impala-dev mailing list archives

From Todd Lipcon <t...@apache.org>
Subject Re: [VOTE] 2.10.0 release candidate 1 (RC1)
Date Mon, 28 Aug 2017 18:14:56 GMT
Hey Bharath,

Take a look at https://www.apache.org/dev/release-signing.html#web-of-trust
-- it has some info on the GPG "web of trust". Basically, you need to
either directly trust Jim's key 6850196C, or you need to trust someone who
trusts him, etc. If you haven't yourself signed or trusted anyone's keys,
then no one's signature will be considered trusted for you.

Typically projects also publish a KEYS file in their distribution directory
which would be able to verify that the signing key at least matches the one
that was uploaded via ASF infrastructure.

-Todd

On Mon, Aug 28, 2017 at 11:09 AM, Bharath Vissapragada <
bharathv@cloudera.com> wrote:

> + mentors
>
> Thanks for testing the release Matt. I ran into the same issue while
> testing it myself. So I double checked older releases 2.9.0 and 2.8.0 and I
> saw the same behavior.
>
> gpg --verify apache-impala-incubating-2.9.0.tar.gz.asc
> apache-impala-incubating-2.9.0.tar.gz
> gpg: Signature made Fri 02 Jun 2017 12:25:45 PM PDT using RSA key ID
> 9522D0F3
> gpg: Good signature from "Taras Bobrovytsky (CODE SIGNING KEY) <
> tarasbob@apache.org>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the
> owner.
> Primary key fingerprint: 8B3E 3FC6 7005 4F52 2421  EEA9 8F3F 86FA 9522 D0F3
>
> gpg --verify apache-impala-incubating-2.8.0.tar.gz.asc
> apache-impala-incubating-2.8.0.tar.gz
> gpg: Signature made Sat 07 Jan 2017 10:50:22 AM PST using RSA key ID
> 6850196C
> gpg: Good signature from "Jim Apple (CODE SIGNING KEY) <jbapple@apache.org
> >"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the
> owner.
> Primary key fingerprint: 11EA E1B3 F3D9 9D7F 897E  4601 91EE 4306 6850 196C
>
> I tried to dig into it and this looks like a pretty common problem [1].
> But, I'm not totally sure about the standard practices to make a key
> trusted. Does anyone else in the community know what are the best
> practices around this and how it works with other Apache projects?
>
> [1] https://serverfault.com/questions/569911/how-to-verify-an-imported-gpg-key
>
>
> On Mon, Aug 28, 2017 at 10:26 AM, Matthew Jacobs <mj@cloudera.com> wrote:
>
>> Bharath, is your key set up correctly?
>>
>> Running the script on
>> https://cwiki.apache.org/confluence/display/IMPALA/How+to+Release#HowtoRelease-HowtoVoteonaReleaseCandidate
>> resulted in this warning indicating that your signature is not
>> trusted:
>>
>> gpg: WARNING: This key is not certified with a trusted signature!
>> gpg:          There is no indication that the signature belongs to the
>> owner.
>>
>> Maybe someone who has RM'd before can comment on this.
>>
>>
>> ...
>> gpg: key 6850196C: public key "Jim Apple (CODE SIGNING KEY)
>> <jbapple@apache.org>" imported
>> gpg: key 9522D0F3: public key "Taras Bobrovytsky (CODE SIGNING KEY)
>> <tarasbob@apache.org>" imported
>> gpg: key 64DAB27C: public key "Bharath Vissapragada
>> <bharathv@apache.org>" imported
>> gpg: Total number processed: 3
>> gpg:               imported: 3  (RSA: 3)
>> gpg: no ultimately trusted keys found
>> + echo 'If in an interactive shell, At the prompt, enter '\''5'\'' for
>> '\''I trust ultimately'\'', then '\''y'\'' for '\''yes'\'', then
>> '\''q'\'' for '\''quit'\'''
>> If in an interactive shell, At the prompt, enter '5' for 'I trust
>> ultimately', then 'y' for 'yes', then 'q' for 'quit'
>> + [[ ehuxB == *i* ]]
>> + echo 'Download the release artifacts:'
>> Download the release artifacts:
>> + for SUFFIX in gz gz.asc gz.md5 gz.sha512
>> + wget -q https://dist.apache.org/repos/dist/dev/incubator/impala/2.10
>> .0/RC1/apache-impala-incubating-2.10.0.tar.gz
>> + for SUFFIX in gz gz.asc gz.md5 gz.sha512
>> + wget -q https://dist.apache.org/repos/dist/dev/incubator/impala/2.10
>> .0/RC1/apache-impala-incubating-2.10.0.tar.gz.asc
>> + for SUFFIX in gz gz.asc gz.md5 gz.sha512
>> + wget -q https://dist.apache.org/repos/dist/dev/incubator/impala/2.10
>> .0/RC1/apache-impala-incubating-2.10.0.tar.gz.md5
>> + for SUFFIX in gz gz.asc gz.md5 gz.sha512
>> + wget -q https://dist.apache.org/repos/dist/dev/incubator/impala/2.10
>> .0/RC1/apache-impala-incubating-2.10.0.tar.gz.sha512
>> + echo 'Check the checksums:'
>> Check the checksums:
>> + md5sum --check apache-impala-incubating-2.10.0.tar.gz.md5
>> apache-impala-incubating-2.10.0.tar.gz: OK
>> + sha512sum --check apache-impala-incubating-2.10.0.tar.gz.sha512
>> apache-impala-incubating-2.10.0.tar.gz: OK
>> + echo 'Check the signature:'
>> Check the signature:
>> + gpg --verify apache-impala-incubating-2.10.0.tar.gz.asc
>> apache-impala-incubating-2.10.0.tar.gz
>> gpg: Signature made Sun 27 Aug 2017 06:48:18 PM PDT using RSA key ID
>> 64DAB27C
>> gpg: Good signature from "Bharath Vissapragada <bharathv@apache.org>"
>> gpg: WARNING: This key is not certified with a trusted signature!
>> gpg:          There is no indication that the signature belongs to the
>> owner.
>>
>> On Sun, Aug 27, 2017 at 10:32 PM, Bharath Vissapragada
>> <bharathv@cloudera.com> wrote:
>> > This is a vote to release Impala 2.10.0.
>> >
>> > - The artefacts for testing can be downloaded from <
>> > https://dist.apache.org/repos/dist/dev/incubator/impala/2.10.0/RC1/>.
>> >
>> > - The git tag for this release candidate is 2.10.0-rc1 and tree hash is
>> > visible at
>> > <https://git-wip-us.apache.org/repos/asf?p=incubator-impala.git;a=tree;hb=2a7c8b9011905bfeb21b0610f0739f9df9daacef>
>> >
>> > Please vote +1 or -1. -1 votes should be accompanied by an explanation of
>> > the reason. Only PPMC members and mentors have binding votes, but other
>> > community members are encouraged to cast non-binding votes. This vote will
>> > pass if there are 3 binding +1 votes and more binding +1 votes than -1
>> > votes.
>> >
>> > This wiki page describes how to check the release before you vote:
>> > https://cwiki.apache.org/confluence/display/IMPALA/How+to+Release#HowtoRelease-HowtoVoteonaReleaseCandidate
>> >
>> > The vote will be open until the end of Wednesday, August 30, Pacific time
>> > zone (UTC-08:00).
>> > Once the vote passes the Impala PPMC vote, it still must pass the incubator
>> > PMC vote before a release is made.
>>
>
>


-- 
Todd Lipcon
Software Engineer, Cloudera
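
The distinction drawn in this thread, between a signature that is cryptographically good and a key that has a trust path, can be checked mechanically from gpg's machine-readable status output. The following is an added example, not part of the original messages or the Impala release script: `classify_sig` and `sample_status` are hypothetical names, the status lines are constructed from the 2.8.0 output quoted above, and the pinned fingerprint is assumed to have been taken from the project's KEYS file.

```shell
#!/bin/sh
# Added example. classify_sig and sample_status are hypothetical helper names.
# Real use (assumed invocation):
#   gpg --status-fd 1 --verify FILE.asc FILE 2>/dev/null | classify_sig "$FPR_FROM_KEYS"

# Reads gpg status lines on stdin; $1 is the fingerprint pinned from the KEYS file.
# Prints one of: bad | unpinned | pinned-untrusted | pinned-trusted
classify_sig() {
    pinned=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v pinned="$pinned" '
        $1 != "[GNUPG:]" { next }
        # Any of these means the signature itself must not be relied on.
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        # VALIDSIG carries the full fingerprint; field 12, when present, is the primary key.
        $2 == "VALIDSIG" { fpr = (NF >= 12) ? $12 : $3 }
        # Web-of-trust result: only these two mean a trust path exists.
        $2 == "TRUST_FULLY" || $2 == "TRUST_ULTIMATE" { trusted = 1 }
        END {
            if (bad || fpr == "")   { print "bad" }
            else if (fpr != pinned) { print "unpinned" }
            else if (trusted)       { print "pinned-trusted" }
            else                    { print "pinned-untrusted" }
        }'
}

# Constructed status output modelled on the 2.8.0 check quoted in the thread.
sample_status() {
    cat <<'EOF'
[GNUPG:] GOODSIG 91EE43066850196C Jim Apple (CODE SIGNING KEY) <jbapple@apache.org>
[GNUPG:] VALIDSIG 11EAE1B3F3D99D7F897E460191EE43066850196C 2017-01-07 1483815022 0 4 0 1 8 00 11EAE1B3F3D99D7F897E460191EE43066850196C
[GNUPG:] TRUST_UNDEFINED
EOF
}

# Good signature, fingerprint matches the pin, no trust path: the case in this thread.
sample_status | classify_sig "11EA E1B3 F3D9 9D7F 897E  4601 91EE 4306 6850 196C"
```

A result of `pinned-untrusted` corresponds to the "Good signature" plus WARNING output seen by the voters: the signing key matches the published fingerprint, but the local keyring has no certification chain to it.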
