Re: KEYS file?

2016-07-12 Thread Steve Loughran

On 11 Jul 2016, at 04:48, Shuai Lin wrote:

at least links to the keys used to sign releases on the
download page

+1 for that.


really all release keys for ASF projects should be signed by others in the 
project and the broader ASF community; it's really time for the next ApacheCons 
& similar to do key auth sessions. Oh, and you should be verifying full 
signatures; generating collisions in short signatures is now computationally 
feasible.

I've authenticated Patrick's key EEDA BD1C 71C5 48D6 F006 61D3 7C6C 105F FC8E 
D089 and pushed that fact up to the MIT keyservers; I'm willing to do the same 
for others over Skype/F2F.

And at some point someone needs to enhance Ivy/Maven to check GPG signatures of 
artifacts on the public repos. Checksum validation is meaningless unless you 
are getting the checksums from a trusted HTTPS server *and* the version of the 
HTTP client you have gets its HTTPS signature logic right (something the ASF 
commons HTTP libs haven't always done).


Re: KEYS file?

2016-07-11 Thread Sean Owen
Yeah the canonical place for a project's KEYS file for ASF projects is

http://www.apache.org/dist/{project}/KEYS

and so you can indeed find this key among:

http://www.apache.org/dist/spark/KEYS

I'll put a link to this info on the downloads page because it is important info.

On Mon, Jul 11, 2016 at 4:48 AM, Shuai Lin wrote:
>> at least links to the keys used to sign releases on the
>> download page
>
>
> +1 for that.
>
> On Mon, Jul 11, 2016 at 3:35 AM, Phil Steitz wrote:
>>
>> On 7/10/16 10:57 AM, Shuai Lin wrote:
>> > Not sure where you see "0x7C6C105FFC8ED089". I
>>
>> That's the key ID for the key below.
>> > think the release is signed with the
>> > key https://people.apache.org/keys/committer/pwendell.asc .
>>
>> Thanks!  That key matches.  The project should publish a KEYS file
>> [1] or at least links to the keys used to sign releases on the
>> download page.  Could be there is one somewhere and I just can't
>> find it.
>>
>> Phil
>>
>> [1] http://www.apache.org/dev/release-signing.html#keys-policy
>> >
>> > I think this tutorial can be
>> > helpful: http://www.apache.org/info/verification.html
>> >
>> > On Mon, Jul 11, 2016 at 12:57 AM, Phil Steitz wrote:
>> >
>> > I can't seem to find a link to the Spark KEYS file.  I am
>> > trying to
>> > validate the sigs on the 1.6.2 release artifacts and I need to
>> > import 0x7C6C105FFC8ED089.  Is there a KEYS file available for
>> > download somewhere?  Apologies if I am just missing an obvious
>> > link.
>> >
>> > Phil
>> >
>> >
>> >
>> > -
>> > To unsubscribe e-mail: user-unsubscr...@spark.apache.org
>> > 
>> >
>> >
>>
>>
>




Re: KEYS file?

2016-07-10 Thread Shuai Lin
>
> at least links to the keys used to sign releases on the
> download page


+1 for that.

On Mon, Jul 11, 2016 at 3:35 AM, Phil Steitz wrote:

> On 7/10/16 10:57 AM, Shuai Lin wrote:
> > Not sure where you see "0x7C6C105FFC8ED089". I
>
> That's the key ID for the key below.
> > think the release is signed with the
> > key https://people.apache.org/keys/committer/pwendell.asc .
>
> Thanks!  That key matches.  The project should publish a KEYS file
> [1] or at least links to the keys used to sign releases on the
> download page.  Could be there is one somewhere and I just can't
> find it.
>
> Phil
>
> [1] http://www.apache.org/dev/release-signing.html#keys-policy
> >
> > I think this tutorial can be
> > helpful: http://www.apache.org/info/verification.html
> >
> > On Mon, Jul 11, 2016 at 12:57 AM, Phil Steitz wrote:
> >
> > I can't seem to find a link to the Spark KEYS file.  I am
> > trying to
> > validate the sigs on the 1.6.2 release artifacts and I need to
> > import 0x7C6C105FFC8ED089.  Is there a KEYS file available for
> > download somewhere?  Apologies if I am just missing an obvious
> > link.
> >
> > Phil
> >
>
>
>


Re: KEYS file?

2016-07-10 Thread Phil Steitz
On 7/10/16 10:57 AM, Shuai Lin wrote:
> Not sure where you see "0x7C6C105FFC8ED089". I

That's the key ID for the key below.
> think the release is signed with the
> key https://people.apache.org/keys/committer/pwendell.asc .

Thanks!  That key matches.  The project should publish a KEYS file
[1] or at least links to the keys used to sign releases on the
download page.  Could be there is one somewhere and I just can't
find it.

Phil

[1] http://www.apache.org/dev/release-signing.html#keys-policy
>
> I think this tutorial can be
> helpful: http://www.apache.org/info/verification.html
>
> On Mon, Jul 11, 2016 at 12:57 AM, Phil Steitz wrote:
>
> I can't seem to find a link to the Spark KEYS file.  I am
> trying to
> validate the sigs on the 1.6.2 release artifacts and I need to
> import 0x7C6C105FFC8ED089.  Is there a KEYS file available for
> download somewhere?  Apologies if I am just missing an obvious
> link.
>
> Phil
>





Re: KEYS file?

2016-07-10 Thread Shuai Lin
Not sure where you see "0x7C6C105FFC8ED089". I think the release is signed
with the key https://people.apache.org/keys/committer/pwendell.asc .

I think this tutorial can be helpful:
http://www.apache.org/info/verification.html

On Mon, Jul 11, 2016 at 12:57 AM, Phil Steitz wrote:

> I can't seem to find a link to the Spark KEYS file.  I am trying to
> validate the sigs on the 1.6.2 release artifacts and I need to
> import 0x7C6C105FFC8ED089.  Is there a KEYS file available for
> download somewhere?  Apologies if I am just missing an obvious link.
>
> Phil
>