Re: KEYS file?
On 11 Jul 2016, at 04:48, Shuai Lin wrote:

> > at least links to the keys used to sign releases on the download page
>
> +1 for that.

Really all release keys for ASF projects should be signed by others in the project and the broader ASF community; it's really time for the next ApacheCons & similar to do key auth sessions.

Oh, and you should be verifying full signatures; generating collisions in short signatures is now computationally feasible.

I've authenticated Patrick's key EEDA BD1C 71C5 48D6 F006 61D3 7C6C 105F FC8E D089 and pushed that fact up to the MIT keyservers; I'm willing to do the same for others over Skype/F2F.

And at some point someone needs to enhance Ivy/Maven to check GPG signatures of artifacts on the public repos. Checksum validation is meaningless unless you are getting the checksums from a trusted HTTPS server *and* the version of the HTTP client you have gets its HTTPS signature logic right (something the ASF Commons HTTP libs haven't always done).
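Added example, not part of any message in this thread and not ASF tooling: one way to script the check discussed in the message above, accepting a release only when gpg reports a good signature from the key whose full 40-digit fingerprint matches the one quoted there, and refusing a short key ID as the pin. The function names, the throwaway keyring and the sample status lines are assumptions for illustration; `GOODSIG` and `VALIDSIG` are gpg's own status keywords, and the pin itself should be confirmed through a channel you trust.

```shell
#!/bin/sh
# Full fingerprint quoted in the thread, spaces removed.
PINNED_FPR="EEDABD1C71C548D6F00661D37C6C105FFC8ED089"

# Strip whitespace and an optional 0x prefix, then upper-case the hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# Read `gpg --status-fd` output on stdin. Print the signer's fingerprint only
# if a GOODSIG line is present; VALIDSIG carries the primary-key fingerprint
# as its last field when gpg reports one, else the signing key's in field 3.
signer_fpr() {
    awk '$1 != "[GNUPG:]" { next }
         $2 == "GOODSIG"  { good = 1 }
         $2 == "VALIDSIG" { fpr = (length($NF) == 40 ? $NF : $3) }
         END { if (good && fpr != "") print fpr; else exit 1 }'
}

# Succeed only if stdin shows a good signature by the key whose full
# 40-hex-digit fingerprint equals $1; a short key ID as the pin is refused.
fpr_matches() {
    want=$(normalize_fpr "$1")
    got=$(signer_fpr) || return 1
    [ "${#want}" -eq 40 ] && [ "$(normalize_fpr "$got")" = "$want" ]
}

# Verify artifact $2 against detached signature $3 with the keys from KEYS
# file $1, imported into a throwaway keyring (assumption: gpg is on PATH).
verify_release() {
    home=$(mktemp -d) || return 1
    gpg --homedir "$home" --batch --quiet --import "$1" 2>/dev/null &&
        gpg --homedir "$home" --batch --status-fd 1 --verify "$3" "$2" 2>/dev/null |
        fpr_matches "$PINNED_FPR"
    rc=$?
    rm -rf "$home"
    return "$rc"
}

# Constructed status output for fingerprint $1 (dates and algorithm fields made up).
sample_status() {
    printf '[GNUPG:] GOODSIG %s Constructed Signer\n' "$1"
    printf '[GNUPG:] VALIDSIG %s 2016-06-22 1466553600 0 4 0 1 8 00 %s\n' "$1" "$1"
}

if [ "$#" -eq 3 ]; then   # usage: sh verify.sh KEYS artifact artifact.asc
    verify_release "$@" || { echo "REJECTED: no good signature from pinned key" >&2; exit 1; }
    echo "OK: signed by $PINNED_FPR"
fi
```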
Re: KEYS file?
Yeah, the canonical place for a project's KEYS file for ASF projects is
http://www.apache.org/dist/{project}/KEYS
and so you can indeed find this key among:
http://www.apache.org/dist/spark/KEYS

I'll put a link to this info on the downloads page because it is important info.

On Mon, Jul 11, 2016 at 4:48 AM, Shuai Lin <linshuai2...@gmail.com> wrote:
>> at least links to the keys used to sign releases on the
>> download page
>
> +1 for that.
>
> On Mon, Jul 11, 2016 at 3:35 AM, Phil Steitz <phil.ste...@gmail.com> wrote:
>>
>> On 7/10/16 10:57 AM, Shuai Lin wrote:
>> > Not sure where you see " 0x7C6C105FFC8ED089". I
>>
>> That's the key ID for the key below.
>> > think the release is signed with the
>> > key https://people.apache.org/keys/committer/pwendell.asc .
>>
>> Thanks! That key matches. The project should publish a KEYS file
>> [1] or at least links to the keys used to sign releases on the
>> download page. Could be there is one somewhere and I just can't
>> find it.
>>
>> Phil
>>
>> [1] http://www.apache.org/dev/release-signing.html#keys-policy
>> >
>> > I think this tutorial can be
>> > helpful: http://www.apache.org/info/verification.html
>> >
>> > On Mon, Jul 11, 2016 at 12:57 AM, Phil Steitz
>> > <phil.ste...@gmail.com> wrote:
>> >
>> >     I can't seem to find a link to the Spark KEYS file. I am
>> >     trying to validate the sigs on the 1.6.2 release artifacts and
>> >     I need to import 0x7C6C105FFC8ED089. Is there a KEYS file
>> >     available for download somewhere? Apologies if I am just
>> >     missing an obvious link.
>> >
>> >     Phil
>> >
>> >     -
>> >     To unsubscribe e-mail: user-unsubscr...@spark.apache.org
>> >
>>
>> -
>> To unsubscribe e-mail: user-unsubscr...@spark.apache.org
Re: KEYS file?
> at least links to the keys used to sign releases on the
> download page

+1 for that.

On Mon, Jul 11, 2016 at 3:35 AM, Phil Steitz <phil.ste...@gmail.com> wrote:

> On 7/10/16 10:57 AM, Shuai Lin wrote:
> > Not sure where you see " 0x7C6C105FFC8ED089". I
>
> That's the key ID for the key below.
> > think the release is signed with the
> > key https://people.apache.org/keys/committer/pwendell.asc .
>
> Thanks! That key matches. The project should publish a KEYS file
> [1] or at least links to the keys used to sign releases on the
> download page. Could be there is one somewhere and I just can't
> find it.
>
> Phil
>
> [1] http://www.apache.org/dev/release-signing.html#keys-policy
> >
> > I think this tutorial can be
> > helpful: http://www.apache.org/info/verification.html
> >
> > On Mon, Jul 11, 2016 at 12:57 AM, Phil Steitz
> > <phil.ste...@gmail.com> wrote:
> >
> >     I can't seem to find a link to the Spark KEYS file. I am
> >     trying to validate the sigs on the 1.6.2 release artifacts and
> >     I need to import 0x7C6C105FFC8ED089. Is there a KEYS file
> >     available for download somewhere? Apologies if I am just
> >     missing an obvious link.
> >
> >     Phil
Re: KEYS file?
On 7/10/16 10:57 AM, Shuai Lin wrote:
> Not sure where you see " 0x7C6C105FFC8ED089". I

That's the key ID for the key below.

> think the release is signed with the
> key https://people.apache.org/keys/committer/pwendell.asc .

Thanks! That key matches. The project should publish a KEYS file
[1] or at least links to the keys used to sign releases on the
download page. Could be there is one somewhere and I just can't
find it.

Phil

[1] http://www.apache.org/dev/release-signing.html#keys-policy

> I think this tutorial can be
> helpful: http://www.apache.org/info/verification.html
>
> On Mon, Jul 11, 2016 at 12:57 AM, Phil Steitz
> <phil.ste...@gmail.com> wrote:
>
>     I can't seem to find a link to the Spark KEYS file. I am
>     trying to validate the sigs on the 1.6.2 release artifacts and
>     I need to import 0x7C6C105FFC8ED089. Is there a KEYS file
>     available for download somewhere? Apologies if I am just
>     missing an obvious link.
>
>     Phil
Re: KEYS file?
Not sure where you see " 0x7C6C105FFC8ED089". I think the release is signed with the key https://people.apache.org/keys/committer/pwendell.asc .

I think this tutorial can be helpful: http://www.apache.org/info/verification.html

On Mon, Jul 11, 2016 at 12:57 AM, Phil Steitz <phil.ste...@gmail.com> wrote:

> I can't seem to find a link to the Spark KEYS file. I am trying to
> validate the sigs on the 1.6.2 release artifacts and I need to
> import 0x7C6C105FFC8ED089. Is there a KEYS file available for
> download somewhere? Apologies if I am just missing an obvious link.
>
> Phil
KEYS file?
I can't seem to find a link to the Spark KEYS file. I am trying to validate the sigs on the 1.6.2 release artifacts and I need to import 0x7C6C105FFC8ED089. Is there a KEYS file available for download somewhere? Apologies if I am just missing an obvious link.

Phil