Re: Cassandra repo keys are revoked
On 3/11/19 2:41 PM, Michael Shuler wrote:
> On 3/11/19 8:36 AM, staticp...@gmail.com wrote:
>> Hello,
>>
>> It appears the keys listed here are outdated.
>> https://www.apache.org/dist/cassandra/KEYS
>>
>> Trying to install Cassandra 311x on Ubuntu 18.0.4. The recommendation is to
>> use the keys from the link above however, one of them is revoked. Others
>> on this page are in the same state as well. Can someone from the dev group
>> clean this up? It's a little unsettling when the official documentation -
>> http://cassandra.apache.org/download/ gives instructions to download revoked
>> keys.
>>
>> apt-key list
>>
>>
>> pub rsa4096 2014-06-16 [SCEA] [revoked: 2016-08-16]
>> 7B0A 593A 9795 A964 AD57 D255 D46C 5ECB FE4B 2BDA
>> uid [ revoked] Michael Shuler
>>
>> pub rsa4096 2009-07-15 [SC]
>> A26E 528B 271F 19B9 E5D8 E19E A278 B781 FE4B 2BDA
>> uid [ unknown] Michael Shuler
>> uid [ unknown] Michael Shuler
>> sub rsa4096 2009-07-15 [E]
>
>
> These are not the same keys. It looks like you possibly did a short-key
> import (FE4B2BDA), as well as the long-key import, as the download
> instructions indicate. Here's my valid key:
>
> mshuler@hana:~$ gpg --list-secret-key --fingerprint FE4B2BDA
> gpg: please do a --check-trustdb
> sec rsa4096 2009-07-15 [SC]
> A26E 528B 271F 19B9 E5D8 E19E A278 B781 FE4B 2BDA
> uid [ unknown] Michael Shuler
> uid [ unknown] Michael Shuler
> ssb rsa4096 2009-07-15 [E]
>
> In 2016, someone took a list of the strong key set and uploaded keys
> with faked short-key identifiers matching those of existing keys. It's a
> joe job to identify the weakness of using short key identifiers. There
> are thousands of these fake keys, and they've been revoked.
>
> https://www.zdnet.com/article/pgp-security-weakness-exposed/
>
> Drop that bogus key from apt-keys:
>
> apt-key del D46C5ECBFE4B2BDA
>
> This message is signed with the correct key.

I forgot to mention that the bogus key you imported from a public key
server is *not* contained in https://www.apache.org/dist/cassandra/KEYS -
feel free to verify that independently.

--
Kind regards,
Michael
Re: Cassandra repo keys are revoked
On 3/11/19 8:36 AM, staticp...@gmail.com wrote:
> Hello,
>
> It appears the keys listed here are outdated.
> https://www.apache.org/dist/cassandra/KEYS
>
> Trying to install Cassandra 311x on Ubuntu 18.0.4. The recommendation is to
> use the keys from the link above however, one of them is revoked. Others
> on this page are in the same state as well. Can someone from the dev group
> clean this up? It's a little unsettling when the official documentation -
> http://cassandra.apache.org/download/ gives instructions to download revoked
> keys.
>
> apt-key list
>
>
> pub rsa4096 2014-06-16 [SCEA] [revoked: 2016-08-16]
> 7B0A 593A 9795 A964 AD57 D255 D46C 5ECB FE4B 2BDA
> uid [ revoked] Michael Shuler
>
> pub rsa4096 2009-07-15 [SC]
> A26E 528B 271F 19B9 E5D8 E19E A278 B781 FE4B 2BDA
> uid [ unknown] Michael Shuler
> uid [ unknown] Michael Shuler
> sub rsa4096 2009-07-15 [E]

These are not the same keys. It looks like you possibly did a short-key
import (FE4B2BDA), as well as the long-key import, as the download
instructions indicate. Here's my valid key:

mshuler@hana:~$ gpg --list-secret-key --fingerprint FE4B2BDA
gpg: please do a --check-trustdb
sec rsa4096 2009-07-15 [SC]
A26E 528B 271F 19B9 E5D8 E19E A278 B781 FE4B 2BDA
uid [ unknown] Michael Shuler
uid [ unknown] Michael Shuler
ssb rsa4096 2009-07-15 [E]

In 2016, someone took a list of the strong key set and uploaded keys
with faked short-key identifiers matching those of existing keys. It's a
joe job to identify the weakness of using short key identifiers. There
are thousands of these fake keys, and they've been revoked.

https://www.zdnet.com/article/pgp-security-weakness-exposed/

Drop that bogus key from apt-keys:

apt-key del D46C5ECBFE4B2BDA

This message is signed with the correct key.

--
Kind regards,
Michael
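The check described in the reply above, comparing full fingerprints instead of short key IDs, as an added example that is not part of the original thread. The function names `classify_keys` and `sample_listing` are hypothetical; the listing is constructed in gpg's `--with-colons` record format from the two fingerprints quoted in the thread, and its timestamps and subkey values are placeholders.

```shell
#!/bin/sh
# Added example: classify primary keys in `gpg --with-colons` output that
# share a short key ID with a fingerprint you already trust.

# classify_keys TRUSTED_FPR   (colon-format listing on stdin)
# Prints "TRUSTED <fpr>" or "IMPOSTOR <fpr> validity=<flag>" per matching key.
classify_keys() {
    # Normalise the trusted fingerprint: drop spaces, upper-case hex digits.
    trusted=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -F: -v want="$trusted" '
        BEGIN { short = substr(want, length(want) - 7) }  # last 8 hex digits
        # Field 2 of a pub record is the validity flag (r = revoked).
        $1 == "pub" { validity = $2; primary = 1; next }
        # An fpr record that follows sub belongs to the subkey, so skip it.
        $1 == "sub" { primary = 0; next }
        $1 == "fpr" && primary {
            primary = 0
            fpr = toupper($10)             # field 10 holds the fingerprint
            if (substr(fpr, length(fpr) - 7) != short) next
            if (fpr == want) print "TRUSTED " fpr
            else             print "IMPOSTOR " fpr " validity=" validity
        }
    '
}

# Constructed listing (not captured output); subkey values are placeholders.
sample_listing() {
    cat <<'EOF'
pub:r:4096:1:D46C5ECBFE4B2BDA:1402876800:::-:::scESCA:
fpr:::::::::7B0A593A9795A964AD57D255D46C5ECBFE4B2BDA:
uid:r::::::::Michael Shuler:
pub:-:4096:1:A278B781FE4B2BDA:1247616000:::-:::scSC:
fpr:::::::::A26E528B271F19B9E5D8E19EA278B781FE4B2BDA:
uid:-::::::::Michael Shuler:
sub:-:4096:1:0000000000000000:1247616000::::::e:
fpr:::::::::0000000000000000000000000000000000000000:
EOF
}

sample_listing | classify_keys "A26E 528B 271F 19B9 E5D8 E19E A278 B781 FE4B 2BDA"
```

On a real keyring, pipe `gpg --list-keys --with-colons --fingerprint` into `classify_keys` with the fingerprint obtained from a trusted channel; any IMPOSTOR line is a key that matched only on the short ID.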
Cassandra repo keys are revoked
Hello,

It appears the keys listed here are outdated.
https://www.apache.org/dist/cassandra/KEYS

Trying to install Cassandra 311x on Ubuntu 18.0.4. The recommendation is to
use the keys from the link above however, one of them is revoked. Others
on this page are in the same state as well. Can someone from the dev group
clean this up? It's a little unsettling when the official documentation -
http://cassandra.apache.org/download/ gives instructions to download revoked
keys.

apt-key list

pub rsa4096 2014-06-16 [SCEA] [revoked: 2016-08-16]
7B0A 593A 9795 A964 AD57 D255 D46C 5ECB FE4B 2BDA
uid [ revoked] Michael Shuler

pub rsa4096 2009-07-15 [SC]
A26E 528B 271F 19B9 E5D8 E19E A278 B781 FE4B 2BDA
uid [ unknown] Michael Shuler
uid [ unknown] Michael Shuler
sub rsa4096 2009-07-15 [E]