[jira] [Resolved] (SPARK-30728) Bad signature for Spark 2.4.4

Tue, 04 Feb 2020 10:48:16 -0800 


     [ 
https://issues.apache.org/jira/browse/SPARK-30728?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Dongjoon Hyun resolved SPARK-30728.
-----------------------------------
    Resolution: Invalid

Hi, [~khalidnajm]. JIRA is not for Q&A. You had better ask questions to dev 
mailing list.

{code}
# gpg --verify spark-2.4.4-bin-hadoop2.7.tgz.asc
gpg: assuming signed data in 'spark-2.4.4-bin-hadoop2.7.tgz'
gpg: Signature made Tue Aug 27 21:30:32 2019 UTC
gpg:                using RSA key EDA00CE834F0FC5C
gpg: Good signature from "Dongjoon Hyun (CODE SIGNING KEY) 
<dongj...@apache.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: F28C 9C92 5C18 8C35 E345  614D EDA0 0CE8 34F0 FC5C
{code}

> Bad signature for Spark 2.4.4
> -----------------------------
>
>                 Key: SPARK-30728
>                 URL: https://issues.apache.org/jira/browse/SPARK-30728
>             Project: Spark
>          Issue Type: Bug
>          Components: Windows
>    Affects Versions: 2.4.4
>         Environment: Windows 10 Pro 1809
> OS Build: 17763.973
> gpg (GnuPG) 2.2.19 libgcrypt 1.8.5
>            Reporter: Khalid Najm
>            Priority: Minor
>
> I downloaded the signatures files from the Apache Spark download page:
>  * spark-2.4.4-bin-hadoop2.7.tgz.asc
>  * spark-2.4.4-bin-hadoop2.7.tgz.sha512
>  * KEYS
> I ran the following commands:
> gpg --import KEYS
> gpg --verify spark-2.4.4-bin-hadoop2.7.tgz.asc 
> spark-2.4.4-bin-hadoop2.7.tgz.sha512
> For the KEYS command, I got:
> {\{gpg: key 7B165D2A15E06093: "Andrew Or <andrewo...@gmail.com>" not changed 
> gpg: key 6B32946082667DC1: "Xiangrui Meng (CODE SIGNING KEY) 
> <m...@apache.org>" not changed gpg: key B1A91F0000799F7E: "Patrick Wendell 
> <pwend...@gmail.com>" not changed gpg: key 7C6C105FFC8ED089: "Patrick Wendell 
> <pwend...@gmail.com>" not changed gpg: key 5D951CFF87FD1A97: "Tathagata Das 
> (CODE SIGNING KEY) <t...@apache.org>" not changed gpg: key 548F5FEE9E4FE3AF: 
> "Patrick Wendell <pwend...@gmail.com>" not changed gpg: key A70A1B29E90ADC5D: 
> 1 signature not checked due to a missing key gpg: key A70A1B29E90ADC5D: 
> "Holden Karau (CODE SIGNING KEY) <hol...@apache.org>" not changed gpg: key 
> B6C8B66085040118: "Felix Cheung (CODE SIGNING KEY) <felixche...@apache.org>" 
> not changed gpg: key DCE4BFD807461E96: "Sameer Agarwal (CODE SIGNING KEY) 
> <samee...@apache.org>" not changed gpg: key FD8FFD4C3A0D5564: 3 signatures 
> not checked due to missing keys gpg: key FD8FFD4C3A0D5564: "Marcelo M. Vanzin 
> <van...@apache.org>" not changed gpg: key DE4FBCCD81E6C76A: "Thomas Graves 
> (CODE SIGNING KEY) <tgra...@apache.org>" not changed gpg: key 
> DB0B21A012973FD0: "Saisai Shao (CODE SIGNING KEY) <js...@apache.org>" not 
> changed gpg: key 6BAC72894F4FDC8A: "Wenchen Fan (CODE SIGNING KEY) 
> <wenc...@apache.org>" not changed gpg: key EDA00CE834F0FC5C: "Dongjoon Hyun 
> (CODE SIGNING KEY) <dongj...@apache.org>" not changed gpg: key 
> 6EC5F1052DF08FF4: "Takeshi Yamamuro (CODE SIGNING KEY) <yamam...@apache.org>" 
> not changed gpg: key 42E5B25A8F7A82C1: "DB Tsai <dbt...@dbtsai.com>" not 
> changed gpg: key 96F72F76830C0D1B: "Xiao Li (CODE SIGNING KEY) 
> <lix...@apache.org>" not changed gpg: key E49A046C7F0FEF75: "Kazuaki Ishizaki 
> (CODE SIGNING KEY) <ki...@apache.org>" not changed gpg: key E1B7E0F25E4BF56B: 
> "Xingbo Jiang (CODE SIGNING KEY) <jiangxb1...@apache.org>" not changed gpg: 
> key 6E1B4122F6A3A338: "Yuming Wang <yumw...@apache.org>" not changed gpg: 
> Total number processed: 20 gpg: unchanged: 20}}
> For the verification, I got:
> {{gpg: Signature made 08/27/19 22:30:32 GMT Daylight Time gpg: using RSA key 
> EDA00CE834F0FC5C gpg: BAD signature from "Dongjoon Hyun (CODE SIGNING KEY) 
> <dongj...@apache.org>" [unknown]}}
>  I have two questions:
>  * why did this happen? I downloaded and installed Spark from one mirror and 
> then the other, and still got the error. Also, the three files are the same 
> in either case, so how does it tell which signature works?
>  * I assume that when you get a bad signature error, that you should 
> reinstall from another mirror. Is this true?
>  * What is the signature verification doing?
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org
For additional commands, e-mail: issues-h...@spark.apache.org

Reply via email to