On 3/11/19 8:36 AM, staticp...@gmail.com wrote:
> Hello,
>
> It appears the keys listed here are outdated.
> https://www.apache.org/dist/cassandra/KEYS
>
> Trying to install Cassandra 311x on Ubuntu 18.0.4. The recommendation is to
> use the keys from the link above; however, one of them is revoked. Others
> on this page are in the same state as well. Can someone from the dev group
> clean this up? It's a little unsettling when the official documentation -
> http://cassandra.apache.org/download/ gives instructions to download revoked
> keys.
>
> apt-key list
>
> --------------------
> pub   rsa4096 2014-06-16 [SCEA] [revoked: 2016-08-16]
>       7B0A 593A 9795 A964 AD57 D255 D46C 5ECB FE4B 2BDA
> uid           [ revoked] Michael Shuler <mich...@pbandjelly.org>
>
> pub   rsa4096 2009-07-15 [SC]
>       A26E 528B 271F 19B9 E5D8 E19E A278 B781 FE4B 2BDA
> uid           [ unknown] Michael Shuler <mich...@pbandjelly.org>
> uid           [ unknown] Michael Shuler <mshu...@gmail.com>
> sub   rsa4096 2009-07-15 [E]

These are not the same keys. It looks like you possibly did a short-key
import (FE4B2BDA), as well as the long-key import, as the download
instructions indicate. Here's my valid key:

mshuler@hana:~$ gpg --list-secret-key --fingerprint FE4B2BDA
gpg: please do a --check-trustdb
sec   rsa4096 2009-07-15 [SC]
      A26E 528B 271F 19B9 E5D8 E19E A278 B781 FE4B 2BDA
uid           [ unknown] Michael Shuler <mich...@pbandjelly.org>
uid           [ unknown] Michael Shuler <mshu...@gmail.com>
ssb   rsa4096 2009-07-15 [E]

In 2016, someone took a list of the strong key set and uploaded keys
with faked short-key identifiers matching those of existing keys. It's a
joe job to identify the weakness of using short key identifiers. There
are thousands of these fake keys, and they've been revoked.

https://www.zdnet.com/article/pgp-security-weakness-exposed/

Drop that bogus key from apt-keys:

apt-key del D46C5ECBFE4B2BDA

This message is signed with the correct key.

--
Kind regards,
Michael
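
Added example, not part of the original thread or of the Cassandra project's code: a check for the situation described above, where two primary keys in a keyring share a 32-bit short ID but have different full fingerprints. It assumes input in the `gpg --with-colons --fingerprint` layout; the sample records are constructed around the two fingerprints quoted in the thread, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample in `gpg --with-colons --fingerprint` layout. The two
# primary fingerprints are the ones quoted in the thread; timestamps and the
# subkey fingerprint are made up for this example.
SAMPLE = """\
pub:r:4096:1:D46C5ECBFE4B2BDA:1402876800:::-:::scESCA:
fpr:::::::::7B0A593A9795A964AD57D255D46C5ECBFE4B2BDA:
uid:r::::1402876800::::Michael Shuler:
pub:-:4096:1:A278B781FE4B2BDA:1247616000:::-:::scESC:
fpr:::::::::A26E528B271F19B9E5D8E19EA278B781FE4B2BDA:
sub:-:4096:1:0123456789ABCDEF:1247616000::::::e:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
"""

def primary_keys(colon_output):
    """Yield (fingerprint, validity) per primary key; subkey fpr lines are skipped."""
    pending = None  # validity of a pub record still waiting for its fpr line
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            pending = f[1]
        elif f[0] == "sub":
            pending = None
        elif f[0] == "fpr" and pending is not None and len(f) > 9:
            yield f[9].upper(), pending
            pending = None

def short_id_collisions(colon_output):
    """Map each short ID shared by more than one primary key to those keys."""
    groups = defaultdict(list)
    for fpr, validity in primary_keys(colon_output):
        groups[fpr[-8:]].append((fpr, validity))
    return {sid: keys for sid, keys in groups.items() if len(keys) > 1}

def keys_to_drop(colon_output, trusted_fpr):
    """64-bit long IDs of keys that collide with the trusted full fingerprint."""
    trusted = trusted_fpr.replace(" ", "").upper()
    drop = []
    for keys in short_id_collisions(colon_output).values():
        # Only act on a collision group that contains the key we actually trust.
        if any(fpr == trusted for fpr, _ in keys):
            drop += [fpr[-16:] for fpr, _ in keys if fpr != trusted]
    return drop

if __name__ == "__main__":
    trusted = "A26E 528B 271F 19B9 E5D8 E19E A278 B781 FE4B 2BDA"
    for long_id in keys_to_drop(SAMPLE, trusted):
        print("apt-key del", long_id)
```

The trusted fingerprint must come from a source other than the keyring being checked, since the colliding key carries the same short ID and the same user name.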