CODE SIGNING KEY) <[email protected]>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the owner.
> Primary key fingerprint: E2C4 5417 BED5 C104 154F  3410 85BA CB5A EFAE 3202
>  {code}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to