[ https://issues.apache.org/jira/browse/AVRO-2604?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16959486#comment-16959486 ]
Fokko Driesprong edited comment on AVRO-2604 at 10/25/19 7:12 AM:
------------------------------------------------------------------

I've added my key to http://archive.apache.org/dist/avro/KEYS

I'll wait for it to propagate before removing the other one. The archives site is heavily cached.

Updated the How To Release section as well: https://cwiki.apache.org/confluence/display/AVRO/How+To+Release


was (Author: fokko):
I've added my key to http://archive.apache.org/dist/avro/KEYS

I'll wait for it to propagate before removing the other one. The archives site is heavily cached.

> Artifacts were signed with a key not in KEYS
> --------------------------------------------
>
>                 Key: AVRO-2604
>                 URL: https://issues.apache.org/jira/browse/AVRO-2604
>             Project: Apache Avro
>          Issue Type: Bug
>          Components: community, release
>    Affects Versions: 1.9.1
>            Reporter: Eric Peterson
>            Assignee: Fokko Driesprong
>            Priority: Critical
>
> Downloads need to be checked against the KEYS obtained from the Avro project.
> Importing the current KEYS file gives:
> {noformat}
> $ gpg --import KEYS
> gpg: key 0xDBAF69BEA7239D59: public key "Doug Cutting (Lucene guy)
> <cutt...@apache.org>" imported
> gpg: key 0xB5E0D06745472392: public key "Jeff Hammerbacher (CODE SIGNING KEY)
> <ham...@apache.org>" imported
> gpg: key 0x4FB955854318F669: 3 signatures not checked due to missing keys
> gpg: key 0x4FB955854318F669: public key "Tom White (CODE SIGNING KEY)
> <tomwh...@apache.org>" imported
> gpg: key 0x99CCC523E1BE8DBE: public key "Tom White (APACHE CODE SIGNING KEY)
> <tomwh...@apache.org>" imported
> gpg: key 0xFCB3CBD9D3924CCD: public key "Ryan Blue (CODE SIGNING KEY)
> <b...@apache.org>" imported
> gpg: key 0x807934FCCCC7C3A8: public key "Suraj Acharya <suraj....@gmail.com>"
> imported
> gpg: Total number processed: 6
> gpg: imported: 6
> gpg: no ultimately trusted keys found
> {noformat}
> But the 1.9.1 release artifacts were not signed with any of the PGP keys in
> that file, for example:
> {noformat}
> $ for asc in *.asc; do
> gpg --verify $asc
> echo
> done
> gpg: assuming signed data in 'Avro-1.9.1.tar.gz'
> gpg: Signature made Wed Aug 28 05:38:13 2019 EDT
> gpg: using RSA key CEF487F848109B4C8B8AC18DE4AE0EB72D112483
> gpg: Can't check signature: No public key
>
> gpg: assuming signed data in 'avro-cpp-1.9.1.tar.gz'
> gpg: Signature made Wed Aug 28 05:38:23 2019 EDT
> gpg: using RSA key CEF487F848109B4C8B8AC18DE4AE0EB72D112483
> gpg: Can't check signature: No public key
>
> gpg: assuming signed data in 'avro-doc-1.9.1.tar.gz'
> gpg: Signature made Wed Aug 28 05:38:23 2019 EDT
> gpg: using RSA key CEF487F848109B4C8B8AC18DE4AE0EB72D112483
> gpg: Can't check signature: No public key
>
> gpg: assuming signed data in 'avro-js-1.9.1.tgz'
> gpg: Signature made Wed Aug 28 05:38:13 2019 EDT
> gpg: using RSA key CEF487F848109B4C8B8AC18DE4AE0EB72D112483
> gpg: Can't check signature: No public key
>
> gpg: assuming signed data in 'avro-python3-1.9.1.tar.gz'
> gpg: Signature made Wed Aug 28 05:38:13 2019 EDT
> gpg: using RSA key CEF487F848109B4C8B8AC18DE4AE0EB72D112483
> gpg: Can't check signature: No public key
>
> gpg: assuming signed data in 'avro-src-1.9.1.tar.gz'
> gpg: Signature made Wed Aug 28 05:38:23 2019 EDT
> gpg: using RSA key CEF487F848109B4C8B8AC18DE4AE0EB72D112483
> gpg: Can't check signature: No public key
> {noformat}

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
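
A check a release manager could run before publishing, so that a signature made by a key missing from KEYS is caught mechanically. This is an added example, not part of the original message or of Avro's release tooling. The function names are hypothetical, and the sample status lines are constructed (only the fingerprint and its long key ID come from the report above).

```shell
#!/bin/sh
# Added example (hypothetical helper names, not Avro's release scripts).

# classify_status: read `gpg --status-fd` output on stdin, print one verdict:
#   GOOD <fingerprint>     verified by a key present in the keyring
#   MISSING <long key id>  signing key not in the keyring (the AVRO-2604 case)
#   BAD                    bad signature, expired/revoked key, or no result
classify_status() {
    awk '
        $1 != "[GNUPG:]"  { next }
        $2 == "VALIDSIG"  { good = $3 }
        $2 == "NO_PUBKEY" { missing = $3 }
        $2 == "BADSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        END {
            if (bad)          print "BAD"
            else if (missing) print "MISSING " missing
            else if (good)    print "GOOD " good
            else              print "BAD"
        }'
}

# check_release KEYS_FILE DIR: verify every DIR/*.asc against KEYS_FILE only.
# A throwaway keyring is used so keys already in ~/.gnupg cannot hide a gap.
# Returns 0 only if every signature is GOOD.
check_release() {
    home=$(mktemp -d) || return 2
    gpg --homedir "$home" --batch --quiet --import "$1" 2>/dev/null
    rc=0
    for asc in "$2"/*.asc; do
        verdict=$(gpg --homedir "$home" --batch --status-fd 1 \
                      --verify "$asc" "${asc%.asc}" 2>/dev/null | classify_status)
        printf '%s: %s\n' "${asc##*/}" "$verdict"
        case $verdict in GOOD*) ;; *) rc=1 ;; esac
    done
    rm -rf "$home"
    return $rc
}

# Constructed sample: status lines of the kind gpg emits when the signer's
# public key is absent. The timestamp and algorithm fields are illustrative.
sample_missing_key_status() {
    printf '%s\n' \
        '[GNUPG:] NEWSIG' \
        '[GNUPG:] ERRSIG E4AE0EB72D112483 1 8 00 1566985093 9 CEF487F848109B4C8B8AC18DE4AE0EB72D112483' \
        '[GNUPG:] NO_PUBKEY E4AE0EB72D112483'
}
```

Run as `check_release KEYS .` in the directory holding the artifacts and their `.asc` files; a non-zero exit means at least one artifact cannot be verified from KEYS alone.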